[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] [Xen-devel] UEFI Secure Boot Xen 4.9



On Mon, Sep 18, 2017 at 11:24:15AM -0400, Tamas K Lengyel wrote:
> On Tue, Sep 5, 2017 at 12:26 PM, Tamas K Lengyel
> <tamas.k.lengyel@xxxxxxxxx> wrote:
> > On Mon, Sep 4, 2017 at 6:40 AM, Daniel Kiper <daniel.kiper@xxxxxxxxxx> 
> > wrote:
> >> On Wed, Aug 30, 2017 at 10:16:23AM -0600, Tamas K Lengyel wrote:
> >>> On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@xxxxxxxxxx> 
> >>> wrote:
> >>> > Hey Tamas,
> >>> >
> >>> > Sorry for late reply. I was on vacation.
> >>> >
> >>> > On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
> >>> >> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper 
> >>> >> <daniel.kiper@xxxxxxxxxx> wrote:
> >>> >
> >>> > [...]
> >>> >
> >>> >> > UEFI will verify shim secure boot signature then shim will verify 
> >>> >> > GRUB2
> >>> >> > signature then GRUB2 will verify (with shim protocol) Xen signature 
> >>> >> > and
> >>> >> > finally Xen will verify (with shim protocol) Linux kernel signature. 
> >>> >> > Then
> >>> >> > your kernel can verify modules using whatever you want.
> >>> >> >
> >>> >> >> I would be happy to work to help achieve this.
> >>> >> >
> >>> >> > There is a chance that I will have something very raw at the 
> >>> >> > beginning
> >>> >> > of June. If you wish to do tests drop me a line.
> >>> >>
> >>> >> Hi Daniel,
> >>> >> is there any news on this? I would be interested in giving this a shot 
> >>> >> too.
> >>> >
> >>> > Please look at
> >>> >
> >>> >   https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
> >>> >
> >>> > and at
> >>> >
> >>> >   https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html
> >>> >
> >>> > Attachments contain the same patches as above but rebased on latest
> >>> > GRUB2 and Xen git repositories.
> >>> >
> >>> > Due to some travel I am going to restart work on this in the second
> >>> > half of September.
> >>> >
> >>> > If you have any questions please drop me a line.
> >>> >
> >>>
> >>> Hi Daniel,
> >>> thanks for the update, I'll give it a shot today to set it up. In a
> >>> somewhat related note, are you aware of any work on getting secure
> >>> boot + UEFI working in a guest? There is a PoC patch on OpenXT
> >>> (https://github.com/OpenXT/xenclient-oe/pull/729) but was wondering if
> >>> there are any parallel efforts ongoing.
> >>
> >> I do not follow this issue in detail. However, I suppose that if OVMF
> >> supports UEFI secure boot (well, QEMU has to enable SMM support too;
> >> I do not know does it work with Xen or not) then guest should work
> >> without any issue. Just guessing...
> >>
> >
> > Sure, was just wondering if you are aware of anyone looking at that.
> >
> > In other news I was able to get your patches working and have been
> > able to boot with Secure boot enabled as far as shim -> signed grub ->
> > signed linux without initrd. If I boot a signed version of Xen from
> > grub it goes as far as setup_efi_pci but then the system reboots
> > without anything else being printed on the screen. I haven't been able
> > to debug it any further yet.
> >
>
> Daniel,
> just FYI the xen.mb.efi generated with your patches causes pesign to segfault:
>
> cms_pe_common.c:generate_digest:198 PE section ".text" has invalid address
> Segmentation fault

Thank you for doing the tests. I am going to restart work on this next week
and post next version of patches in October. I will try to fix all issues
spotted by you. Stay tuned...

Daniel

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
https://lists.xen.org/xen-users

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.