This is a belated followup to my post in 2016, which was a followup to a
post by Ward Vandewege in 2008 about problems introduced by Xen 3.1.3's
changes in the trampoline allocation code:
https://lists.xenproject.org/archives/html/xen-devel/2016-08/msg01208.html
I've been maintaining an out-of-tr
On Wed, Feb 28, 2018 at 03:07:41PM +, Andrew Cooper wrote:
> On 28/02/18 14:08, Trammell Hudson wrote:
> > kexec allocates a 1 page segment at 0x0 and memsets most of it to zero,
> > wiping out coreboot's EBDA structure, which xen's head.S consulted to
> > alloc
On Friday, September 4, 2020 5:29 AM, Julien Grall wrote:
> On 28/08/2020 12:51, Trammell Hudson wrote:
>
> > - /* PE32+ Subsystem type */
> > +#if defined(ARM)
> >
>
> Shouldn't this be defined(aarch64) ?
To be honest I'm not sure and don't
On Friday, September 4, 2020 5:54 AM, George Dunlap
wrote:
> And I’d encourage others to try submitting simple one-or-two-patch series as
> PRs to Gitlab instead, as we continue the experiment.
I've reworked my unified EFI image patch to merge with the
recent Makefile changes and submitted it
On Friday, September 4, 2020 9:02 AM, Roger Pau Monné
wrote:
> On Fri, Aug 28, 2020 at 11:51:35AM +0000, Trammell Hudson wrote:
> > diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S
> > index 0273f79152..ba691b1890 100644
> > --- a/xen/arch/x86/xen.ld
On Friday, September 4, 2020 1:58 PM, Julien Grall wrote:
> On 28/08/2020 12:51, Trammell Hudson wrote:
> > This patch adds support for bundling the xen.efi hypervisor, the xen.cfg
> > configuration file, the Linux kernel and initrd, as well as the XSM, and
> > CPU mi
On Friday, September 4, 2020 2:05 PM, Trammell Hudson wrote:
> On Friday, September 4, 2020 1:58 PM, Julien Grall jul...@xen.org wrote:
> > On 28/08/2020 12:51, Trammell Hudson wrote:
> > > This patch adds support for bundling the xen.efi hypervisor, the xen.cfg
> > &
wn loaded image to locate the PE sections for
the Xen configuration (`.config`), dom0 kernel (`.kernel`), dom0 initrd
(`.initrd`), and XSM config (`.xsm`), which are included after building
xen.efi using objcopy to add named sections for each input file.
Trammell hudson (4):
x86/xen.lds.S: Work
list discussion:
https://sourceware.org/pipermail/binutils/2020-August/112746.html
Fixed in:
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=610ed3e08f13b3886fd7194fb7a248dee8724685
Signed-off-by: Trammell hudson
---
xen/arch/x86/xen.lds.S | 1 +
1 file changed, 1 insertion(+)
diff
add file.need_to_free and split display_file_info()
Signed-off-by: Trammell hudson
---
xen/common/efi/boot.c | 36 ++--
1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
index 4022a672c9..f5bdc4b1df
named `.ucode`,
which is loaded in the efi_arch_cfg_file_late() stage of the boot process.
On ARM systems the Device Tree can be included in a section named
`.dtb`, which is loaded during the efi_arch_cfg_file_early() stage of
the boot process.
Signed-off-by: Trammell hudson
---
.gitignore
all of the Xen+config+kernel+initrd modules linked into the
unified image. This also ensures that properly configured platforms
will measure the entire runtime into the TPM for unsealing secrets or
remote attestation.
Signed-off-by: Trammell Hudson
---
xen/common/efi/boot.c | 31
From: Trammell hudson
Signed-off-by: Trammell hudson
---
xen/common/efi/boot.c | 36 ++--
1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
index 4022a672c9..f5bdc4b1df 100644
--- a/xen/common/efi
From: Trammell hudson
This patch series adds support for bundling the xen.efi hypervisor,
the xen.cfg configuration file, the Linux kernel and initrd, as well
as the XSM, and architectural specific files into a single "unified"
EFI executable. This allows an administrator to
From: Trammell hudson
binutils in most distrbutions have a bug in find_section_by_vma()
that causes objcopy round section addresses incorrectly and that
think the .buildid section overlaps with the .rodata. Aligning the
sections allows these older verisons of the tools to work on the
xen.efi
From: Trammell hudson
This patch adds support for bundling the xen.efi hypervisor, the xen.cfg
configuration file, the Linux kernel and initrd, as well as the XSM,
and architectural specific files into a single "unified" EFI executable.
