|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Unified Xen executable for UEFI Secure Boot support
I have preliminary patches to support bundling the Xen hypervisor, xen.cfg, the Linux kernel, initrd and XSM into a single "unified" EFI executable that can be signed by sbsigntool for verification by UEFI Secure Boot. It is inspired by systemd-boot's unified kernel technique and borrows the function to locate PE sections from systemd's LGPL'ed code. The configuration, kernel, etc are added after building using objcopy to add named sections for each input file. This allows an administrator to update the components independently without requiring rebuilding xen. During EFI boot, Xen looks at its own loaded image to locate the PE sections and, if secure boot is enabled, only allows use of the unified components. The resulting EFI executable can be invoked directly from the UEFI Boot Manager, removing the need to use a separate loader like grub. Unlike the shim based verification, the signature covers the entire Xen+config+kernel+initrd unified file. This also ensures that properly configured platforms will measure the entire runtime into the TPM for unsealing secrets or remote attestation. I've tested it on qemu OVMF with Secure Boot enabled, as well as on real Thinkpad hardware. The EFI console is very slow, although it works and is able to boot into dom0. The current patch set is here, and I'd appreciate suggestions on the technique or cleanup for submission: https://github.com/osresearch/xen/tree/secureboot -- Trammell
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |