
Re: [Xen-devel] Xen.efi and secure boot



>>> On 30.11.12 at 12:34, George Dunlap <dunlapg@xxxxxxxxx> wrote:
> On Fri, Nov 30, 2012 at 11:23 AM, Jan Beulich <JBeulich@xxxxxxxx> wrote:
> 
>> >>> On 30.11.12 at 11:56, George Dunlap <dunlapg@xxxxxxxxx> wrote:
>> > On Fri, Nov 30, 2012 at 10:27 AM, Jan Beulich <JBeulich@xxxxxxxx> wrote:
>> >
>> >>
>> >> So I learned a little more meanwhile - it's not that trivial: I'm told
>> >> the shim uses UEFI services to do the verification, and those
>> >> services only handle PE images. But we obviously can't reasonably
>> >> expect the Dom0 kernel to be packaged as a PE image, as that
>> >> would then be unusable as a DomU kernel (on older hosts at least,
>> >> i.e. even if we added a PE loader to libxc).
>> >>
>> >
>> > But what does the shim use to check the signature of Xen in this case?
>> > Does Xen / native Linux need to be a PE image to boot from the shim?
>>
>> Yes - xen.efi just needs to get a signature implanted for that
>> part to work, and native Linux uses the EFI_STUB mechanism
>> to get its binary into said format (which then also only needs a
>> signature added).
>>
>> >  If
>> > not, wouldn't the native PE image suffice?  And if so, why can't the shim
>> > check signatures the same way it checks the sig for the thing it's
>> > booting?
>>
>> The checking code only knows to locate signatures inside PE
>> images. Consequently, whatever you want to pass to that code
>> needs to look like one. xen.efi and native Linux with EFI_STUB
>> enabled already do, but if you handed such a kernel binary to
>> either of the two PV domain kernel loaders Xen has, they would
>> just bail.
>>
> 
> OK... so Fedora and Ubuntu are going to be shipping signed kernel
> binaries.  Are those binaries going to be in PE / EFI format then?  If so:
> 1. You won't need to do any fancy on-the-fly repackaging in Xen; you can
> just pass the already-signed distro-supplied binary
> 2. The toolstack is simply going to have to be able to read PE kernels for
> PV guests
> 3. If distros don't include non-PE kernels, we're going to have to backport
> that functionality to older versions of Xen.

Looks like our bzImage loader may be able to deal with these
(fake) PE images already, so that should then be backwards
compatible back to 3.4.2 (DomU loader) and 4.0.0 (Dom0
loader). Good enough, I think. I'll check next week whether
that's actually true.

Jan
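
The following is an added example, not part of the original message and not code from shim or Xen. It illustrates the point made in the thread that a checker which only knows PE images has nowhere to look for a signature in any other format: it finds the Certificate Table data directory (where an embedded signature is referenced) and does not verify anything. The function names and the sample images are constructed for the illustration.

```python
import struct

CERT_DIR = 4  # index of the Certificate Table entry in the PE data directories

def locate_pe_signature(image: bytes):
    """Classify a boot image the way a PE-only signature locator would see it."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return ("not-pe", None)              # e.g. an ELF kernel: nothing to look up
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    opt = pe_off + 24                        # optional header follows the COFF header
    if opt + 2 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        return ("not-pe", None)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    (magic,) = struct.unpack_from("<H", image, opt)
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 / PE32+ directory offset
    if dirs is None:
        return ("not-pe", None)
    entry = dirs + 8 * CERT_DIR
    if entry + 8 > opt_size or opt + entry + 8 > len(image):
        return ("unsigned", None)            # header too short to carry the entry
    (count,) = struct.unpack_from("<I", image, opt + dirs - 4)
    offset, size = struct.unpack_from("<II", image, opt + entry)
    if count <= CERT_DIR or size == 0:
        return ("unsigned", None)
    if offset + size > len(image):
        return ("malformed", None)           # table points outside the file
    return ("signed", (offset, size))        # for this entry, offset is a file offset

def build_sample_pe(signed: bool) -> bytes:
    """Constructed PE32+ header skeleton for the demo; not a bootable image."""
    pe_off, opt_size = 0x40, 112 + 8 * 16
    img = bytearray(pe_off + 24 + opt_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe_off + 20, opt_size)
    opt = pe_off + 24
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<I", img, opt + 108, 16)   # NumberOfRvaAndSizes
    if signed:
        blob = b"\0" * 16                        # placeholder, not a real certificate
        struct.pack_into("<II", img, opt + 112 + 8 * CERT_DIR, len(img), len(blob))
        img += blob
    return bytes(img)

if __name__ == "__main__":
    for name, data in [("signed PE", build_sample_pe(True)),
                       ("unsigned PE", build_sample_pe(False)),
                       ("ELF kernel", b"\x7fELF" + bytes(60))]:
        print(name, locate_pe_signature(data))
```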

