Re: [Xen-devel] Booting signed xen.efi through shim

[Tamas K Lengyel <tamas@xxxxxxxxxxxxx>]

On Fri, Sep 22, 2017 at 2:25 AM, Jan Beulich <JBeulich@xxxxxxxx> wrote:
>>>> On 22.09.17 at 00:46, <tamas@xxxxxxxxxxxxx> wrote:
>> One piece that I see still missing is the Xen command line parameters
>> not being verified. It would be ideal to have the option to get that
>> set during compile time as well, similar to Linux's CONFIG_CMDLINE
>> option, to avoid for example getting iommu or XSM being turned off by
>> someone with physical access.
>
> We do have CMDLINE and CMDLINE_OVERRIDE. But for someone
> with physical access it would likely also be possible to avoid secure
> boot altogether?
>

Interesting, it never showed up for me in make menuconfig. Searching
for it does show it but seems to be not accessible in menuconfig.
Anyway, good to know! And indeed, someone having physical access could
do a firmware reset by taking the computer apart (firmware would need
to be password protected if Secureboot is enabled). What I meant is
protection against someone during boot changing the config options or
altering the cfg file on disk.

And even with a firmware reset, I guess it's up to the OEM to decide
what the reset state is. So it might be possible in some situations to
have the reset state also include having Secureboot enabled with the
custom keys. Otherwise having the disk encrypted with the key being
sealed in the TPM against PCR[0-4] for example should work. Provided
of course that a malicious firmware can't fake those measurements
somehow.

Tamas

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel