Xen Secure Boot and Lockdown WG Meeting Summary - Mon, March 29, 2021
# Xen Secure Boot and Lockdown

This document summarizes the Xen Secure Boot and Lockdown WG meeting that occurred on Mon, March 29, 2021.

We identified a list of requirements for locking down a Xen system that (at least) requires the following:

## Verified Boot Chain

Various projects are underway already to support a verified boot chain that includes Xen and dom0.

1. via the EFI loader
    1. Xen already supports verification of itself, the dom0 kernel, and the dom0 initrd, via a PE32+ bundle and the EFI loader.
2. Trenchboot
3. Add PE/COFF header to mb2 Xen (patches on ML, needs revision), allowing shim + grub2.

## Linux Lockdown in Dom0

1. Needs further testing, but seems to at least nominally work with QubesOS
    1. QubesOS may be benefiting from outsourcing otherwise locked down functionality to stubdoms
3. Integrity checking for initrd
    1. Not an issue for bundled xen.efi

## Xen Lockdown in Dom0

1. Live patching
2. Kexec
    1. Will dom0 kexec need extending? Probably just "plumbing" to work for Xen.
3. /priv/cmd
    1. Violations of SB include:
        1. set_trap_table
        2. mmu_update
        3. ... more ... (TODO: add to this list)
4. PCI Passthrough
    1. usage of unstable Xen interfaces
    2. PCI BARs mapping in guest
    3. Interrupt routing setup
    4. See other QEMU-related issues below
5. QEMU
    1. I/O permissions
    2. resets may be an issue
6. Xen command line
    1. What parts are safe? and unsafe?
    2. Allow safe options from unmeasured source

The living version of this document, to be used to coordinate future work, is found here:

https://cryptpad.fr/pad/#/2/pad/edit/IrfCfGH3l1Z2oUGlbBS2kiz6/

Please feel free to add to / edit the above document!

The raw meeting notes can be found here:

https://cryptpad.fr/pad/#/2/pad/edit/YHfyA-IbuEa3SLe-hsKVEjRC/

--
Bobby Eshleman
SE at Vates SAS