On 20.06.2025 11:39, Roger Pau Monné wrote: > On Mon, Jun 02, 2025 at 02:36:34PM +0100, Ross Lagerwall wrote: >> From: Kevin Lampis <kevin.lam...@cloud.com> >> >> Make it possible to embed a public key in Xen to be used when verifying >> live patch payloads. Inclusion of the public key is optional. >> >> To avoid needing to include a DER / X.509 parser in the hypervisor, the >> public key is unpacked at build time and included in a form that is >> convenient for the hypervisor to consume. This is different approach >> from that used by Linux which embeds the entire X.509 certificate and >> builds in a parser for it. >> >> A suitable key can be created using openssl: >> >> openssl req -x509 -newkey rsa:2048 -keyout priv.pem -out pub.pem \ >> -sha256 -days 3650 -nodes \ >> -subj >> "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname" >> openssl x509 -inform PEM -in pub.pem -outform PEM -pubkey -nocert -out >> verify_key.pem >> >> Signed-off-by: Kevin Lampis <kevin.lam...@cloud.com> >> Signed-off-by: Ross Lagerwall <ross.lagerw...@citrix.com> >> --- >> >> In v3: >> >> * Drop unnecessary condition in Makefile >> * Use dashes instead of underscores >> * Drop section placement annotation on declaration >> * Clarify endianness of embedded key >> >> xen/common/Kconfig | 18 +++++++++++++++++ >> xen/crypto/Makefile | 11 ++++++++++ >> xen/include/xen/livepatch.h | 5 +++++ >> xen/tools/extract-key.py | 40 +++++++++++++++++++++++++++++++++++++ >> 4 files changed, 74 insertions(+) >> create mode 100755 xen/tools/extract-key.py >> >> diff --git a/xen/common/Kconfig b/xen/common/Kconfig >> index 0951d4c2f286..74673078202a 100644 >> --- a/xen/common/Kconfig >> +++ b/xen/common/Kconfig >> @@ -472,6 +472,24 @@ config LIVEPATCH >> >> If unsure, say Y. >> >> +config PAYLOAD_VERIFY >> + bool "Verify signed LivePatch payloads" >> + depends on LIVEPATCH >> + select CRYPTO >> + help >> + Verify signed LivePatch payloads using an RSA public key built >> + into the Xen hypervisor. Selecting this option requires a >> + public key in PEM format to be available for embedding during >> + the build. >> + >> +config PAYLOAD_VERIFY_KEY >> + string "File name of public key used to verify payloads" >> + default "verify_key.pem" >> + depends on PAYLOAD_VERIFY >> + help >> + The file name of an RSA public key in PEM format to be used for >> + verifying signed LivePatch payloads. > > I think this is likely to break the randconfig testing that we do in > Gitlab CI, as randconfig could select PAYLOAD_VERIFY, but there will > be no key included, and hence the build will fail? > > Ideally Gitlab CI would need to be adjusted to provide such key so the > build doesn't fail. I think it could be provided unconditionally to > simplify the logic, if the option is not selected the file will simply > be ignored.
Alternatively the two options could be folded, the default being the empty string meaning "no payload verification". I don't think randconfig can sensibly make up random strings ... Jan