This allows an administrator to update the
From: Trammell hudson
If secure boot is enabled, the Xen command line arguments are ignored.
If a unified Xen image is used, then the bundled configuration, dom0
kernel, and initrd are prefered over the ones listed in the config file.
Unlike the shim based verification, the PE signature on a
On Tuesday, September 8, 2020 11:04 AM, Jan Beulich wrote:
> [...]
> Personally I think this kind of a workaround patch is something
> distros ought to be fine to carry, if they care about the
> functionality and only until they get around to upgrade their
> binutils. But I'll be happy to hear dif
On Tuesday, September 8, 2020 8:29 AM, Jan Beulich wrote:
> [...] As with, I think, the majority of new
> features, distros would pick up your new functionality mainly for
> use in new versions, and hence would likely run with new binutils
> anyway by that time.
It also occurs to me that the binu
On Monday, September 14, 2020 5:05 AM, Roger Pau Monné
wrote:
> Thanks! Being picky you likely wan to split this into two separate
> commits: one for adding need_to_free and the other for
> display_file_info. There's no relation between the two that would
> require them to be on the same commit.
On Monday, September 14, 2020 6:06 AM, Roger Pau Monné
wrote:
> On Mon, Sep 07, 2020 at 03:00:26PM -0400, Trammell Hudson wrote:
> > [...]
> > It is inspired by systemd-boot's unified kernel technique and borrows the
> > function to locate PE sections from systemd&
On Monday, September 14, 2020 6:24 AM, Roger Pau Monné
wrote:
> On Mon, Sep 07, 2020 at 03:00:27PM -0400, Trammell Hudson wrote:
> [...]
> > - static const __initconst EFI_GUID global_guid = EFI_GLOBAL_VARIABLE;
> > - uint8_t secboot, setupmode;
> > - UINTN secbo
named `.ucode`,
which is loaded in the efi_arch_cfg_file_late() stage of the boot process.
On ARM systems the Device Tree can be included in a section named
`.dtb`, which is loaded during the efi_arch_cfg_file_early() stage of
the boot process.
Signed-off-by: Trammell Hudson
---
.gitignore
Add a separate function to display the address ranges used by
the files and call `efi_arch_handle_module()` on the modules.
Signed-off-by: Trammell Hudson
---
xen/common/efi/boot.c | 27 +--
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/xen/common/efi
all of the Xen+config+kernel+initrd modules linked into the
unified image. This also ensures that properly configured platforms
will measure the entire runtime into the TPM for unsealing secrets or
remote attestation.
Signed-off-by: Trammell Hudson
---
xen/common/efi/boot.c | 44
The config file, kernel, initrd, etc should only be freed if they
are allocated with the UEFI allocator.
Signed-off-by: Trammell Hudson
---
xen/common/efi/boot.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
index
wn loaded image to locate the PE sections for
the Xen configuration (`.config`), dom0 kernel (`.kernel`), dom0 initrd
(`.ramdisk`), and XSM config (`.xsm`), which are included after building
xen.efi using objcopy to add named sections for each input file.
Trammell Hudson (4):
efi/boot.c: add file.
place, which would not work if it were in a read-only
segment.
Signed-off-by: Trammell Hudson
---
xen/arch/arm/efi/efi-boot.h | 8 ++--
xen/arch/x86/efi/efi-boot.h | 26 +--
xen/common/efi/boot.c | 92 +++--
xen/include/efi/efidef.h| 2 +-
4 files
On Monday, September 14, 2020 10:30 AM, Jan Beulich wrote:
> On 14.09.2020 16:25, Trammell Hudson wrote:
> > By defining IN as const, the EFI handler functions become almost
> > const-correct and allow most of the rest of the EFI boot code to
> > use constant strings.
>
&
On Monday, September 14, 2020 10:55 AM, Jan Beulich wrote:
> On 14.09.2020 16:46, Trammell Hudson wrote:
> > Option 3 would be to write wrappers for the few functions that are
> > used in the EFI boot path that cast-away the constness of their
> > arguments (while also sile
On Tuesday, September 15, 2020 9:41 AM, Jan Beulich wrote:
> On 14.09.2020 17:05, Trammell Hudson wrote:
> > [...] I checked to see
> > which functions would need to be wrapped. It is a surprisingly
> > small number:
> > #define PrintStr(s) StdOut->OutputString(StdO
. For instance, the config parser code modifies the config
file in place, which would not work if it were in a read-only segment.
