Re: secure boot & direct kernel load (was: Re: [PATCH] x86/loader: only patch linux kernels)

2024-04-15 Thread Daniel P. Berrangé
On Mon, Apr 15, 2024 at 03:30:32PM +0200, Gerd Hoffmann wrote: > Hi, > > > > Options I see: > > > > > > (a) Stop using direct kernel boot, let virt-install & other tools > > > create vfat boot media with shim+kernel+initrd instead. > > > > > > (b) Enroll the distro signing keys in

Re: secure boot & direct kernel load (was: Re: [PATCH] x86/loader: only patch linux kernels)

2024-04-15 Thread Gerd Hoffmann
Hi, > > Options I see: > > > > (a) Stop using direct kernel boot, let virt-install & other tools > > create vfat boot media with shim+kernel+initrd instead. > > > > (b) Enroll the distro signing keys in the efi variable store, so > > booting the kernel without shim.efi works.

Re: secure boot & direct kernel load (was: Re: [PATCH] x86/loader: only patch linux kernels)

2024-04-15 Thread Daniel P. Berrangé
On Wed, Apr 10, 2024 at 12:35:13PM +0200, Gerd Hoffmann wrote: > On Wed, Apr 10, 2024 at 03:26:29AM -0400, Michael S. Tsirkin wrote: > > On Wed, Apr 10, 2024 at 09:21:26AM +0200, Gerd Hoffmann wrote: > > > If the binary loaded via -kernel is *not* a linux kernel (in which > > > case protocol ==

Re: secure boot & direct kernel load (was: Re: [PATCH] x86/loader: only patch linux kernels)

2024-04-10 Thread Gerd Hoffmann
> > > Options I see: > > > > > > (a) Stop using direct kernel boot, let virt-install & other tools > > > create vfat boot media with shim+kernel+initrd instead. > > > > > > (b) Enroll the distro signing keys in the efi variable store, so > > > booting the kernel without shim.efi

Re: secure boot & direct kernel load (was: Re: [PATCH] x86/loader: only patch linux kernels)

2024-04-10 Thread Gerd Hoffmann
On Wed, Apr 10, 2024 at 07:10:22AM -0400, Michael S. Tsirkin wrote: > On Wed, Apr 10, 2024 at 12:35:13PM +0200, Gerd Hoffmann wrote: > > On Wed, Apr 10, 2024 at 03:26:29AM -0400, Michael S. Tsirkin wrote: > > > On Wed, Apr 10, 2024 at 09:21:26AM +0200, Gerd Hoffmann wrote: > > > > If the binary

Re: secure boot & direct kernel load (was: Re: [PATCH] x86/loader: only patch linux kernels)

2024-04-10 Thread Michael S. Tsirkin
On Wed, Apr 10, 2024 at 12:35:13PM +0200, Gerd Hoffmann wrote: > On Wed, Apr 10, 2024 at 03:26:29AM -0400, Michael S. Tsirkin wrote: > > On Wed, Apr 10, 2024 at 09:21:26AM +0200, Gerd Hoffmann wrote: > > > If the binary loaded via -kernel is *not* a linux kernel (in which > > > case protocol ==

secure boot & direct kernel load (was: Re: [PATCH] x86/loader: only patch linux kernels)

2024-04-10 Thread Gerd Hoffmann
On Wed, Apr 10, 2024 at 03:26:29AM -0400, Michael S. Tsirkin wrote: > On Wed, Apr 10, 2024 at 09:21:26AM +0200, Gerd Hoffmann wrote: > > If the binary loaded via -kernel is *not* a linux kernel (in which > > case protocol == 0), do not patch the linux kernel header fields. > > > > It's (a)

Re: [PATCH] x86/loader: only patch linux kernels

2024-04-10 Thread Michael S. Tsirkin
On Wed, Apr 10, 2024 at 09:21:26AM +0200, Gerd Hoffmann wrote: > If the binary loaded via -kernel is *not* a linux kernel (in which > case protocol == 0), do not patch the linux kernel header fields. > > It's (a) pointless and (b) might break binaries by random patching > and (c) changes the

[PATCH] x86/loader: only patch linux kernels

2024-04-10 Thread Gerd Hoffmann
If the binary loaded via -kernel is *not* a linux kernel (in which case protocol == 0), do not patch the linux kernel header fields. It's (a) pointless and (b) might break binaries by random patching and (c) changes the binary hash which in turn breaks secure boot verification. Background: OVMF
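The check the patch describes, as an added example in C that is not QEMU's code: it reads the boot-protocol version from the setup header (offsets from the Linux x86 boot protocol documentation), patches the loader-owned fields only when the image really is a Linux kernel, and uses a stand-in hash (FNV-1a, not the Authenticode digest a Secure Boot verifier actually computes) to show that a non-Linux image passes through byte-for-byte unchanged. The bzImage-shaped and PE-shaped sample buffers, the command-line address and the set of fields patched are constructed for this example.

```c
/* Added example, not QEMU's code: patch the Linux setup header only when the
 * image is a Linux kernel (protocol != 0). Offsets follow the Linux x86 boot
 * protocol; sample images and the FNV-1a hash stand-in are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HDR_BOOT_FLAG_OFF     0x1FE   /* 0xAA55 */
#define HDR_MAGIC_OFF         0x202   /* "HdrS" */
#define HDR_VERSION_OFF       0x206   /* u16 LE, e.g. 0x020C for protocol 2.12 */
#define HDR_TYPE_OF_LOADER    0x210
#define HDR_LOADFLAGS         0x211
#define HDR_CMDLINE_PTR       0x228   /* u32 LE, protocol >= 2.02 */
#define LOADFLAG_CAN_USE_HEAP 0x80
#define IMG_LEN               0x400   /* enough to hold the whole setup header */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Boot-protocol version of the image, or 0 when it is not a Linux kernel
 * (too short, or no "HdrS" magic): the protocol == 0 case from the patch. */
uint16_t linux_boot_protocol(const uint8_t *img, size_t len)
{
    if (len < HDR_VERSION_OFF + 2) return 0;
    if (memcmp(img + HDR_MAGIC_OFF, "HdrS", 4) != 0) return 0;
    return rd16(img + HDR_VERSION_OFF);
}

/* Fill in the fields a loader owns. Returns 1 if the image was modified,
 * 0 if it was left untouched. */
int patch_linux_header(uint8_t *img, size_t len, uint32_t cmdline_addr)
{
    uint16_t protocol = linux_boot_protocol(img, len);
    if (protocol == 0 || len < HDR_CMDLINE_PTR + 4)
        return 0;                      /* not a Linux kernel: never write into it */
    img[HDR_TYPE_OF_LOADER] = 0xB0;    /* loader id the boot protocol assigns to QEMU */
    if (protocol >= 0x0201)
        img[HDR_LOADFLAGS] |= LOADFLAG_CAN_USE_HEAP;
    if (protocol >= 0x0202)
        wr32(img + HDR_CMDLINE_PTR, cmdline_addr);
    return 1;
}

/* Stand-in for the digest a Secure Boot verifier computes over the binary;
 * any byte change flips it, which is the point the commit message makes. */
uint32_t fnv1a32(const uint8_t *p, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Constructed sample: a bzImage-shaped header announcing protocol 2.12. */
static void make_linux_image(uint8_t *img)
{
    memset(img, 0, IMG_LEN);
    img[HDR_BOOT_FLAG_OFF] = 0x55; img[HDR_BOOT_FLAG_OFF + 1] = 0xAA;
    memcpy(img + HDR_MAGIC_OFF, "HdrS", 4);
    img[HDR_VERSION_OFF] = 0x0C; img[HDR_VERSION_OFF + 1] = 0x02;
}

/* Constructed sample: a PE-shaped blob (say a shim or other UEFI app), no HdrS. */
static void make_pe_image(uint8_t *img)
{
    memset(img, 0, IMG_LEN);
    img[0] = 'M'; img[1] = 'Z';
    memcpy(img + 0x80, "PE\0\0", 4);
}

uint16_t demo_protocol_of_linux_image(void)
{
    uint8_t img[IMG_LEN];
    make_linux_image(img);
    return linux_boot_protocol(img, IMG_LEN);
}

/* 1 when the Linux image got patched and its hash changed as a result. */
int demo_linux_image_patched(void)
{
    uint8_t img[IMG_LEN];
    make_linux_image(img);
    uint32_t before = fnv1a32(img, IMG_LEN);
    int patched = patch_linux_header(img, IMG_LEN, 0x20000);
    return patched && img[HDR_TYPE_OF_LOADER] == 0xB0
        && (img[HDR_LOADFLAGS] & LOADFLAG_CAN_USE_HEAP) != 0
        && rd32(img + HDR_CMDLINE_PTR) == 0x20000
        && fnv1a32(img, IMG_LEN) != before;
}

/* 1 when the non-Linux image is left alone and its hash survives intact. */
int demo_pe_image_untouched(void)
{
    uint8_t img[IMG_LEN];
    make_pe_image(img);
    uint32_t before = fnv1a32(img, IMG_LEN);
    int patched = patch_linux_header(img, IMG_LEN, 0x20000);
    return !patched && linux_boot_protocol(img, IMG_LEN) == 0
        && fnv1a32(img, IMG_LEN) == before;
}
```

The length guard in linux_boot_protocol matters as much as the magic check: a short or non-Linux blob must neither be read past its end nor written to, since any write is what changes the digest the firmware later verifies.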