On Mon, Jun 02, 2025 at 02:36:34PM +0100, Ross Lagerwall wrote:
> From: Kevin Lampis <kevin.lam...@cloud.com>
> 
> Make it possible to embed a public key in Xen to be used when verifying
> live patch payloads. Inclusion of the public key is optional.
> 
> To avoid needing to include a DER / X.509 parser in the hypervisor, the
> public key is unpacked at build time and included in a form that is
> convenient for the hypervisor to consume. This is a different approach
> from that used by Linux, which embeds the entire X.509 certificate and
> builds in a parser for it.
> 
> A suitable key can be created using openssl:
> 
> openssl req -x509 -newkey rsa:2048 -keyout priv.pem -out pub.pem \
>     -sha256 -days 3650 -nodes \
>     -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
> openssl x509 -inform PEM -in pub.pem -outform PEM -pubkey -nocert -out verify_key.pem
> 
> Signed-off-by: Kevin Lampis <kevin.lam...@cloud.com>
> Signed-off-by: Ross Lagerwall <ross.lagerw...@citrix.com>
> ---
> 
> In v3:
> 
> * Drop unnecessary condition in Makefile
> * Use dashes instead of underscores
> * Drop section placement annotation on declaration
> * Clarify endianness of embedded key
> 
>  xen/common/Kconfig          | 18 +++++++++++++++++
>  xen/crypto/Makefile         | 11 ++++++++++
>  xen/include/xen/livepatch.h |  5 +++++
>  xen/tools/extract-key.py    | 40 +++++++++++++++++++++++++++++++++++++
>  4 files changed, 74 insertions(+)
>  create mode 100755 xen/tools/extract-key.py
> 
> diff --git a/xen/common/Kconfig b/xen/common/Kconfig
> index 0951d4c2f286..74673078202a 100644
> --- a/xen/common/Kconfig
> +++ b/xen/common/Kconfig
> @@ -472,6 +472,24 @@ config LIVEPATCH > > If unsure, say Y. > > +config PAYLOAD_VERIFY > + bool "Verify signed LivePatch payloads" > + depends on LIVEPATCH > + select CRYPTO > + help > + Verify signed LivePatch payloads using an RSA public key built > + into the Xen hypervisor. Selecting this option requires a > + public key in PEM format to be available for embedding during > + the build. > + > +config PAYLOAD_VERIFY_KEY > + string "File name of public key used to verify payloads" > + default "verify_key.pem" > + depends on PAYLOAD_VERIFY > + help > + The file name of an RSA public key in PEM format to be used for > + verifying signed LivePatch payloads.
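Review bot: the help text of PAYLOAD_VERIFY_KEY does not say where a relative file name such as the default "verify_key.pem" is resolved (source tree, build directory or the shell's working directory), nor that the file must be the bare public key block that the `openssl x509 ... -pubkey -nocert` step in the description produces rather than the certificate in pub.pem; both belong in the help text, because a wrong or missing file is only noticed when the build fails. Since PAYLOAD_VERIFY has no dependency beyond LIVEPATCH, any configuration that turns it on without a key file in place (randconfig included) will fail to build, so either the Makefile should fail with an explicit message naming the expected path, or the option should be guarded so it cannot be selected blindly.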
I think this is likely to break the randconfig testing that we do in
Gitlab CI, as randconfig could select PAYLOAD_VERIFY, but there will be
no key included, and hence the build will fail?

Ideally Gitlab CI would need to be adjusted to provide such a key so the
build doesn't fail. I think it could be provided unconditionally to
simplify the logic; if the option is not selected the file will simply
be ignored.

Thanks, Roger.
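The build-time key extraction that the patch description sketches (PEM SubjectPublicKeyInfo in, big-endian modulus and exponent out, so the hypervisor carries no DER parser), as an added Python example; it is not the patch's extract-key.py, and the output symbol names, the header layout and the dummy 2048-bit modulus are assumptions. It also rejects a PEM that is not an rsaEncryption key, the kind of input check a build step that embeds a trust root should make.

```python
"""Build-time RSA public key extraction, as the patch description sketches: PEM
SubjectPublicKeyInfo in, big-endian modulus/exponent C arrays out, no DER parser in Xen."""
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq, pos=0):
    """Yield the (tag, value) pairs inside a constructed DER value."""
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        yield tag, val

def extract_rsa_key(pem):
    """Return (modulus, exponent) as ints from a PEM 'PUBLIC KEY' block."""
    tag, spki, _ = _tlv(base64.b64decode(pem.split("-----")[2]))
    (alg_tag, alg), (bs_tag, bitstr) = _children(spki)
    if (tag, alg_tag, bs_tag) != (0x30, 0x30, 0x03) or next(_children(alg)) != (0x06, RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, rsapub, _ = _tlv(bitstr[1:])  # skip the BIT STRING unused-bits byte
    n, e = (int.from_bytes(v, "big") for t, v in _children(rsapub) if t == 0x02)
    return n, e

def to_c_header(n, e, name="payload_verify_key"):
    """Emit the modulus as a big-endian byte array and the exponent as an integer."""
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = ", ".join(f"0x{b:02x}" for b in nb)
    return (f"/* generated at build time; modulus bytes are big-endian */\n"
            f"static const unsigned char {name}_n[{len(nb)}] = {{ {body} }};\n"
            f"static const unsigned long {name}_e = {e};\n")

# Constructed sample input: a valid SPKI shape around a dummy modulus, NOT a real key.
def der_encode(tag, content):
    lb = b"" if len(content) < 0x80 else len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, len(lb) | 0x80 if lb else len(content)]) + lb + content

def der_int(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return der_encode(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

SAMPLE_N, SAMPLE_E = (1 << 2047) | 0xDEADBEEF0001, 65537
def sample_pem():
    rsapub = der_encode(0x30, der_int(SAMPLE_N) + der_int(SAMPLE_E))
    alg = der_encode(0x30, der_encode(0x06, RSA_OID) + der_encode(0x05, b""))
    der = der_encode(0x30, alg + der_encode(0x03, b"\x00" + rsapub))
    return f"-----BEGIN PUBLIC KEY-----\n{base64.encodebytes(der).decode()}-----END PUBLIC KEY-----\n"
```

A real verify_key.pem from the `openssl x509 -pubkey -nocert` step in the description parses the same way: the `-----BEGIN PUBLIC KEY-----` block is what the parser expects, not the certificate in pub.pem.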