[Fedora-xen] Xen, Fedora, and UEFI Secure Boot

Dario Faggioli raistlin at linux.it
Thu Jul 12 09:35:18 UTC 2012


On Thu, 2012-07-12 at 10:21 +0100, M A Young wrote: 
> > Is the fact that Fedora release guidelines include Xen _guest_ support
> > but not full _host_ functionalities going to be an issue if/when we
> > decide to try influencing this
> > http://fedoraproject.org/wiki/Features/SecureBoot ?
> 
> In terms of getting xen into the Fedora signing game we would either need 
> to get the people behind the SecureBoot feature to add xen or submit our 
> own feature to add that functionality (I haven't contacted them but I 
> guess they would prefer the latter).
> 
I see. Well, you sure are way more confident than me with the "adding
features" process (I'm trying to get into how this sort of thing works
for Fedora), but I'm available to provide any help with anything you
think I could do in order to achieve that.

> With regard to technical challenges I wonder what if any signature 
> checking xen itself would need to do (for example would it check the 
> signature on the dom0 kernel or would grub2 do that) because part of the 
> securing process would be to ensure that xen itself didn't leave open 
> doors to break into the secure system. Also there is the question of 
> drivers as I gather they need to be signed to talk to bios devices, which 
> may simply be a pass through of the dom0 kernel signed drivers or might be 
> more complicated.
> 
These are all very interesting questions, to which I'm far from having an
answer... However, as I think they also apply to other hypervisors (and
KVM among them), we can at least look at what they have in mind and/or
share thoughts and ideas, can't we?

Thanks and Regards,
Dario

-- 
<<This happens because I choose it to happen!>> (Raistlin Majere)
-----------------------------------------------------------------
Dario Faggioli, Ph.D, http://retis.sssup.it/people/faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)

