On Wed, 11 Jul 2012, Dario Faggioli wrote:

On Thu, 2012-07-05 at 11:04 -0400, Konrad Rzeszutek Wilk wrote:
Ok, so, should we be concerned? Is there something we can/should do
about that? How do you think we can help in having xen being considered?

First the Linux kernel running under EFI has to actually boot (with Xen
hypervisor).  It doesn't do that yet and the upstream kernel would
need patches for that.

Yes, I can imagine there are technical challenges and open issues, but
(although, of course, I might be wrong), that is not what scares me
most... I really think there are good enough "brains" working on
them! :-)

What I wanted to know here is whether or not there already are plans to
include the xen binaries in that signing game, so that Fedora users can
still `yum install xen -- reboot --start playing' as it is happening
now, and, more important, if that is not the case what we can do to help
this.

Is the fact that Fedora release guidelines include Xen _guest_ support
but not full _host_ functionalities going to be an issue if/when we
decide to try influencing this
http://fedoraproject.org/wiki/Features/SecureBoot ?

In terms of getting xen into the Fedora signing game we would either need to get the people behind the SecureBoot feature to add xen or submit our own feature to add that functionality (I haven't contacted them but I guess they would prefer the latter).

With regard to technical challenges, I wonder what, if any, signature checking xen itself would need to do (for example, would it check the signature on the dom0 kernel, or would grub2 do that?), because part of the securing process would be to ensure that xen itself didn't leave open doors to break into the secure system. Also there is the question of drivers, as I gather they need to be signed to talk to BIOS devices, which may simply be a pass-through of the dom0 kernel's signed drivers or might be more complicated.

        Michael Young
--
xen mailing list
xen@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/xen
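The question raised above, which link in the chain verifies the dom0 kernel, comes down to whether each loader applies the same UEFI db/dbx check to what it loads. The following is an added model of that check, written for this thread; it is not Xen, shim, GRUB or Fedora code and does not describe what any of them actually implements. It encodes and parses the EFI_SIGNATURE_LIST layout that the db (allow) and dbx (deny) variables use, with the EFI_CERT_SHA256 type GUID from the UEFI specification, and walks a boot chain where every hop must pass. The images, owner GUID and database contents are constructed stand-ins, and the model hashes raw image bytes where real Secure Boot hashes the PE Authenticode digest.

```python
"""Model of the UEFI Secure Boot allow/deny-list check (db / dbx), added as an
illustration for this thread; it is not Xen, shim or GRUB code.  Assumed
design: whichever component loads the next stage (firmware -> shim/GRUB ->
xen -> dom0 kernel) applies this same check to what it loads; a hop that
skips it is the "open door" the thread worries about.  Real db/dbx entries
hold SHA-256 Authenticode digests or X.509 certificates; this model hashes
the raw image bytes for simplicity."""
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType values).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner for the constructed entries (hypothetical value).
OWNER = uuid.UUID("00000000-0000-0000-0000-00000000dead")


def build_sha256_list(hashes, owner=OWNER):
    """Encode an EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries.

    Layout: SignatureType GUID (16 bytes, mixed-endian), SignatureListSize
    (u32), SignatureHeaderSize (u32), SignatureSize (u32), then entries of
    SignatureSize bytes each = SignatureOwner GUID (16) + 32-byte digest.
    """
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    list_size = 16 + 4 + 4 + 4 + len(body)
    return (EFI_CERT_SHA256_GUID.bytes_le
            + struct.pack("<III", list_size, 0, sig_size) + body)


def parse_signature_database(blob):
    """Yield (signature_type, owner, data) for every entry in a concatenation
    of EFI_SIGNATURE_LISTs, which is how the db/dbx variables are stored."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size <= 16:
            raise ValueError("SignatureSize too small to hold an owner GUID")
        pos = off + 28 + hdr_size
        end = off + list_size
        if (end - pos) % sig_size:
            raise ValueError("entries do not fill the list exactly")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def image_digest(image):
    return hashlib.sha256(image).digest()


def policy_allows(image, db, dbx):
    """dbx (deny) wins over db (allow); anything absent from db is denied."""
    h = image_digest(image)
    for sig_type, _owner, data in parse_signature_database(dbx):
        if sig_type == EFI_CERT_SHA256_GUID and data == h:
            return False
    for sig_type, _owner, data in parse_signature_database(db):
        if sig_type == EFI_CERT_SHA256_GUID and data == h:
            return True
    return False


# Constructed stand-ins for the binaries in the chain (not real images).
XEN_IMAGE = b"xen.efi (constructed)"
DOM0_KERNEL = b"vmlinuz dom0 (constructed)"
REVOKED_KERNEL = b"vmlinuz old, revoked (constructed)"

# Constructed db: the distro allow-listed xen and both kernels.  Constructed
# dbx: the old kernel was revoked, so it is denied although still in db.
DB = build_sha256_list([image_digest(XEN_IMAGE), image_digest(DOM0_KERNEL),
                        image_digest(REVOKED_KERNEL)])
DBX = build_sha256_list([image_digest(REVOKED_KERNEL)])


def boot_chain(db, dbx, stages):
    """Return the names of the stages allowed to run, stopping at the first
    rejected one.  Every hop applies the same db/dbx check to the next."""
    booted = []
    for name, image in stages:
        if not policy_allows(image, db, dbx):
            break
        booted.append(name)
    return booted


if __name__ == "__main__":
    print(boot_chain(DB, DBX, [("xen", XEN_IMAGE), ("dom0", DOM0_KERNEL)]))
    print(boot_chain(DB, DBX, [("xen", XEN_IMAGE), ("dom0", REVOKED_KERNEL)]))
```

The point of `boot_chain` is that if the xen stage loaded dom0 without calling `policy_allows`, the second run would report both stages booted even though the kernel is on the deny list; whichever component loads dom0 has to carry the check, and the parser shows the variable format that component would have to read.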