Re: [RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-17 Thread Jan Beulich
On 11.08.2020 16:47, Trammell Hudson wrote: > On Friday, August 7, 2020 2:23 PM, Jan Beulich wrote: >> On 06.08.2020 16:15, Trammell Hudson wrote: >>> --- /dev/null >>> +++ b/xen/scripts/unify-xen >>> @@ -0,0 +1,89 @@ >>> +#!/bin/bash >>> +# Build a "unified Xen" image. >>> +# Usage >>> +# unify x

Re: [RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-11 Thread Trammell Hudson
[ Responding to both Jan and Andrew's comments about config parsing and file sources when secure boot is enabled ] On Friday, August 7, 2020 2:23 PM, Jan Beulich wrote: > [...] > As said before, I think we want an all-or-nothing approach. You > want to first establish whether the image is a unifi

Re: [RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-11 Thread Trammell Hudson
On Friday, August 7, 2020 2:23 PM, Jan Beulich wrote: > On 06.08.2020 16:15, Trammell Hudson wrote: > > --- /dev/null > > +++ b/xen/arch/x86/efi/pe.c > > @@ -0,0 +1 @@ > > +../../../common/efi/pe.c > > \ No newline at end of file > > This isn't supposed to be part of the patch; the symlinks get >

Re: [RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-10 Thread Andrew Cooper
On 07/08/2020 19:22, Trammell Hudson wrote: > On Thursday, August 6, 2020 8:14 PM, Andrew Cooper > wrote: >> For SecureBoot, it is important that nothing which is signed can be >> tricked into running unsigned code. >> >> That includes configuration such as xen.cfg or the command line. >> Consumi

Re: [RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-07 Thread Trammell Hudson
On Thursday, August 6, 2020 8:14 PM, Andrew Cooper wrote: > For SecureBoot, it is important that nothing which is signed can be > tricked into running unsigned code. > > That includes configuration such as xen.cfg or the command line. > Consuming these from unsigned sources is ok, so long as we c

Re: [RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-07 Thread Jan Beulich
On 06.08.2020 16:15, Trammell Hudson wrote: > Updated patch: I'm afraid the number of style issues has further increased. First and foremost please read ./CODING_STYLE and look at surrounding code. > --- /dev/null > +++ b/xen/arch/x86/efi/pe.c > @@ -0,0 +1 @@ > +../../../common/efi/pe.c > \ No ne

Re: [RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-07 Thread Jan Beulich
On 06.08.2020 16:15, Trammell Hudson wrote: > Updated patch: Before I get to look at this new version, one more general remark (just to not forget making it later): There's a scalability issue here: Right now xen.efi requires to be loaded below the 4Gb boundary. I've seen systems with as little as

Re: [RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-06 Thread Andrew Cooper
On 06/08/2020 15:15, Trammell Hudson wrote: > On Thursday, August 6, 2020 2:04 PM, Jan Beulich wrote: > >> On 06.08.2020 13:44, Trammell Hudson wrote: >> >>> On Thursday, August 6, 2020 9:57 AM, Jan Beulich jbeul...@suse.com wrote: Also, considering kernel and initrd are embedded, is there re

Re: [RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-06 Thread Jan Beulich
On 06.08.2020 16:15, Trammell Hudson wrote: > On Thursday, August 6, 2020 2:04 PM, Jan Beulich wrote: >> On 06.08.2020 13:44, Trammell Hudson wrote: >>> On Thursday, August 6, 2020 9:57 AM, Jan Beulich jbeul...@suse.com wrote: Overall I think it might help if this PE parsing code (if UEFI >>>

Re: [RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-06 Thread Trammell Hudson
On Thursday, August 6, 2020 2:04 PM, Jan Beulich wrote: > On 06.08.2020 13:44, Trammell Hudson wrote: > > > On Thursday, August 6, 2020 9:57 AM, Jan Beulich jbeul...@suse.com wrote: > > > > > Overall I think it might help if this PE parsing code (if UEFI > > > doesn't offer a protocol to do it fo

Re: [RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-06 Thread Jan Beulich
On 06.08.2020 13:44, Trammell Hudson wrote: > On Thursday, August 6, 2020 9:57 AM, Jan Beulich wrote: >> Overall I think it might help if this PE parsing code (if UEFI >> doesn't offer a protocol to do it for us) was put into its own >> source file. > > I tried to putting it into a separate file

Re: [RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-06 Thread Trammell Hudson
On Thursday, August 6, 2020 9:57 AM, Jan Beulich wrote: > On 05.08.2020 19:20, Trammell Hudson wrote: > > This preliminary patch adds support for bundling the Xen hypervisor, > > xen.cfg, > > the Linux kernel, initrd and XSM into a single "unified" EFI executable that > > can be signed by sbsignt

Re: [RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-06 Thread Jan Beulich
On 05.08.2020 19:20, Trammell Hudson wrote: > This preliminary patch adds support for bundling the Xen hypervisor, xen.cfg, > the Linux kernel, initrd and XSM into a single "unified" EFI executable that > can be signed by sbsigntool for verification by UEFI Secure Boot. It is > inspired by syst

[RFC] efi/boot: Unified Xen executable for UEFI Secure Boot support

2020-08-05 Thread Trammell Hudson
This preliminary patch adds support for bundling the Xen hypervisor, xen.cfg, the Linux kernel, initrd and XSM into a single "unified" EFI executable that can be signed by sbsigntool for verification by UEFI Secure Boot. It is inspired by systemd-boot's unified kernel technique and borrows the