Re: [PATCH v3 2/5] livepatch: Embed public key in Xen
On Thu, Jun 05, 2025 at 01:19:00PM +0200, Jan Beulich wrote:
> On 02.06.2025 15:36, Ross Lagerwall wrote:
> > From: Kevin Lampis <kevin.lampis@xxxxxxxxx>
> >
> > Make it possible to embed a public key in Xen to be used when verifying
> > live patch payloads. Inclusion of the public key is optional.
> >
> > To avoid needing to include a DER / X.509 parser in the hypervisor, the
> > public key is unpacked at build time and included in a form that is
> > convenient for the hypervisor to consume. This is a different approach
> > from that used by Linux, which embeds the entire X.509 certificate and
> > builds in a parser for it.
> >
> > A suitable key can be created using openssl:
> >
> > openssl req -x509 -newkey rsa:2048 -keyout priv.pem -out pub.pem \
> >     -sha256 -days 3650 -nodes \
> >     -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
> > openssl x509 -inform PEM -in pub.pem -outform PEM -pubkey -nocert -out verify_key.pem
> >
> > Signed-off-by: Kevin Lampis <kevin.lampis@xxxxxxxxx>
> > Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
>
> While reviewing patch 4 it occurred to me: Why embed the key? Can't this
> be specified as (another) boot module?

Then the key itself will need to be signed, and it's extra churn that we
would need to verify at boot.

I'm not opposed to being able to load the key as a module, but it seems
reasonable to also bundle one in Xen. If there's interest in passing one
as a module it could always be implemented as a separate feature.

IMO: I don't see both approaches as being incompatible with each other.

Thanks, Roger.
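The build-time unpacking step the quoted patch description refers to, as an added example that is not part of this thread or of Xen's own tooling: it parses the PEM SubjectPublicKeyInfo that `openssl x509 -pubkey` writes, pulls out the RSA modulus and exponent, and emits them as C data so the hypervisor needs no DER parser of its own. The C symbol names and the emitted layout are assumptions; the key material is constructed inside the block and is not a real key.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption OID, DER tag+length included
def read_tlv(buf, pos):  # decode one DER element at pos -> (tag, body, position after it)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long-form length; every real 2048-bit key uses it
        width = length & 0x7F
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    return tag, buf[pos:pos + length], pos + length
def parse_spki(pem):  # (n, e) from a PEM "PUBLIC KEY" block (RSA SubjectPublicKeyInfo)
    b64 = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    tag, spki, _ = read_tlv(base64.b64decode(b64), 0)
    tag2, alg, pos = read_tlv(spki, 0)
    if tag != 0x30 or tag2 != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    tag, bits, _ = read_tlv(spki, pos)   # BIT STRING; first byte is the unused-bit count
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsakey, _ = read_tlv(bits, 1)     # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    tag, n, pos = read_tlv(rsakey, 0)
    tag2, e, _ = read_tlv(rsakey, pos)
    if tag != 0x02 or tag2 != 0x02:
        raise ValueError("expected two INTEGERs in RSAPublicKey")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")
def to_c_header(n, e, name="livepatch_pubkey"):  # assumed symbol names, not Xen's layout
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = ", ".join(f"0x{b:02x}" for b in nb)
    return f"static const unsigned char {name}_n[{len(nb)}] = {{ {body} }};\nstatic const unsigned long {name}_e = {e}UL;\n"

# --- constructed sample input: a minimal DER encoder so the example runs offline ---
def tlv(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body
def der_int(v):  # DER INTEGER is signed: prepend 0x00 when the top bit is set
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)
def make_test_pem(n, e):  # wraps (n, e) the way `openssl x509 -pubkey` emits it
    spki = tlv(0x30, tlv(0x30, RSA_OID + b"\x05\x00")
               + tlv(0x03, b"\x00" + tlv(0x30, der_int(n) + der_int(e))))
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

# Constructed 128-bit "modulus" (not a real key); top bit set so the INTEGER padding path is exercised.
SAMPLE_N = 0xD3A1B6F8E0C45D7A9B2C3E4F5A6B7C8D
SAMPLE_E = 65537
SAMPLE_HEADER = to_c_header(*parse_spki(make_test_pem(SAMPLE_N, SAMPLE_E)))
```

Feeding a real `verify_key.pem` to `parse_spki` instead of the constructed one is the only change needed to use it as a build step; the hypervisor then consumes the two arrays directly.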