From: Bobby Eshleman <bobbyeshleman@gmail.com>
To: Xen-devel <xen-devel@lists.xenproject.org>
Cc: Bobby Eshleman <bobbyeshleman@gmail.com>,
Daniel Kiper <daniel.kiper@oracle.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
George Dunlap <george.dunlap@citrix.com>,
Ian Jackson <iwj@xenproject.org>, Jan Beulich <jbeulich@suse.com>,
Julien Grall <julien@xen.org>,
Stefano Stabellini <sstabellini@kernel.org>, Wei Liu <wl@xen.org>,
Olivier Lambert <olivier.lambert@vates.fr>
Subject: [PATCH v3 0/5] Support Secure Boot for multiboot2 Xen
Date: Thu, 21 Jan 2021 16:51:39 -0800
Message-ID: <cover.1611273359.git.bobbyeshleman@gmail.com>
This is version 3 for a patch set sent out to the ML in 2018 [1] to
support UEFI Secure Boot for Xen on multiboot2 platforms.
A new binary, xen.mb.efi, is built. It contains the mb2 header as well
as a hand-crafted PE/COFF header. The dom0 kernel is verified using the
shim lock protocol.
I followed up on v2 feedback and attempted to convert the PE/COFF header
into C instead of ASM. Unfortunately, this was only possible for the
first part (Legacy) of the PE/COFF header. The other parts required
addresses only available at link time (such as __2M_rwdata_end,
__pe_SizeOfImage, efi_mb_start address, etc.), which effectively ruled
out C.
The biggest difference between v2 and v3 is that in v3 we do not attempt
to merge xen.mb.efi and xen.efi into a single binary. Instead, this
will be left to a future patch set, unless requested otherwise.
[1]: https://lists.xen.org/archives/html/xen-devel/2018-06/msg01292.html
Changes in v3:
- add requested comment clarification
- remove unnecessary fake data from PE/COFF head (like linker versions)
- macro-ize and refactor Makefile according to Jan's feedback
- break PE/COFF header into its own file
- shrink the PE/COFF to start 0x40 instead of 0x80 (my tests showed
this functioning with no problem, on a live nested VM or using
objdump/objcopy)
- support SOURCE_EPOCH for posix time
- removed `date` invocation that would break on FreeBSD
- style changes
- And obviously, ported to current HEAD
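A sanity check for a hand-crafted header like the one described above, added here as an example and not code from this patch set: it walks the DOS header, COFF file header and PE32+ optional header of a constructed sample image (field offsets are from the PE/COFF specification; all values are constructed, the timestamp is borrowed from this message's id) and rejects a header whose PE signature is not where e_lfanew points, which is the kind of check objdump/objcopy would be used for.

```python
import struct

DOS_MAGIC = b"MZ"
PE_SIG = b"PE\0\0"
E_LFANEW_OFF = 0x3C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10


def parse_pe_header(image: bytes) -> dict:
    """Return the header fields a reviewer checks; raise ValueError if malformed."""
    if image[:2] != DOS_MAGIC:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFF)
    if image[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("no PE signature at e_lfanew=%#x" % e_lfanew)
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20  # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic != PE32PLUS_MAGIC or opt_size < 112:
        raise ValueError("expected a PE32+ optional header")
    # PE32+ layout: AddressOfEntryPoint +16, BaseOfCode +20, ImageBase +24,
    # SectionAlignment +32, SizeOfImage +56, SizeOfHeaders +60, Subsystem +68.
    entry, _base_of_code, image_base, sect_align = struct.unpack_from("<IIQI", image, opt + 16)
    size_of_image, size_of_headers = struct.unpack_from("<II", image, opt + 56)
    (subsystem,) = struct.unpack_from("<H", image, opt + 68)
    if sect_align == 0 or size_of_image % sect_align:
        raise ValueError("SizeOfImage is not a multiple of SectionAlignment")
    if not (size_of_headers <= entry < size_of_image):
        raise ValueError("entry point lies outside the image")
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": nsect,
            "timestamp": stamp, "entry": entry, "image_base": image_base,
            "size_of_image": size_of_image, "subsystem": subsystem}


def build_sample_image() -> bytes:
    """Constructed sample (not a Xen build product): PE32+ header starting at 0x40."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFF, 0x40)   # PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 1611273359, 0, 0, 112, 0x22)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x200000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x400000, 0x200)  # SizeOfImage/SizeOfHeaders
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_EFI_APPLICATION)
    image = bytes(dos) + PE_SIG + coff + bytes(opt)
    return image + bytes(0x200 - len(image))           # pad headers to SizeOfHeaders
```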
Daniel Kiper (5):
xen: add XEN_BUILD_POSIX_TIME
xen/x86: manually build xen.mb.efi binary
xen/x86: add some addresses to the Multiboot header
xen/x86: add some addresses to the Multiboot2 header
xen/x86/efi: Verify dom0 kernel with SHIM_LOCK protocol in efi_multiboot2()
xen/Makefile | 22 ++++---
xen/arch/x86/Makefile | 7 +-
xen/arch/x86/arch.mk | 2 +
xen/arch/x86/boot/Makefile | 1 +
xen/arch/x86/boot/head.S | 53 +++++++++++++--
xen/arch/x86/boot/pecoff.S | 123 +++++++++++++++++++++++++++++++++++
xen/arch/x86/efi/efi-boot.h | 30 ++++++++-
xen/arch/x86/efi/stub.c | 17 ++++-
xen/arch/x86/xen.lds.S | 34 ++++++++++
xen/common/efi/boot.c | 19 ++++--
xen/include/xen/compile.h.in | 1 +
xen/include/xen/efi.h | 1 +
12 files changed, 283 insertions(+), 27 deletions(-)
create mode 100644 xen/arch/x86/boot/pecoff.S
--
2.30.0