Signed-off-by: Trammell Hudson
---
xen/arch/arm/efi/efi-boot.h | 8 +-
xen/arch/x86/efi/efi-boot.h | 40 -
xen/common/efi/boot.c | 157
On Tuesday, September 15, 2020 12:36 PM, Jan Beulich wrote:
> In order for these casts to be halfway safe, they need to happen in
> inline functions, not macros. That way it'll be sufficiently clear
> and certain that it's really only the const which gets changed,
> but not e.g. also the pointed-t
On Wednesday, September 16, 2020 3:32 AM, Roger Pau Monné
wrote:
> On Mon, Sep 14, 2020 at 07:50:12AM -0400, Trammell Hudson wrote:
> > - s2w(&name_string);
>
> Don't you need to check that s2w succeed, so that name_string.w is not
> a random pointer from stack g
On Wednesday, September 16, 2020 3:45 AM, Roger Pau Monné
wrote:
> On Mon, Sep 14, 2020 at 07:50:13AM -0400, Trammell Hudson wrote:
> > If secure boot is enabled, the Xen command line arguments are ignored.
> > If a unified Xen image is used, then the bundled configuration, dom0
On Thursday, September 17, 2020 8:33 AM, Jan Beulich wrote:
> On 14.09.2020 13:50, Trammell Hudson wrote:
> [...]
> > +For all the examples the `.pad` section ended at 0x82d04100.
> > +All the sections are optional (`.config`, `.kernel`, `.ramdisk`, `.xsm`,
> > +
On Thursday, September 17, 2020 9:04 AM, Trammell Hudson
wrote:
> On Thursday, September 17, 2020 8:33 AM, Jan Beulich jbeul...@suse.com wrote:
> > [...]
> > > - if ( read_section(image, ".ucode", &ucode, NULL) )
> > > -return;
> &g
On Thursday, September 17, 2020 8:51 AM, Jan Beulich wrote:
> On 14.09.2020 13:50, Trammell Hudson wrote:
> > If secure boot is enabled, the Xen command line arguments are ignored.
> > If a unified Xen image is used, then the bundled configuration, dom0
> > kernel, and ini
wn loaded image to locate the PE sections for
the Xen configuration (`.config`), dom0 kernel (`.kernel`), dom0 initrd
(`.ramdisk`), and XSM config (`.xsm`), which are included after building
xen.efi using objcopy to add named sections for each input file.
Trammell Hudson (5):
efi/boot.c: Make fi
Other than the config file parser that edits the image inplace,
no other users of the file sections requires write access to the
data.
Signed-off-by: Trammell Hudson
---
xen/common/efi/boot.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/xen/common/efi/boot.c b
es from disk if
the named sections do not exist. This allows distributions to continue
with the status quo if they want a signed kernel + config, while still
allowing a user provided initrd (which is how the shim protocol currently
works as well).
Signed-off-by: Trammell hudson
---
.gitignore
The config file, kernel, initrd, etc should only be freed if they
are allocated with the UEFI allocator.
Signed-off-by: Trammell Hudson
---
xen/common/efi/boot.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
index
Add a separate function to display the address ranges used by
the files and call `efi_arch_handle_module()` on the modules.
Signed-off-by: Trammell Hudson
---
xen/common/efi/boot.c | 27 +--
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/xen/common/efi
+kernel+initrd modules linked into the
unified image. This also ensures that, on properly configured UEFI Secure Boot
platforms, the entire runtime will be measured into the TPM for unsealing
secrets or remote attestation.
Signed-off-by: Trammell Hudson
---
xen/common/efi/boot.c | 43
On Thursday, September 17, 2020 11:26 AM, Jan Beulich wrote:
> On 17.09.2020 16:05, Trammell Hudson wrote:
> > If we have a way to detect a unified image early enough, then
> > we can avoid the backwards incompatibility if it is not unified.
>
> I was assuming this wa
On Friday, September 18, 2020 11:15 AM, Jan Beulich wrote:
> On 17.09.2020 17:40, Trammell Hudson wrote:
> Instead of forcing the caller to pass in a dot-prefixed name
> and you assuming it's a dot here, how about ...
> ... pe_find_section() looking for '.' followed b
the section parameter of
efi_arch_cfg_file_early() and efi_arch_cfg_file_late()
and changes pe_find_section() to use a CHAR16 section name.
