On 05.08.2020 13:29, Trammell Hudson wrote: > I have preliminary patches to support bundling the Xen hypervisor, xen.cfg, > the Linux kernel, initrd and XSM into a single "unified" EFI executable that > can be signed by sbsigntool for verification by UEFI Secure Boot. It is > inspired by systemd-boot's unified kernel technique and borrows the function > to locate PE sections from systemd's LGPL'ed code. > > The configuration, kernel, etc are added after building using objcopy to add > named sections for each input file. This allows an administrator to update > the components independently without requiring rebuilding xen. During EFI > boot, Xen looks at its own loaded image to locate the PE sections and, if > secure boot is enabled, only allows use of the unified components. > > The resulting EFI executable can be invoked directly from the UEFI Boot > Manager, removing the need to use a separate loader like grub. Unlike the > shim based verification, the signature covers the entire > Xen+config+kernel+initrd unified file. This also ensures that properly > configured platforms will measure the entire runtime into the TPM for > unsealing secrets or remote attestation. > > I've tested it on qemu OVMF with Secure Boot enabled, as well as on real > Thinkpad hardware. The EFI console is very slow, although it works and is > able to boot into dom0. > > The current patch set is here, and I'd appreciate suggestions on the > technique or cleanup for submission: > https://github.com/osresearch/xen/tree/secureboot
Sounds quite interesting, thanks, but please post the Xen patches here for commenting, perhaps with an RFC tag for now. Jan
