[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] docs: UEFI Secure Boot security policy

To: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
From: Stefano Stabellini <sstabellini@xxxxxxxxxx>
Date: Thu, 19 Jun 2025 12:56:12 -0700 (PDT)
Cc: Ross Lagerwall <ross.lagerwall@xxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, security@xxxxxxx, Juergen Gross <jgross@xxxxxxxx>, Trammell Hudson <hudson@xxxxxxxx>, Frediano Ziglio <frediano.ziglio@xxxxxxxxx>, Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx>, Kevin Lampis <kevin.lampis@xxxxxxxxx>
Delivery-date: Thu, 19 Jun 2025 19:56:23 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, 19 Jun 2025, Marek Marczykowski-Górecki wrote:
> On Thu, Jun 19, 2025 at 03:16:51PM +0100, Ross Lagerwall wrote:
> > I think a section on PCI passthrough is also warranted. i.e. preventing 
> > misuse
> > of a device to exploit Secure Boot.
> 
> While I agree it makes sense, I wonder if it's in scope for UEFI
> Secure Boot as defined by Microsoft? It may have implication for example
> on PCI passthrough to a PV domains.

If we bring DomUs into the discussion, then I think we need to make a
distinction between predefined DomUs, which could have signatures
verified by Secure Boot (such as Dom0 and hyperlaunch/dom0less guests),
and other dynamically created DomUs which could be fetched from the
network and potentially started without signature verification or prior
knowledge.

Follow-Ups:
- Re: [PATCH] docs: UEFI Secure Boot security policy
  - From: Marek Marczykowski-Górecki

References:
- [PATCH] docs: UEFI Secure Boot security policy
  - From: Andrew Cooper
- Re: [PATCH] docs: UEFI Secure Boot security policy
  - From: Ross Lagerwall
- Re: [PATCH] docs: UEFI Secure Boot security policy
  - From: Marek Marczykowski-Górecki

Prev by Date: Re: [PATCH v3 08/14] xen/dt: Move bootfdt functions to xen/bootfdt.h
Next by Date: Re: [PATCH] docs: UEFI Secure Boot security policy
Previous by thread: Re: [PATCH] docs: UEFI Secure Boot security policy
Next by thread: Re: [PATCH] docs: UEFI Secure Boot security policy
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.