Signed-off-by: Trammell hudson
---
.gitignore | 1 +
docs/misc/efi.pandoc| 49 +++
xen/arch/arm/efi/efi-boot.h | 25 --
xen/arch/x86/efi
wn loaded image to locate the PE sections for
the Xen configuration (`.config`), dom0 kernel (`.kernel`), dom0 initrd
(`.ramdisk`), and XSM config (`.xsm`), which are included after building
xen.efi using objcopy to add named sections for each input file.
Trammell Hudson (5):
efi/boot.c: Make fi
Add a separate function to display the address ranges used by
the files and call `efi_arch_handle_module()` on the modules.
Signed-off-by: Trammell Hudson
Acked-by: Jan Beulich
---
xen/common/efi/boot.c | 27 +--
1 file changed, 17 insertions(+), 10 deletions(-)
diff
Other than the config file parser that edits the image inplace,
no other users of the file sections requires write access to the
data.
Signed-off-by: Trammell Hudson
Reviewed-by: Jan Beulich
Reviewed-by: Roger Pau Monné
---
xen/common/efi/boot.c | 11 ++-
1 file changed, 6 insertions
+kernel+initrd modules linked into the
unified image. This also ensures that, on properly configured UEFI Secure Boot
platforms, the entire runtime will be measured into the TPM for unsealing
secrets or remote attestation.
Signed-off-by: Trammell Hudson
---
xen/common/efi/boot.c | 43
The config file, kernel, initrd, etc should only be freed if they
are allocated with the UEFI allocator.
Signed-off-by: Trammell Hudson
Reviewed-by: Roger Pau Monné
---
xen/common/efi/boot.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/xen/common/efi/boot.c b
On Tuesday, September 29, 2020 6:17 AM, Jan Beulich wrote:
> On 21.09.2020 13:51, Trammell Hudson wrote:
> [...]
> > Reviewed-by: Roger Pau Monné roger@citrix.com
>
> Strictly speaking with the changes done from v5 to v6 this tag
> would have needed dropping. I guess
On Tuesday, September 29, 2020 11:37 AM, Jan Beulich wrote:
> On 21.09.2020 13:51, Trammell Hudson wrote:
> [...]
> > - file->need_to_free = false;
>
> In patch 2 you don't bother clearing the field, presumably because
> it's static data and hence zero-f
wn loaded image to locate the PE sections for
the Xen configuration (`.config`), dom0 kernel (`.kernel`), dom0 initrd
(`.ramdisk`), and XSM config (`.xsm`), which are included after building
xen.efi using objcopy to add named sections for each input file.
Trammell Hudson (5):
efi/boot.c: add file.
Add a separate function to display the address ranges used by
the files and call `efi_arch_handle_module()` on the modules.
Signed-off-by: Trammell Hudson
Acked-by: Jan Beulich
---
xen/common/efi/boot.c | 27 +--
1 file changed, 17 insertions(+), 10 deletions(-)
diff
This patch wraps the EFI OutputString() method so that they can be
called with const arguments. The OutputString method does not modify
its argument, although the prototype is missing const, so it is necssary
to cast away the const when calling it.
Signed-off-by: Trammell Hudson
---
xen/common
The config file, kernel, initrd, etc should only be freed if they
are allocated with the UEFI allocator. On x86 the ucode, and on
ARM the dtb, are also marked as need_to_free.
Signed-off-by: Trammell Hudson
---
xen/arch/arm/efi/efi-boot.h | 2 +-
xen/arch/x86/efi/efi-boot.h | 2 +-
xen
the section parameter of
efi_arch_cfg_file_early() and efi_arch_cfg_file_late()
and changes pe_find_section() to use a const CHAR16 section name.
Signed-off-by: Trammell Hudson
---
.gitignore | 1 +
docs/misc/efi.pandoc| 49 +++
xen/arch/arm/efi/efi-boot.h | 25 --
xen/arch
+kernel+initrd modules linked into the
unified image. This also ensures that, on properly configured UEFI Secure Boot
platforms, the entire runtime will be measured into the TPM for unsealing
secrets or remote attestation.
Signed-off-by: Trammell Hudson
---
xen/common/efi/boot.c | 43
On Wednesday, September 30, 2020 2:49 AM, Jan Beulich wrote:
> On 29.09.2020 20:17, Trammell Hudson wrote:
> > - if ( dtbfile.addr && dtbfile.size )
> > - if ( dtbfile.need_to_free )
> > efi_bs->FreePages(dtbfile.addr, PFN_UP(dtbfile.size));
> >
wn loaded image to locate the PE sections for
the Xen configuration (`.config`), dom0 kernel (`.kernel`), dom0 initrd
(`.ramdisk`), and XSM config (`.xsm`), which are included after building
xen.efi using objcopy to add named sections for each input file.
