Build and use default Secure Boot variable files #5
|
Note that there are two layers of UEFI certificates in XAPI. The default ones directly read from /usr, and the custom ones. |
|
My understanding is that since I've removed the cert downloading code, when |
|
I've updated the DBX generation script and spec files for generating our own dbx.auth. Note that there are two ways to generate our dbx (see the microsoft/secureboot_objects wiki):
I've chosen the first approach in my PR, but it can be easily changed if needed. |
|
Should I implement the PK changes as discussed? |
|
Changes:
Now the PK changes can be easily integrated. |
|
Changes:
I'll need to test manually first. (Also, please squash, the history is not clean for a straight merge) |
|
Tested with pool state cleared, then SB vars propagated to a After secureboot-certs install and repropagation: https://paste.vates.tech/?d0e321b00468a974#EAM1B5sMg7QTaWR8XJhsGLjZsVza5kY8iDFyfasYRSC3 |
|
Due to the order where Secure Boot variables are set during initial setup (https://github.com/xapi-project/varstored/blob/53277ffa62ab0021e8dac9faf5908566d4ce9bc7/handler.c#L170-L179), for things to work correctly if the VM has Secure Boot enabled during initial setup, the PK (and no other variable) will require a signed auth blob for pool-level installation. |
|
Added self-signed PK blob. Works with propagation; new Server 2022 installed from CD; and Ubuntu Server 24.04.1 booted from CD. Variable logs: https://paste.vates.tech/?0fce36801736b2b5#8j3i7jmZTVGFwMqCwEyenBZ2Um1nhJa7HPNCV3s6qbTE |
These are source files for the generation of Secure Boot variable blobs. Commit: 3f69ef448a55e1ba1836dcf7642b9f8fff025fcb Includes KEK/db/dbx certificates and dbx_info_msft_06_10_25.json. Signed-off-by: Tu Dinh <[email protected]>
Is the name appropriate? It suggests it is designed to build dbx but we also use it for KEK and db now.
Renamed
* Add gen-sbvar.py script for generating KEK/db from our own cert list and dbx from microsoft/secureboot_objects JSON source
* KEK/db/dbx blobs don't need to be signed for this purpose
* secureboot-certs changes:
  * Use included variable files by default
  * Don't create temp db key pair on install
  * Keep the 'latest' option to download the latest dbx

Signed-off-by: Tu Dinh <[email protected]>
Since varstored expects a self-signed PK.auth on Secure Boot activation, include that instead of using gen-sbvar.py at build time. Signed-off-by: Tu Dinh <[email protected]>
Windows guests and Linux guests with fwupd will update their dbx anyway even if it's set to none on a pool level. While setting it to none does reduce protection against Secure Boot bypasses, guests are expected to eventually fill the hole with these updates, and it's still useful for booting old installation media. Signed-off-by: Tu Dinh <[email protected]>
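The commit messages above describe building KEK/db from a certificate list and dbx from a hash source. As an added example (not the PR's gen-sbvar.py, whose code is not shown on this page), the following Python packs and strictly parses the UEFI `EFI_SIGNATURE_LIST` layout that KEK, db and dbx contents use. The owner GUID, hashes and certificate bytes are constructed placeholders.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, entry size.
HEADER = struct.Struct("<16sIII")
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID


def build_esl(sig_type, owner, payloads):
    """Pack equal-length payloads into one unsigned EFI_SIGNATURE_LIST."""
    if not payloads or len({len(p) for p in payloads}) != 1:
        raise ValueError("a list holds entries of one size only")
    entry_size = 16 + len(payloads[0])  # SignatureOwner GUID + data
    body = b"".join(owner.bytes_le + p for p in payloads)
    size = HEADER.size + len(body)
    return HEADER.pack(sig_type.bytes_le, size, 0, entry_size) + body


def parse_esls(blob):
    """Walk concatenated lists; return (type, owner, data) for each entry."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated list header")
        raw_type, list_size, hdr_size, entry_size = HEADER.unpack_from(blob, off)
        start, end = off + HEADER.size + hdr_size, off + list_size
        if start > end or end > len(blob) or entry_size <= 16:
            raise ValueError("inconsistent list sizes")
        if (end - start) % entry_size:
            raise ValueError("entries do not fill the list")
        for pos in range(start, end, entry_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + entry_size]
            entries.append((uuid.UUID(bytes_le=raw_type), owner, data))
        off = end
    return entries


# Constructed sample input: two fake image hashes and one fake DER blob.
HASHES = [hashlib.sha256(b"revoked-image-%d" % i).digest() for i in range(2)]
FAKE_CERT = b"\x30\x82" + b"\x00" * 30  # placeholder bytes, not a real certificate
DBX = build_esl(EFI_CERT_SHA256_GUID, OWNER, HASHES)
# Certificates differ in length, so each one gets its own list.
DB = b"".join(build_esl(EFI_CERT_X509_GUID, OWNER, [c]) for c in [FAKE_CERT])
```

Running `parse_esls` over a generated blob before packaging it catches size-field mistakes that firmware or a variable store would otherwise reject at enrollment time.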
|
Koji build to v8.3-incoming: https://koji.xcp-ng.org/taskinfo?taskID=90790 |

Changelog:
secureboot-certs retains the option to download the latest dbx.
Work Item Reference
If this change is related to a Vates internal task or issue, please provide a work item reference. Otherwise, leave this blank.
XCPNG-701
Why should this change be accepted as an update to XCP-ng?
Explain the motivation, problem being solved, or benefit to users or maintainers.
Release Notes
Explain the change for users
Write a user-facing explanation which will serve as a basis for public announcements.
Good release notes explain what changes, who is concerned, and how it affects them. It's not a technical changelog.
Do users or support need to be aware of anything specific related to the update?
Any manual steps, changes to default behavior, compatibility issues, etc.
If yes, provide details.
Already detailed at xcp-ng/xcp-ng-org#328
Testing and regression avoidance
What tests have you done?
1. Regarding the change itself.
Tested Secure Boot enabled with propagation; new Server 2022 installed from CD; and Ubuntu Server 24.04.1 booted from CD. TPM measurements of SB variables were dumped and compared after installation/variable update.
2. Regarding potential regressions.
See above.
What tests in current test suites cover this change?
1. Regarding the change itself.
tests/uefi_sb -m windows_vm
tests/uefi_sb -m 'not windows_vm and not hostA2' -k 'not test_vm_import_restores_certs and not test_host_certificates_updated_after_join'
2. Regarding potential regressions.
main-multi-*,sb_*,vtpm
What tests were or will be added to CI for this change? If none, explain why.
1. Regarding the change itself.
xcp-ng/xcp-ng-tests#277
2. To ensure there are no regressions.
None. Since I'm not changing varstored's operation I think current tests are adequate.
What other tests should reviewers or testers perform (after the build)?
1. Regarding the change itself.
See manual tests above (if needed).
2. Regarding potential regressions.
See above.
Documentation
Should existing documentation be updated, or new documentation be added?
If yes, explain what needs to be updated or added, and where. If no, explain why.
xcp-ng/xcp-ng-org#328
Xen Orchestra Impact
Does this affect existing features in Xen Orchestra, or add features that could be useful for Xen Orchestra?
If yes, describe which features and how.
N/A