Xen Secure Boot and Lockdown WG Meeting Summary - Mon, March 29, 2021
# Xen Secure Boot and Lockdown
This document summarizes the Xen Secure Boot and Lockdown WG meeting that
occurred on Mon, March 29, 2021.
We identified a list of requirements for locking down a Xen system; at a
minimum, it requires the following:
## Verified Boot Chain
Various projects are underway already to support a verified boot chain that
includes Xen and dom0.
1. via the EFI loader
   1. Xen already supports verification of itself, the dom0 kernel, and the
      dom0 initrd, via a PE32+ bundle and the EFI loader.
2. Trenchboot
3. Add PE/COFF header to mb2 Xen (patches on ML, needs revision), allowing
   shim + grub2.
## Linux Lockdown in Dom0
1. Needs further testing, but seems to at least nominally work with QubesOS
   1. QubesOS may be benefiting from outsourcing otherwise locked down
      functionality to stubdoms
3. Integrity checking for initrd
   1. Not an issue for bundled xen.efi
## Xen Lockdown in Dom0
1. Live patching
2. Kexec
   1. Will dom0 kexec need extending? Probably just "plumbing" to work for
      Xen.
3. privcmd
   1. Violations of SB include:
      1. set_trap_table
      2. mmu_update
      3. ... more ... (TODO: add to this list)
4. PCI Passthrough
   1. usage of unstable Xen interfaces
   2. PCI BARs mapping in guest
   3. Interrupt routing setup
   4. See other QEMU-related issues below
5. QEMU
   1. I/O permissions
   2. resets may be an issue
6. Xen command line
   1. What parts are safe? and unsafe?
   2. Allow safe options from unmeasured source
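As an added illustration of the last item (this is example code written for this summary, not code from the meeting, from Xen, or from any project named above), the sketch below merges a measured Xen command line with options supplied from an unmeasured source. Only options on an allowlist are taken from the unmeasured source, and an unmeasured option is never allowed to override a knob the measured line already set, whether in its plain or its "no-" form. The allowlist contents (`loglvl`, `guest_loglvl`, `console_timestamps`, `vga`) are an assumption for the example only; the WG had not yet decided which options are safe.

```c
/* Added example, not Xen code: merge a measured (trusted) Xen command line
 * with options from an unmeasured source under an allowlist policy. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED allowlist for the example; which options are really safe to take
 * from an unmeasured source is an open question in the notes above. */
static const char *const safe_opts[] = {
    "loglvl", "guest_loglvl", "console_timestamps", "vga",
};

/* Length of the option name: everything before '=' (or the whole token). */
static size_t key_len(const char *tok, size_t toklen)
{
    const char *eq = memchr(tok, '=', toklen);
    return eq ? (size_t)(eq - tok) : toklen;
}

/* Canonical name for conflict checks: "no-foo" and "foo" are the same knob. */
static void canon_key(const char *tok, size_t toklen,
                      const char **key, size_t *klen)
{
    *key = tok;
    *klen = key_len(tok, toklen);
    if (*klen > 3 && memcmp(tok, "no-", 3) == 0) {
        *key += 3;
        *klen -= 3;
    }
}

static bool key_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Walk whitespace-separated tokens; returns false when none are left. */
static bool next_tok(const char **p, const char **tok, size_t *len)
{
    while (**p == ' ' || **p == '\t')
        (*p)++;
    if (**p == '\0')
        return false;
    *tok = *p;
    while (**p && **p != ' ' && **p != '\t')
        (*p)++;
    *len = (size_t)(*p - *tok);
    return true;
}

static bool is_safe(const char *key, size_t klen)
{
    for (size_t i = 0; i < sizeof safe_opts / sizeof safe_opts[0]; i++)
        if (key_eq(key, klen, safe_opts[i], strlen(safe_opts[i])))
            return true;
    return false;
}

/* Does the measured command line already set this knob, in either polarity? */
static bool measured_sets(const char *measured, const char *key, size_t klen)
{
    const char *p = measured, *tok, *mk;
    size_t len, mklen;
    while (next_tok(&p, &tok, &len)) {
        canon_key(tok, len, &mk, &mklen);
        if (key_eq(mk, mklen, key, klen))
            return true;
    }
    return false;
}

/* Write the effective command line to out: the measured options verbatim,
 * then each unmeasured option that is allowlisted and does not touch a knob
 * the measured line already set.  Returns the number of unmeasured options
 * accepted, or -1 if out is too small. */
int merge_cmdline(const char *measured, const char *unmeasured,
                  char *out, size_t outsz)
{
    size_t used = strlen(measured);
    if (used >= outsz)
        return -1;
    memcpy(out, measured, used + 1);

    int accepted = 0;
    const char *p = unmeasured, *tok, *key;
    size_t len, klen;
    while (next_tok(&p, &tok, &len)) {
        canon_key(tok, len, &key, &klen);
        if (!is_safe(key, klen) || measured_sets(measured, key, klen))
            continue;               /* not allowlisted, or would override */
        if (used + 1 + len + 1 > outsz)
            return -1;
        if (used)
            out[used++] = ' ';
        memcpy(out + used, tok, len);
        used += len;
        out[used] = '\0';
        accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed sample input for the example. */
    char buf[128];
    int n = merge_cmdline("dom0_mem=2G loglvl=info",
                          "loglvl=all iommu=no-igfx vga=text", buf, sizeof buf);
    printf("accepted %d unmeasured option(s): %s\n", n, buf);
    return 0;
}
```

The conflict check canonicalises both sides so that an unmeasured `vga=text` cannot slip past a measured `no-vga`; anything not on the allowlist, such as `iommu=...`, is dropped silently. A real implementation would also have to decide how an option that appears twice within the unmeasured string should be handled, which this sketch does not address.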
The living version of this document, to be used to coordinate future work, is
found here:
https://cryptpad.fr/pad/#/2/pad/edit/IrfCfGH3l1Z2oUGlbBS2kiz6/
Please feel free to add to / edit the above document!
The raw meeting notes can be found here:
https://cryptpad.fr/pad/#/2/pad/edit/YHfyA-IbuEa3SLe-hsKVEjRC/
--
Bobby Eshleman
SE at Vates SAS