Is it possible to boot an unified kernel image as Xen Dom0 with UEFI Secure Boot?
I am trying to set up a Xen Host in a way that every step until booting the Dom0 Linux kernel is Secure Boot verified.
Without Xen, this could be achieved by signing an unified kernel image containing the kernel, initrd and kernel command-line parameters in a single EFI binary.
Signing only the Xen EFI binary is useless because the kernel, initrd and Xen configuration file could be modified without affecting Secure Boot.
When booted via Shim, Xen verifies the Dom0 kernel and initrd using the Shim protocol, but the Xen configuration file containing the kernel command-line parameters is not verified, so an attacker could still modify these parameters.
tklengyel/xen-uefi patches the Xen source code to measure the Xen configuration file into a PCR register. This would not be necessary if the signed kernel binary booted by Xen included the initrd and kernel command-line parameters and all other parameters specified in the Xen configuration file were ignored.
Is there any way to achieve this?
There is no support for it in the mainline Xen tree as of 4.15, although there are preliminary patches to support building a "unified Xen": https://github.com/osresearch/xen/tree/secureboot
This borrows the technique from systemd-boot to create the single unified Xen executable with xen.cfg, bzImage, initrd.img and an optional XSM file, each in their own named PE section. This executable can then be signed with sbsign and validated by UEFI Secure Boot using the Platform Key or key database. A UEFI boot manager entry can be created for this unified Xen so that grub is not required.
It's been tested in qemu with the OVMF Secure Boot enabled, as well as Thinkpad hardware. Further cleanup is necessary before it is ready for submission to xen-devel.
- Ansible xenserver_guest module not setting static IP on AlmaLinux 9 guest OS
- Understanding Groovy retry() and catchError()
- How to set IP address to alpine linux as Dom-U on Xen hypervisor?
- Detect virtualized OS from an application?
- xen hvm : no console
- How to Compress or write zero's /dev/zero to a swap file?
- UEFI Runtime Services: Role and Function Within an OS
- How to create my own CPU pool on boot in XEN
- What's the differences between Xen, QEMU and KVM?
- How do I remove Xen from Ubuntu?
- "openssl speed rsa" less performant on (normally) better cpu
- Java VMs that do not require an operating system?
- Get list of ip addesses from multiple citrix hypervisors vm's using ansible
- create paravirtualized domu using virt-manager
- Does cloudstack support Citrix Hypervisor 7 and 8?
- Is it possible to boot an unified kernel image as Xen Dom0 with UEFI Secure Boot?
- How do I enable bridged networking in Xen guest?
- merge a command's output with another's last field
- What are the differences between QEMU and VirtualBox?
- How do I login to a XEN session from a C# program using a secure string password?
- virsh restore with modified xml "Error: xml modification unsupported"
- Is it possible to snapshot state of virtual machine with all processes inside?
- XEN ParaVirt guest boot parameters
- Type-1 Hypervisors non-volatile memory isolation
- Automatic provisioning of xen in private cloud
- Why does an argument passed into a script block fail to work?
- Command not fully executing under ssh.net in c#
- How can I install and compile xen from the source code?
- Logging xm console output in xen?
- Windows 10 domU broken after upgrade xen 4.1 --> 4.8