[Fedora-xen] Xen, Fedora, and UEFI Secure Boot
M A Young
m.a.young at durham.ac.uk
Thu Jul 12 09:21:22 UTC 2012
On Wed, 11 Jul 2012, Dario Faggioli wrote:
> On Thu, 2012-07-05 at 11:04 -0400, Konrad Rzeszutek Wilk wrote:
>>> Ok, so, should we be concerned? Is there something we can/should do
>>> about that? How do you think we can help in having xen being considered?
>>
>> First the Linux kernel running under EFI has to actually boot (with Xen
>> hypervisor). It doesn't do that yet and the upstream kernel would
>> need patches for that.
>>
> Yes, I can imagine there are technical challenges and open issues, but
> (although, of course, I might be wrong), that is not what scares me
> most... I really think there are good enough "brains" working on
> them! :-)
>
> What I wanted to know here is whether or not there already are plans to
> include the xen binaries in that signing game, so that Fedora users can
> still `yum install xen -- reboot --start playing' as it is happening
> now, and, more important, if that is not the case what we can do to help
> this.
>
> Is the fact that Fedora release guidelines include Xen _guest_ support
> but not full _host_ functionalities going to be an issue if/when we
> decide to try influencing this
> http://fedoraproject.org/wiki/Features/SecureBoot ?
In terms of getting xen into the Fedora signing game we would either need
to get the people behind the SecureBoot feature to add xen or submit our
own feature to add that functionality (I haven't contacted them but I
guess they would prefer the latter).
With regard to technical challenges I wonder what if any signature
checking xen itself would need to do (for example would it check the
signature on the dom0 kernel or would grub2 do that) because part of the
securing process would be to ensure that xen itself didn't leave open
doors to break into the secure system. Also there is the question of
drivers as I gather they need to be signed to talk to bios devices, which
may simply be a pass through of the dom0 kernel signed drivers or might be
more complicated.
Michael Young
More information about the xen
mailing list