Trammell Hudson (5):
efi/boot.c: add file.
the section parameter of
efi_arch_cfg_file_early() and efi_arch_cfg_file_late(),
changes pe_find_section() to use a const CHAR16 section name,
and adds pe_name_compare() to match section names.
Signed-off-by: Trammell Hudson
---
.gitignore | 1 +
docs/misc/efi.pandoc| 49
xe
Add a separate function to display the address ranges used by
the files and call `efi_arch_handle_module()` on the modules.
Signed-off-by: Trammell Hudson
Acked-by: Jan Beulich
---
xen/common/efi/boot.c | 27 +--
1 file changed, 17 insertions(+), 10 deletions(-)
diff
new device tree.
Signed-off-by: Trammell Hudson
---
xen/arch/arm/efi/efi-boot.h | 11 +--
xen/arch/x86/efi/efi-boot.h | 2 +-
xen/common/efi/boot.c | 10 ++
3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi
+kernel+initrd modules linked into the
unified image. This also ensures that, on properly configured UEFI Secure Boot
platforms, the entire runtime will be measured into the TPM for unsealing
secrets or remote attestation.
Signed-off-by: Trammell Hudson
---
xen/common/efi/boot.c | 43
remove unneeded un-const casts.
Signed-off-by: Trammell Hudson
Reviewed-by: Jan Beulich
---
xen/common/efi/boot.c | 21 ++---
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
index 93cfeba7e1..bd629eb658 100644
--- a
On Wednesday, September 30, 2020 8:15 AM, Jan Beulich wrote:
> On 30.09.2020 14:00, Trammell Hudson wrote:
> > This patch wraps the EFI OutputString() method so that they can be
> > called with const arguments. The OutputString method does not modify
> > its argument, alth
On Friday, October 2, 2020 4:27 AM, Jan Beulich wrote:
> On 30.09.2020 14:00, Trammell Hudson wrote:
> > - /* Read and parse the config file. */
>
> I'm sorry for noticing this only now, but I don't think this comment
> should be moved. If no other ne
new device tree.
Signed-off-by: Trammell Hudson
Reviewed-by: Jan Beulich
---
xen/arch/arm/efi/efi-boot.h | 11 +--
xen/arch/x86/efi/efi-boot.h | 2 +-
xen/common/efi/boot.c | 10 ++
3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/xen/arch/arm/efi/efi
wn loaded image to locate the PE sections for
the Xen configuration (`.config`), dom0 kernel (`.kernel`), dom0 initrd
(`.ramdisk`), and XSM config (`.xsm`), which are included after building
xen.efi using objcopy to add named sections for each input file.
Trammell Hudson (4):
efi/boot.c: add file.
the section parameter of
efi_arch_cfg_file_early() and efi_arch_cfg_file_late(),
changes pe_find_section() to use a const CHAR16 section name,
and adds pe_name_compare() to match section names.
Signed-off-by: Trammell Hudson
Reviewed-by: Jan Beulich
---
.gitignore | 1 +
docs/misc/efi.pandoc
Add a separate function to display the address ranges used by
the files and call `efi_arch_handle_module()` on the modules.
Signed-off-by: Trammell Hudson
Acked-by: Jan Beulich
---
xen/common/efi/boot.c | 27 +--
1 file changed, 17 insertions(+), 10 deletions(-)
diff
+kernel+initrd modules linked into the
unified image. This also ensures that, on properly configured UEFI Secure Boot
platforms, the entire runtime will be measured into the TPM for unsealing
secrets or remote attestation.
Signed-off-by: Trammell Hudson
---
xen/common/efi/boot.c | 43
Any further thoughts on this patch series? Three out of four of
them have been reviewed or acked by at least one reviewer, with
only the last one currently unreviewed.
--
Trammell
On Friday, October 2, 2020 1:18 PM, Trammell Hudson wrote:
> This patch series adds support for bundling
On Friday, October 9, 2020 10:27 PM, Andrew Cooper
wrote:
> [...]
> Looks like arm64 is crashing fairly early on boot.
>
> This is probably caused by "efi: Enable booting unified
> hypervisor/kernel/initrd images".
