
Re: [PATCH] EFI: Enable booting unified hypervisor/kernel/initrd images



On 04.09.2020 18:48, Trammell Hudson wrote:
> On Friday, September 4, 2020 9:02 AM, Roger Pau Monné <roger.pau@xxxxxxxxxx> wrote:
>> On Fri, Aug 28, 2020 at 11:51:35AM +0000, Trammell Hudson wrote:
>>> -   return secboot == 1 && setupmode == 0;
>>
>> Does this need to be strictly 1, or any value != 0?
> 
> We discussed this briefly here on xen-devel without any real conclusion;
> the UEFI spec says that all other values are reserved. I'm not sure in practice
> if any others ever show up.

I think considering how critical it is that we get things right (as
in "secure"), we should fail booting by default (with a way to
override this) if the value found is reserved (as far as we can
tell).

>> [...]
>> I have to admit I know very little, but don't you need to verify the
>> ramdisk also, like you verify the kernel? Or is the kernel the one
>> that's supposed to verify its ramdisk before using it?
> 
> With the unified image there is no need to do so; the xen.efi, config,
> kernel, initrd, flash, and ucode are all signed as one file and the
> shim protocol is not necessary.
> 
> For the non-unified case, well, that's what started me on this patch.
> I was quite surprised that all of the Secure Boot support in Linux
> distributions and Xen did not sign the initrd or command lines,
> only the kernel image.  So, yes, it seems like it should be signed,
> but that's not what the wider community decided to do.

But no matter how they do it, in principle it is the kernel's
responsibility aiui. I.e. they could sign the entire initrd, or
they could sign all the relevant pieces inside it.

Jan
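Jan's suggestion above (treat a reserved SecureBoot/SetupMode value as a boot failure by default, with an explicit override), worked through as an added example; this is not code from the patch or from Xen, and the enum, the function names, and the convention of passing NULL for a variable GetVariable() reported as EFI_NOT_FOUND are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical classification of the firmware's Secure Boot state. */
enum sb_state { SB_DISABLED, SB_ENABLED, SB_RESERVED };

/*
 * Evaluate the UEFI "SecureBoot" and "SetupMode" variables as a loader
 * would after reading them with GetVariable(). Per the UEFI spec each is
 * a single UINT8 holding 0 or 1; every other value is reserved.
 * A NULL pointer models a variable the firmware did not provide
 * (assumed to mean EFI_NOT_FOUND); any size other than 1 is malformed.
 * SB_ENABLED is returned only for SecureBoot == 1 && SetupMode == 0,
 * the condition the original patch checked; SB_RESERVED flags anything
 * outside the values the spec defines so the caller can refuse to boot.
 */
static enum sb_state classify_secure_boot(const uint8_t *secboot, size_t secboot_len,
                                          const uint8_t *setupmode, size_t setupmode_len)
{
    /* No SecureBoot variable at all: this firmware does not implement Secure Boot. */
    if (secboot == NULL)
        return SB_DISABLED;
    if (secboot_len != 1 || *secboot > 1)
        return SB_RESERVED;
    if (*secboot == 0)
        return SB_DISABLED;
    /* SecureBoot == 1: SetupMode must be present and well-formed to decide enforcement. */
    if (setupmode == NULL || setupmode_len != 1 || *setupmode > 1)
        return SB_RESERVED;
    /* In setup mode the firmware does not enforce signatures, so treat as disabled. */
    return *setupmode == 0 ? SB_ENABLED : SB_DISABLED;
}

/* Signatures on the unified image are required only when enforcement is on. */
static bool secure_boot_enforced(enum sb_state st)
{
    return st == SB_ENABLED;
}

/* Fail-closed policy: a reserved value aborts the boot unless an override is set. */
static bool secure_boot_allows_boot(enum sb_state st, bool allow_reserved)
{
    return st != SB_RESERVED || allow_reserved;
}
```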
