xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
From: Bobby Eshleman <bobbyeshleman@gmail.com>
To: Xen-devel <xen-devel@lists.xenproject.org>
Cc: Bobby Eshleman <bobbyeshleman@gmail.com>,
	Daniel Kiper <daniel.kiper@oracle.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	George Dunlap <george.dunlap@citrix.com>,
	Ian Jackson <iwj@xenproject.org>, Jan Beulich <jbeulich@suse.com>,
	Julien Grall <julien@xen.org>,
	Stefano Stabellini <sstabellini@kernel.org>, Wei Liu <wl@xen.org>,
	Olivier Lambert <olivier.lambert@vates.fr>
Subject: [PATCH v3 0/5] Support Secure Boot for multiboot2 Xen
Date: Thu, 21 Jan 2021 16:51:39 -0800	[thread overview]
Message-ID: <cover.1611273359.git.bobbyeshleman@gmail.com> (raw)

This is version 3 for a patch set sent out to the ML in 2018 [1] to
support UEFI Secure Boot for Xen on multiboot2 platforms.

A new binary, xen.mb.efi, is built.  It contains the mb2 header as well
as a hand-crafted PE/COFF header.  The dom0 kernel is verified using the
shim lock protocol.

I followed with v2 feedback and attempted to convert the PE/COFF header
into C instead of ASM.  Unfortunately, this was only possible for the
first part (Legacy) of the PE/COFF header.  The other parts required
addresses only available at link time (such as __2M_rwdata_end,
__pe_SizeOfImage, efi_mb_start address, etc...), which effectively ruled
out C.

The biggest difference between v2 and v3 is that in v3 we do not attempt
to merge xen.mb.efi and xen.efi into a single binary.  Instead, this
will be left to a future patch set, unless requested otherwise.

[1]: https://lists.xen.org/archives/html/xen-devel/2018-06/msg01292.html

Changes in v3:

- add requested comment clarification
- remove unnecessary fake data from PE/COFF head (like linker versions)
- macro-ize and refactor Makefile according to Jan's feedback
- break PE/COFF header into its own file
- shrink the PE/COFF to start 0x40 instead of 0x80 (my tests showed
  this function with no problem, on a live nested vm or using
  objdump/objcopy)
- support SOURCE_EPOCH for posix time
- removed `date` invocation that would break on FreeBSD
- style changes
- And obviously, ported to current HEAD

Daniel Kiper (5):
  xen: add XEN_BUILD_POSIX_TIME
  xen/x86: manually build xen.mb.efi binary
  xen/x86: add some addresses to the Multiboot header
  xen/x86: add some addresses to the Multiboot2 header
  xen/x86/efi: Verify dom0 kernel with SHIM_LOCK protocol in
    efi_multiboot2()

 xen/Makefile                 |  22 ++++---
 xen/arch/x86/Makefile        |   7 +-
 xen/arch/x86/arch.mk         |   2 +
 xen/arch/x86/boot/Makefile   |   1 +
 xen/arch/x86/boot/head.S     |  53 +++++++++++++--
 xen/arch/x86/boot/pecoff.S   | 123 +++++++++++++++++++++++++++++++++++
 xen/arch/x86/efi/efi-boot.h  |  30 ++++++++-
 xen/arch/x86/efi/stub.c      |  17 ++++-
 xen/arch/x86/xen.lds.S       |  34 ++++++++++
 xen/common/efi/boot.c        |  19 ++++--
 xen/include/xen/compile.h.in |   1 +
 xen/include/xen/efi.h        |   1 +
 12 files changed, 283 insertions(+), 27 deletions(-)
 create mode 100644 xen/arch/x86/boot/pecoff.S

-- 
2.30.0



             reply	other threads:[~2021-01-22  0:55 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-22  0:51 Bobby Eshleman [this message]
2021-01-22  0:51 ` [PATCH v3 1/5] xen: add XEN_BUILD_POSIX_TIME Bobby Eshleman
2021-01-22 11:27   ` Jan Beulich
2021-01-22 21:57     ` Bobby Eshleman
2021-01-25  8:58       ` Jan Beulich
2021-01-22  0:51 ` [PATCH v3 2/5] xen/x86: manually build xen.mb.efi binary Bobby Eshleman
2021-03-15 13:36   ` Jan Beulich
2021-05-07 20:26     ` Bob Eshleman
2021-05-17  6:48       ` Jan Beulich
2021-05-17 13:20         ` Daniel Kiper
2021-05-17 13:24           ` Jan Beulich
2021-05-18 17:46             ` Daniel Kiper
2021-05-19  9:29               ` Jan Beulich
2021-05-19 12:48                 ` Daniel Kiper
2021-05-19 14:35                   ` Jan Beulich
2021-06-09 13:18                     ` Daniel Kiper
2021-06-09 13:45                       ` Jan Beulich
2021-01-22  0:51 ` [PATCH v3 3/5] xen/x86: add some addresses to the Multiboot header Bobby Eshleman
2021-03-15 15:05   ` Jan Beulich
2021-01-22  0:51 ` [PATCH v3 4/5] xen/x86: add some addresses to the Multiboot2 header Bobby Eshleman
2021-02-23  9:04   ` Roger Pau Monné
2021-02-23 18:07     ` Bob Eshleman
2021-01-22  0:51 ` [PATCH v3 5/5] xen/x86/efi: Verify dom0 kernel with SHIM_LOCK protocol in efi_multiboot2() Bobby Eshleman
2021-03-16 15:08   ` Jan Beulich
2021-01-22  9:39 ` [PATCH v3 0/5] Support Secure Boot for multiboot2 Xen Jan Beulich
2021-01-22 21:18   ` Bobby Eshleman
2021-01-25  8:52     ` Jan Beulich
2021-02-22 18:04 ` Bobby Eshleman
2021-02-23  7:16   ` Jan Beulich
2021-02-23 18:00     ` Bob Eshleman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cover.1611273359.git.bobbyeshleman@gmail.com \
    --to=bobbyeshleman@gmail.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=daniel.kiper@oracle.com \
    --cc=george.dunlap@citrix.com \
    --cc=iwj@xenproject.org \
    --cc=jbeulich@suse.com \
    --cc=julien@xen.org \
    --cc=olivier.lambert@vates.fr \
    --cc=sstabellini@kernel.org \
    --cc=wl@xen.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).