On 02.06.2025 15:36, Ross Lagerwall wrote:
> From: Kevin Lampis <kevin.lam...@cloud.com>
>
> Make it possible to embed a public key in Xen to be used when verifying
> live patch payloads. Inclusion of the public key is optional.
>
> To avoid needing to include a DER / X.509 parser in the hypervisor, the
> public key is unpacked at build time and included in a form that is
> convenient for the hypervisor to consume. This is a different approach
> from that used by Linux, which embeds the entire X.509 certificate and
> builds in a parser for it.
>
> A suitable key can be created using openssl:
>
> openssl req -x509 -newkey rsa:2048 -keyout priv.pem -out pub.pem \
>     -sha256 -days 3650 -nodes \
>     -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
> openssl x509 -inform PEM -in pub.pem -outform PEM -pubkey -nocert -out verify_key.pem
>
> Signed-off-by: Kevin Lampis <kevin.lam...@cloud.com>
> Signed-off-by: Ross Lagerwall <ross.lagerw...@citrix.com>
While reviewing patch 4 it occurred to me: Why embed the key? Can't this
be specified as (another) boot module?

Jan
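To make the build-time unpacking described in the quoted cover letter concrete, here is an added illustration (not code from the Xen patch series, and not part of Jan's reply) of what such a build step has to do: read the PEM file that `openssl x509 -pubkey` writes, walk the DER SubjectPublicKeyInfo structure once on the build host, and emit the raw modulus and exponent in a form the hypervisor can consume without carrying an ASN.1 parser. The key embedded in the script is a constructed toy RSA key (n = 3233, e = 17) so that the example runs offline; the emitted C identifier names (`livepatch_verify_key_n`, `livepatch_verify_key_e`) are my assumption and not names from the patch. Only the Python standard library is used.

```python
"""Build-time unpacking of an RSA SubjectPublicKeyInfo into C-friendly form.

Added example, not the Xen patch's own tooling. Parses the DER once on the
build host and emits the modulus/exponent as plain C data, so the hypervisor
needs no DER / X.509 parser. The sample key is a CONSTRUCTED toy key
(n = 3233, e = 17); a real key would be RSA-2048 and use long-form lengths,
which der_read_tlv() also handles.
"""
import base64
import re

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded contents octets.
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")

# CONSTRUCTED toy SubjectPublicKeyInfo:
#   SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
#              BIT STRING { SEQUENCE { INTEGER n=3233, INTEGER e=17 } } }
TOY_SPKI_DER = bytes.fromhex(
    "301B"
    "300D06092A864886F70D0101010500"
    "030A00300702020CA1020111"
)


def der_read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem_text):
    """Strip the PEM armour written by `openssl x509 -pubkey` and decode it."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("not a PEM PUBLIC KEY block")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    """Wrap DER in PEM armour (only used here to build the sample input)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines)
            + "\n-----END PUBLIC KEY-----\n")


def unpack_rsa_public_key(der):
    """Walk SubjectPublicKeyInfo and return (modulus, exponent) as ints.

    Every structural expectation is checked so that a malformed or non-RSA
    key fails the build instead of producing garbage constants.
    """
    tag, spki, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = der_read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, _ = der_read_tlv(alg, 0)
    if tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("only rsaEncryption keys are supported")
    tag, bitstr, _ = der_read_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("subjectPublicKey must be a byte-aligned BIT STRING")
    tag, rsakey, _ = der_read_tlv(bitstr, 1)  # skip the unused-bits octet
    if tag != 0x30:
        raise ValueError("RSAPublicKey must be a SEQUENCE")
    tag_n, n_bytes, pos = der_read_tlv(rsakey, 0)
    tag_e, e_bytes, _ = der_read_tlv(rsakey, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def to_c_header(n, e, name="livepatch_verify_key"):
    """Emit the key as plain C data; the identifier prefix is an assumption."""
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")  # drops DER's sign pad
    body = ", ".join(f"0x{b:02x}" for b in n_bytes)
    return (
        f"/* generated at build time: {len(n_bytes) * 8}-bit RSA modulus */\n"
        f"static const unsigned char {name}_n[{len(n_bytes)}] = {{ {body} }};\n"
        f"static const unsigned long {name}_e = {e}UL;\n"
    )


if __name__ == "__main__":
    # Simulate the verify_key.pem produced by the openssl command above.
    pem = der_to_pem(TOY_SPKI_DER)
    n, e = unpack_rsa_public_key(pem_to_der(pem))
    print(to_c_header(n, e))
```

Run against a real verify_key.pem the same walk applies; only the lengths switch to long form. The point of failing loudly on any unexpected tag or OID is that a build step like this is the only place the key's structure is ever interpreted, so it should refuse anything other than the exact shape the hypervisor-side verifier expects.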