Re: secure boot & direct kernel load (was: Re: [PATCH] x86/loader: only
From: Daniel P. Berrangé
Subject: Re: secure boot & direct kernel load (was: Re: [PATCH] x86/loader: only patch linux kernels)
Date: Mon, 15 Apr 2024 14:48:03 +0100
User-agent: Mutt/2.2.12 (2023-09-09)

On Mon, Apr 15, 2024 at 03:30:32PM +0200, Gerd Hoffmann wrote:
> Hi,
>
> > > Options I see:
> > >
> > > (a) Stop using direct kernel boot, let virt-install & other tools
> > > create vfat boot media with shim+kernel+initrd instead.
> > >
> > > (b) Enroll the distro signing keys in the efi variable store, so
> > > booting the kernel without shim.efi works.
> > >
> > > (c) Add support for loading shim to qemu (and ovmf), for example
> > > with a new '-shim' command line option which stores shim.efi
> > > in some new fw_cfg file.
> >
> > The problem with this is that now virt-install has to actually
> > find the correct shim.efi binary. It is already somewhat hard
> > to find a suitable kernel+initrd binary, and AFAIK, the places
> > where we get these binaries don't have shim.efi alongside.
> >
> > eg for RHEL/Fedora we grab kernel+initrd from the pxeboot dir:
> >
> >
> > https://fedora.mirrorservice.org/fedora/linux/development/rawhide/Everything/x86_64/os/images/pxeboot/
>
> shim is
> https://fedora.mirrorservice.org/fedora/linux/development/rawhide/Everything/x86_64/os/EFI/BOOT/BOOTX64.EFI
>
> > In various forums we have discussed adding the secureboot
> > certs to the libosinfo database, so that we can have a
> > customized EFI varstore with minimized certs, even for the
> > ISO / HDD boot scenario.
>
> Well. It's not that easy unfortunately. At least the "minimized certs"
> part. shim often is signed with the microsoft keys only, so you can't
> drop that without rendering the install.iso unbootable.
>
> Only adding the distro certs without removing the microsoft certs works
> of course.

In that scenario libosinfo would report that the given OS
requires both the microsoft & $distro certs to be
enrolled.

Only if shim were signed by the $distro certs would
libosinfo omit reporting the microsoft certs.

Basically libosinfo would have to report whatever set
of 'n' certs are required to make boot work.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|