Re: [Xen-users] [Xen-devel] UEFI Secure Boot Xen 4.9
On Mon, Sep 18, 2017 at 11:24:15AM -0400, Tamas K Lengyel wrote:
> On Tue, Sep 5, 2017 at 12:26 PM, Tamas K Lengyel <tamas.k.lengyel@xxxxxxxxx> wrote:
> > On Mon, Sep 4, 2017 at 6:40 AM, Daniel Kiper <daniel.kiper@xxxxxxxxxx> wrote:
> >> On Wed, Aug 30, 2017 at 10:16:23AM -0600, Tamas K Lengyel wrote:
> >>> On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@xxxxxxxxxx> wrote:
> >>> > Hey Tamas,
> >>> >
> >>> > Sorry for the late reply. I was on vacation.
> >>> >
> >>> > On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
> >>> >> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@xxxxxxxxxx> wrote:
> >>> >
> >>> > [...]
> >>> >
> >>> >> > UEFI will verify shim secure boot signature then shim will verify GRUB2 signature then GRUB2 will verify (with shim protocol) Xen signature and finally Xen will verify (with shim protocol) Linux kernel signature. Then your kernel can verify modules using whatever you want.
> >>> >> >
> >>> >> >> I would be happy to work to help achieve this.
> >>> >> >
> >>> >> > There is a chance that I will have something very raw at the beginning of June. If you wish to do tests drop me a line.
> >>> >>
> >>> >> Hi Daniel,
> >>> >> is there any news on this? I would be interested in giving this a shot too.
> >>> >
> >>> > Please look at
> >>> >
> >>> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
> >>> >
> >>> > and at
> >>> >
> >>> > https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html
> >>> >
> >>> > Attachments contain the same patches as above but rebased on the latest GRUB2 and Xen git repositories.
> >>> >
> >>> > Due to some travel I am going to restart work on this in the second half of September.
> >>> >
> >>> > If you have any questions please drop me a line.
> >>> >
> >>>
> >>> Hi Daniel,
> >>> thanks for the update, I'll give it a shot today to set it up. On a somewhat related note, are you aware of any work on getting secure boot + UEFI working in a guest? There is a PoC patch on OpenXT (https://github.com/OpenXT/xenclient-oe/pull/729) but I was wondering if there are any parallel efforts ongoing.
> >>
> >> I do not follow this issue in detail. However, I suppose that if OVMF supports UEFI secure boot (well, QEMU has to enable SMM support too; I do not know whether it works with Xen or not) then the guest should work without any issue. Just guessing...
> >>
> >
> > Sure, I was just wondering if you are aware of anyone looking at that.
> >
> > In other news I was able to get your patches working and have been able to boot with Secure Boot enabled as far as shim -> signed grub -> signed linux without initrd. If I boot a signed version of Xen from grub it goes as far as setup_efi_pci but then the system reboots without anything else being printed on the screen. I haven't been able to debug it any further yet.
> >
>
> Daniel,
> just FYI the xen.mb.efi generated with your patches causes pesign to segfault:
>
> cms_pe_common.c:generate_digest:198 PE section ".text" has invalid address
> Segmentation fault

Thank you for doing the tests. I am going to restart work on this next week and post the next version of the patches in October. I will try to fix all issues spotted by you. Stay tuned...

Daniel
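The pesign failure Tamas reports above (`PE section ".text" has invalid address`) is the kind of section-table problem a signing tool rejects before it hashes an image. As an added illustration, not code from this thread and not pesign's own logic, here is a small checker that walks the PE section headers of a constructed image; the bounds it enforces (raw data after the headers and inside the file, sections in ascending non-overlapping virtual-address order) are an assumption about what such a tool checks, and `build_image` only fabricates a minimal PE32+ sample, not a real xen.mb.efi.

```python
import struct
# Added example, not pesign's code: a PE section-table check over a constructed image.
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(data):
    """Return (section dicts, file offset where the headers end)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]    # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                          # first section header
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        secs.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                     "vaddr": f[2], "rawsize": f[3], "rawptr": f[4]})
    return secs, table + 40 * nsec

def check_sections(data):
    """Problems a signer would refuse to hash over; [] means the table is sane."""
    secs, hdr_end = parse_sections(data)
    problems, prev_end = [], 0
    for s in secs:
        # raw bytes must lie after the headers and inside the file (assumed bound)
        if s["rawsize"] and (s["rawptr"] < hdr_end
                             or s["rawptr"] + s["rawsize"] > len(data)):
            problems.append(f'section "{s["name"]}" has invalid address')
        # sections must be laid out in ascending, non-overlapping VA order
        if s["vaddr"] < prev_end:
            problems.append(f'section "{s["name"]}" overlaps in memory')
        prev_end = s["vaddr"] + max(s["vsize"], s["rawsize"])
    return problems

def build_image(sections, file_size=0x600):   # constructed PE32+ sample, not real Xen
    opt = struct.pack("<H", 0x20B) + bytes(238)             # PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    img = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40))
    img += b"PE\0\0" + coff + opt
    for name, vaddr, vsize, rawptr, rawsize in sections:
        img += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr,
                           rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    return bytes(img) + bytes(file_size - len(img))

# constructed samples: a well-formed layout and one whose .text runs past EOF
GOOD = build_image([(b".text", 0x1000, 0x200, 0x200, 0x200),
                    (b".data", 0x2000, 0x100, 0x400, 0x100)])
BAD = build_image([(b".text", 0x1000, 0x200, 0x500, 0x200)])
```

Running `check_sections` over an image before handing it to a signer turns a crash into a readable diagnosis of which section header is out of bounds.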