Conversation

@dinhngtu
Member

@dinhngtu dinhngtu commented Mar 3, 2025

Before submitting the pull request, you must agree with the following statements by checking both boxes with a 'x'.

  • "I accept that my contribution is placed under the CC BY-SA 2.0 license [1]."
  • "My contribution complies with the Developer Certificate of Origin [2]."

[1] https://creativecommons.org/licenses/by-sa/2.0/
[2] https://docs.xcp-ng.org/project/contributing/#developer-certificate-of-origin-dco

@dinhngtu dinhngtu force-pushed the secureboot-changes branch from 8cc41b0 to 3300fd5 on March 13, 2025 11:46
@dinhngtu dinhngtu marked this pull request as ready for review March 13, 2025 11:46
Comment on lines 45 to 51
## 8.3 with varstored >= 1.2.0-2.4

Secure Boot is ready to use without extra configuration. Simply activate Secure Boot on your VMs, and they will be provided with an appropriate set of default Secure Boot variables.

Member

Even with varstored including certs, certs will still need to be manually propagated to existing VMs that are not in setup mode, that is, any VM which already booted once and was not explicitly put in setup mode.

So parts of the Quick start guide below, and of the rest of the guide, still apply.

Member Author

I don't think that should be mentioned here.

@dinhngtu dinhngtu force-pushed the secureboot-changes branch 4 times, most recently from 0a9f2df to b2c9acd on August 7, 2025 10:51
@dinhngtu dinhngtu force-pushed the secureboot-changes branch 2 times, most recently from ed00912 to 0b2a2ea on September 11, 2025 16:32
@dinhngtu
Member Author

  • Emphasized the fact that SB defaults will be automatically kept up-to-date.
  • Emphasized our new recommendation to keep pool variables clear by default.

Member

@stormi stormi left a comment

I want to rework this page to extract old information related to 8.2 and pre-October 2025 updates 8.3, but in case I can't find enough time before the release: let's merge.


* If you haven't used `secureboot-certs install` on your pool, your pool now supports guest Secure Boot by default.
* We now include the 2023 Microsoft KEK certificate for guest-initiated security updates to the db and dbx variables.
* If you have used `secureboot-certs install` on your pool before, install these certificates manually by running this command again.
Member

@stormi stormi Sep 11, 2025

The best way for most users here is to remove the installed certificates to let XAPI use the defaults provided by the RPM. This way, their pool gets new updates in the future. This whole "use system defaults" vs "install certs that stick" question is worth its own section and possibly details in a pool's advanced view about installed certs and whether they come from system or not.

Member

This was a pending comment I apparently never published.

@stormi stormi merged commit aedaf3a into master Oct 20, 2025
1 check passed
@stormi stormi deleted the secureboot-changes branch October 20, 2025 16:39
dinhngtu added a commit that referenced this pull request Oct 23, 2025
The "legacy" page contains the information in this page prior to #328.

The "current" page purges all the information about versions prior to
the guest SB update.

Signed-off-by: Tu Dinh <[email protected]>