[Fedora-xen] Xen, Fedora, and UEFI Secure Boot

[M A Young]

On Wed, 11 Jul 2012, Dario Faggioli wrote:

> On Thu, 2012-07-05 at 11:04 -0400, Konrad Rzeszutek Wilk wrote:
>>> Ok, so, should we be concerned? Is there something we can/should do
>>> about that? How do you think we can help in having xen being considered?
>>
>> First the Linux kernel running under EFI has to actually boot (with Xen
>> hypervisor).  It doesn't do that yet and the upstream kernel would
>> need patches for that.
>>
> Yes, I can imagine there are technical challenges and open issues, but
> (although, of course, I might be wrong), that is not what scares me
> most... I really think there are good enough "brains" working on
> them! :-)
>
> What I wanted to know here is whether or not there already are plans to
> include the xen binaries in that signing game, so that Fedora users can
> still `yum install xen -- reboot --start playing' as it is happening
> now, and, more important, if that is not the case what we can do to help
> this.
>
> Is the fact that Fedora release guidelines include Xen  _guest_ support
> but not full _host_ functionalities going to be an issue if/when we
> decide to try influencing this
> http://fedoraproject.org/wiki/Features/SecureBoot ?

In terms of getting xen into the Fedora signing game we would either need 
to get the people behind the SecureBoot feature to add xen or submit our 
own feature to add that functionality (I haven't contacted them but I 
guess they would prefer the latter).

With regard to technical challenges I wonder what if any signature 
checking xen itself would need to do (for example would it check the 
signature on the dom0 kernel or would grub2 do that) because part of the 
securing process would be to ensure that xen itself didn't leave open 
doors to break into the secure system. Also there is the question of 
drivers as I gather they need to be signed to talk to bios devices, which 
may simply be a pass through of the dom0 kernel signed drivers or might be 
more complicated.

 	Michael Young