Re: [PATCH v2] xen/efi: Do not check kernel signature if it was embedded
On Fri, Jun 20, 2025 at 09:26:05AM +0100, Frediano Ziglio wrote: > Using UKI it's possible to embed Linux kernel into xen.efi file. > In this case the signature for Secure Boot is applied to the > whole xen.efi, including the kernel. > So checking for specific signature for the kernel is not > needed. > > Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxx> Reviewed-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> > --- > Changes since v1: > - updated commit message and code comment; > - renamed kernel_was_verified to kernel_verified. > --- > xen/common/efi/boot.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c > index e39fbc3529..fb3b120982 100644 > --- a/xen/common/efi/boot.c > +++ b/xen/common/efi/boot.c > @@ -1291,6 +1291,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE > ImageHandle, > bool base_video = false; > const char *option_str; > bool use_cfg_file; > + bool kernel_verified = false; > int dt_modules_found; > > __set_bit(EFI_BOOT, &efi_flags); > @@ -1461,6 +1462,11 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE > ImageHandle, > read_file(dir_handle, s2w(&name), &kernel, option_str); > efi_bs->FreePool(name.w); > } > + else > + { > + /* Kernel was embedded so Xen signature includes it. */ > + kernel_verified = true; > + } > > if ( !read_section(loaded_image, L"ramdisk", &ramdisk, NULL) ) > { > @@ -1534,6 +1540,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE > ImageHandle, > * verify it. > */ > if ( kernel.ptr && > + !kernel_verified && > !EFI_ERROR(efi_bs->LocateProtocol(&shim_lock_guid, NULL, > (void **)&shim_lock)) && > (status = shim_lock->Verify(kernel.ptr, kernel.size)) != > EFI_SUCCESS ) > -- > 2.43.0 > -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab Attachment:
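Review bot: In the second hunk (the new `else` branch after the `read_file(dir_handle, ...)` fallback), the comment "Kernel was embedded so Xen signature includes it." states the conclusion but not what it depends on: the embedded section is only trustworthy because the whole xen.efi image, section included, was signature-checked when it was loaded, as the commit message says. Suggest spelling that out in the comment, e.g. "Kernel was embedded in xen.efi, so the Secure Boot signature check of the whole image already covered it; no separate shim verification is needed.", so a later reader does not take `kernel_verified = true` to mean Xen verified anything itself.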
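Review bot: In the third hunk, `!kernel_verified &&` is added to the condition guarding `shim_lock->Verify(kernel.ptr, kernel.size)`, but the comment block immediately above it (ending "* verify it.") is left unchanged and still describes unconditional verification of the kernel. Suggest extending that comment with one sentence noting that the shim check is skipped when the kernel came from an embedded section, since the image-level signature already covers it, so the comment and the condition stay in agreement.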
signature.asc