Darn it. I'm working out how to build and boot qemu aarch64 so
that I can figure
On Saturday, October 10, 2020 1:42 PM, Trammell Hudson wrote:
> On Friday, October 9, 2020 10:27 PM, Andrew Cooper andrew.coop...@citrix.com
> wrote:
> > [...]
> > Looks like arm64 is crashing fairly early on boot.
> > This is probably caused by "efi: Enable booting
I have preliminary patches to support bundling the Xen hypervisor, xen.cfg, the
Linux kernel, initrd and XSM into a single "unified" EFI executable that can be
signed by sbsigntool for verification by UEFI Secure Boot. It is inspired by
systemd-boot's unified kernel technique and borrows the fu
This preliminary patch adds support for bundling the Xen hypervisor, xen.cfg,
the Linux kernel, initrd and XSM into a single "unified" EFI executable that
can be signed by sbsigntool for verification by UEFI Secure Boot. It is
inspired by systemd-boot's unified kernel technique and borrows the
When building xen from head with almost any combination of options, the
resulting xen.efi seems properly formed. When CONFIG_LIVEPATCH is turned off,
however, the resulting xen.efi is corrupted in some way and binutils no longer
wants to work with it:
~/build/xen-clean/xen$ git rev-parse HEAD
8
On Thursday, August 6, 2020 9:57 AM, Jan Beulich wrote:
> On 05.08.2020 19:20, Trammell Hudson wrote:
> > This preliminary patch adds support for bundling the Xen hypervisor,
> > xen.cfg,
> > the Linux kernel, initrd and XSM into a single "unified" EFI execu
On Thursday, August 6, 2020 2:04 PM, Jan Beulich wrote:
> On 06.08.2020 13:44, Trammell Hudson wrote:
>
> > On Thursday, August 6, 2020 9:57 AM, Jan Beulich jbeul...@suse.com wrote:
> >
> > > Overall I think it might help if this PE parsing code (if UEFI
> > &g
On Thursday, August 6, 2020 6:40 PM, Jan Beulich wrote:
> On 05.08.2020 20:19, Trammell Hudson wrote:
> [...]
> > ~/build/xen-clean/xen$ objcopy xen.efi test.efi
> > objcopy: test.efi: Data Directory size (1c) exceeds space left in section
> > (18)
> > objcopy: t
On Thursday, August 6, 2020 8:14 PM, Andrew Cooper
wrote:
> For SecureBoot, it is important that nothing which is signed can be
> tricked into running unsigned code.
>
> That includes configuration such as xen.cfg or the command line.
> Consuming these from unsigned sources is ok, so long as we c
On Friday, August 7, 2020 2:23 PM, Jan Beulich wrote:
> On 06.08.2020 16:15, Trammell Hudson wrote:
> > --- /dev/null
> > +++ b/xen/arch/x86/efi/pe.c
> > @@ -0,0 +1 @@
> > +../../../common/efi/pe.c
> > \ No newline at end of file
>
> This isn't suppos
[ Responding to both Jan and Andrew's comments about config parsing
and file sources when secure boot is enabled ]
On Friday, August 7, 2020 2:23 PM, Jan Beulich wrote:
> [...]
> As said before, I think we want an all-or-nothing approach. You
> want to first establish whether the image is a unifi
n once
per file.
Signed-off-by: Trammell hudson
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index c9b6af8..4b15e06 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -679,6 +679,15 @@ static void __init noreturn reinit_bsp_stack(void)
reset_stack_and_jump_nolp
On Wednesday, August 12, 2020 8:16 PM, Andrew Cooper
wrote:
> However, the use of LINE creates problems for livepatch builds, as
> it causes the binary diffing tools to believe these changed, based on a
> change earlier in the file.
Ah, I hadn't considered that. Makes sense that the
determinis
s will measure the entire runtime into
the TPM for unsealing secrets or remote attestation.
Signed-off-by: Trammell Hudson
diff --git a/xen/Makefile b/xen/Makefile
index a87bb225dc..e4e4c6d5c1 100644
--- a/xen/Makefile
+++ b/xen/Makefile
@@ -355,7 +355,7 @@ $(TARGET): delete-unfresh-files
On Fri, Mar 12, 2021 at 04:24:53PM +0100, Marek Marczykowski-G??recki wrote:
> On Thu, Mar 11, 2021 at 10:34:02AM -0800, Bob Eshleman wrote:
> > We would like to start a working group for secure boot support in Xen
> > to coordinate the various interested parties and set out a plan for
> > the feat
90 matches
Mail list logo
