EFI + tboot + Xen

EFI + tboot + Xen

[Daniel Kiper]

Hey,

Has anybody tried to run EFI + tboot + Xen?
I have a feeling that it does not work because
tboot shuts down EFI boot services. However,
even if it works then efibootmgr is unusable
due to lack of EFI runtime services. Do we care?
Is it possible to make it work with full blown
EFI infrastructure available for Xen?

Daniel

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: EFI + tboot + Xen

[Andrew Cooper]

On 14/04/2017 15:54, Daniel Kiper wrote:
> Hey,
>
> Has anybody tried to run EFI + tboot + Xen?
> I have a feeling that it does not work because
> tboot shuts down EFI boot services. However,
> even if it works then efibootmgr is unusable
> due to lack of EFI runtime services. Do we care?
> Is it possible to make it work with full blown
> EFI infrastructure available for Xen?

Judging by
http://hg.code.sf.net/p/tboot/code/file/9352e6391332/tboot/common/boot.S#l83
it will be grub exiting boot services.  tboot needs rather more
multiboot2 knowledge before it could participate in a hand-off to Xen
while keeping boot services active.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: EFI + tboot + Xen

[Daniel Kiper]

On Fri, Apr 14, 2017 at 04:17:54PM +0100, Andrew Cooper wrote:
> On 14/04/2017 15:54, Daniel Kiper wrote:
> > Hey,
> >
> > Has anybody tried to run EFI + tboot + Xen?
> > I have a feeling that it does not work because
> > tboot shuts down EFI boot services. However,
> > even if it works then efibootmgr is unusable
> > due to lack of EFI runtime services. Do we care?
> > Is it possible to make it work with full blown
> > EFI infrastructure available for Xen?
>
> Judging by
> http://hg.code.sf.net/p/tboot/code/file/9352e6391332/tboot/common/boot.S#l83
> it will be grub exiting boot services.  tboot needs rather more
> multiboot2 knowledge before it could participate in a hand-off to Xen
> while keeping boot services active.

Sure, it is not a problem. However, I was told that it was (not) done
deliberately because we cannot trust EFI due to lack of its measurement.
I am not sure it is true or not. I though that somebody played with tboot
and Xen and has some knowledge in that area. Anyway, I will investigate
this further. However, any knowledge sharing is greatly appreciated.

Daniel

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: EFI + tboot + Xen

[Rich Persaud]

[-- Attachment #1.1: Type: text/plain, Size: 2174 bytes --]

On Apr 14, 2017, at 16:43, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> 
>> On Fri, Apr 14, 2017 at 04:17:54PM +0100, Andrew Cooper wrote:
>>> On 14/04/2017 15:54, Daniel Kiper wrote:
>>> Hey,
>>> 
>>> Has anybody tried to run EFI + tboot + Xen?
>>> I have a feeling that it does not work because
>>> tboot shuts down EFI boot services. However,
>>> even if it works then efibootmgr is unusable
>>> due to lack of EFI runtime services. Do we care?
>>> Is it possible to make it work with full blown
>>> EFI infrastructure available for Xen?
>> 
>> Judging by
>> http://hg.code.sf.net/p/tboot/code/file/9352e6391332/tboot/common/boot.S#l83
>> it will be grub exiting boot services.  tboot needs rather more
>> multiboot2 knowledge before it could participate in a hand-off to Xen
>> while keeping boot services active.
> 
> Sure, it is not a problem. However, I was told that it was (not) done
> deliberately because we cannot trust EFI due to lack of its measurement.
> I am not sure it is true or not. I though that somebody played with tboot
> and Xen and has some knowledge in that area. Anyway, I will investigate
> this further. However, any knowledge sharing is greatly appreciated.

On the OpenXT project, Ross Philipson has an early PoC:
https://github.com/rossphilipson/efi-tboot

From the README:
---
EFI TBOOT is mostly a proof of concept at this point. It is not currently functional. It can be built and installed as an EFI boot loader. It only works in conjunction with Xen at the moment. The current development work is being done on Fedora 25 x64. The status as of March 14, 2017 is: 

- EFI TBOOT will boot, but it needs a few key strokes to get going (this is for debugging purposes). 
- EFI TBOOT will relocate itself to EFI runtime memory and setup a shared runtime variable with Xen. 
- EFI related configuration setup is done as well as standard TBOOT pre- launch configuration. 
- Xen is launched and has code to call EFI TBOOT back after EBS. 
- EFI TBOOT then does the SENTER successfully in the callback. 
- The post launch entry point is reached but the switch back to long mode is not working
---

Rich

[-- Attachment #1.2: Type: text/html, Size: 6285 bytes --]

[-- Attachment #2: Type: text/plain, Size: 127 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: EFI + tboot + Xen

[Ross Philipson]

On 04/17/2017 06:05 PM, Rich Persaud wrote:
> On Apr 14, 2017, at 16:43, Daniel Kiper <daniel.kiper@oracle.com
> <mailto:daniel.kiper@oracle.com>> wrote:
> 
>> On Fri, Apr 14, 2017 at 04:17:54PM +0100, Andrew Cooper wrote:
>>> On 14/04/2017 15:54, Daniel Kiper wrote:
>>>> Hey,
>>>>
>>>> Has anybody tried to run EFI + tboot + Xen?
>>>> I have a feeling that it does not work because
>>>> tboot shuts down EFI boot services. However,
>>>> even if it works then efibootmgr is unusable
>>>> due to lack of EFI runtime services. Do we care?
>>>> Is it possible to make it work with full blown
>>>> EFI infrastructure available for Xen?
>>>
>>> Judging by
>>> http://hg.code.sf.net/p/tboot/code/file/9352e6391332/tboot/common/boot.S#l83
>>> it will be grub exiting boot services.  tboot needs rather more
>>> multiboot2 knowledge before it could participate in a hand-off to Xen
>>> while keeping boot services active.
>>
>> Sure, it is not a problem. However, I was told that it was (not) done
>> deliberately because we cannot trust EFI due to lack of its measurement.
>> I am not sure it is true or not. I though that somebody played with tboot
>> and Xen and has some knowledge in that area. Anyway, I will investigate
>> this further. However, any knowledge sharing is greatly appreciated.
> 
> On the OpenXT project, Ross Philipson has an early PoC:
> https://github.com/rossphilipson/efi-tboot
> 
> From the README:
> ---
> 
> EFI TBOOT is mostly a proof of concept at this point. It is not currently
> functional. It can be built and installed as an EFI boot loader. It only works
> in conjunction with Xen at the moment. The current development work is being
> done on Fedora 25 x64. The status as of March 14, 2017 is: 
> 
> 
> - EFI TBOOT will boot, but it needs a few key strokes to get going (this is for
> debugging purposes). 
> 
> - EFI TBOOT will relocate itself to EFI runtime memory and setup a shared
> runtime variable with Xen. 
> 
> - EFI related configuration setup is done as well as standard TBOOT pre- launch
> configuration. 
> 
> - Xen is launched and has code to call EFI TBOOT back after EBS. 
> 
> - EFI TBOOT then does the SENTER successfully in the callback. 
> 
> - The post launch entry point is reached but the switch back to long mode is not
> working
> 
> ---
> 
> 
> Rich
> 

So this project is a proof of concept at the moment. Currently the readme is out
of date (I will fix that). The SENTER returns correctly now and rebuilds the
world to get back into long mode. It then calls into the post launch function in
tboot.c and does a bit more before dying because it is incomplete.

Anyway I will work on fixing the readme with more details on what it is all about.

-- 
Ross Philipson

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel