[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Booting signed xen.efi through shim

To: "Tamas K Lengyel" <tamas@xxxxxxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Wed, 20 Sep 2017 00:30:07 -0600
Cc: "miodownikj@xxxxxxxxxxxx" <miodownikj@xxxxxxxxxxxx>, Daniel Kiper <daniel.kiper@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 20 Sep 2017 06:30:15 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

>>> On 20.09.17 at 00:23, <tamas@xxxxxxxxxxxxx> wrote:
> On Mon, Sep 18, 2017 at 2:58 AM, Jan Beulich <JBeulich@xxxxxxxx> wrote:
>>>>> On 14.09.17 at 18:20, <tamas@xxxxxxxxxxxxx> wrote:
>>> Of course, you can grab them from here:
>>> https://drive.google.com/drive/folders/0B5duyI9SzNtWaXE0cjM1QzZJbVk?usp=shar
>>>  
>>> ing
>>
>> So the dumps of the two (using my own tool) are identical except for
>> the expected difference due to the certificate. In particular neither
>> image has any strange relocation types afaics, and both have the
>> sort of unexpected, but also supposedly benign
>> IMAGE_SCN_LNK_NRELOC_OVFL flag set for .bss. Hence I'm afraid ...
>>
>>> I've verified that xen-signed.efi boots with Secureboot enabled when
>>> booted directly but doesn't boot through the shim.
>>
>> ... you'll need to do some debugging in order to figure out what's
>> going on here. With the above the prime suspect is the shim though,
>> fiddling with the image after loading it into memory. So perhaps
>> dumping the .reloc section contents in order to compare it with
>> what's in the image may be a suitable approach.
> 
> Yeap, the shim pretty simply removed the .reloc section as it was
> marked discardable and did the relocations for Xen. So with that
> removed from the shim I no longer get the error and I see that the
> dom0 kernel gets verified using the shim lock protocol.

So did you instead try whether simply clearing the discardable
flag from the section also helps? The flag ought to matter in
paged environments only (which EFI isn't despite paging being
enabled), but as we see some people think otherwise.

> I still didn't
> get dom0 to boot for some reason but that might be an unrelated issue
> (and I have no serial console right now). Nevertheless, progress!

And it doesn't get far enough for you to see any output at all?
Did you try "earlyprintk=xen" on the kernel command line and/or
"vga=keep" on the Xen one?

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] Booting signed xen.efi through shim
  - From: Tamas K Lengyel

References:
- [Xen-devel] Booting signed xen.efi through shim
  - From: Tamas K Lengyel
- Re: [Xen-devel] Booting signed xen.efi through shim
  - From: Daniel Kiper
- Re: [Xen-devel] Booting signed xen.efi through shim
  - From: Tamas K Lengyel
- Re: [Xen-devel] Booting signed xen.efi through shim
  - From: Jan Beulich
- Re: [Xen-devel] Booting signed xen.efi through shim
  - From: Tamas K Lengyel
- Re: [Xen-devel] Booting signed xen.efi through shim
  - From: Jan Beulich
- Re: [Xen-devel] Booting signed xen.efi through shim
  - From: Tamas K Lengyel
- Re: [Xen-devel] Booting signed xen.efi through shim
  - From: Jan Beulich
- Re: [Xen-devel] Booting signed xen.efi through shim
  - From: Tamas K Lengyel
- Re: [Xen-devel] Booting signed xen.efi through shim
  - From: Jan Beulich
- Re: [Xen-devel] Booting signed xen.efi through shim
  - From: Tamas K Lengyel

Prev by Date: Re: [Xen-devel] [PATCH][V2] x86/xen: clean up clang build warning
Next by Date: [Xen-devel] [PATCH v8 03/15] xen: add new domctl hypercall to set grant table resource limits
Previous by thread: Re: [Xen-devel] Booting signed xen.efi through shim
Next by thread: Re: [Xen-devel] Booting signed xen.efi through shim
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.