Implement secure boot enforcement #19
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
It's still a draft because we need to test it in situation (with a modified XAPI to set the |
stormi
reviewed
Jul 20, 2023
handler.c
Outdated
| &gEfiGlobalVariableGuid, &data, &data_len); | ||
|
|
||
| if (status != EFI_SUCCESS) | ||
| return false; |
There was a problem hiding this comment.
If we ever enter this condition, it might deserve a specific WARN log.
varstored.c
Outdated
| @@ -532,6 +543,11 @@ varstored_initialize(domid_t domid) | |||
| } | |||
| } | |||
|
|
|||
| if (!check_secure_boot()) { | |||
| ERR("Secure boot is required, but isn't acitvated\n"); | |||
There was a problem hiding this comment.
Typo
Suggested change
| ERR("Secure boot is required, but isn't acitvated\n"); | |
| ERR("Secure boot is required, but isn't activated\n"); |
andSmv
force-pushed
the
secureboot-enforce
branch
from
c0fd5cc
to
748576c
Compare
Depending on a parameter, varstored aborts if secure_boot_enable is activated, but no certificates are present. Signed-off-by: Andrei Semenov <[email protected]>
andSmv
force-pushed
the
secureboot-enforce
branch
from
748576c
to
0cf78a8
Compare
Signed-off-by: Andrei Semenov <[email protected]>
benjamreis
added a commit
to xcp-ng/xen-api
that referenced
this pull request
Jul 25, 2023
This setting will be used by varstored to know wheter to allow the start of a VM that has no certificates when secureboot is enabled. Default: false to keep the previous behavior. See: xapi-project/varstored#19 Signed-off-by: BenjiReis <[email protected]>
benjamreis
added a commit
to xcp-ng/xen-api
that referenced
this pull request
Jul 25, 2023
This setting will be used by varstored to know wheter to allow the start of a VM that has no certificates when secureboot is enabled by writing in the xenstore in `/local/domain/<domid>/platform/secureboot-enforce`. Default: false to keep the previous behavior. See: xapi-project/varstored#19 Signed-off-by: BenjiReis <[email protected]>
benjamreis
added a commit
to xcp-ng/xen-api
that referenced
this pull request
Jul 25, 2023
This setting will be used by varstored to know wheter to allow the start of a VM that has no certificates when secureboot is enabled by writing in the xenstore in `/local/domain/<domid>/platform/secureboot-enforce`. Default: false to keep the previous behavior. See: xapi-project/varstored#19 Signed-off-by: BenjiReis <[email protected]>
benjamreis
added a commit
to xcp-ng/xen-api
that referenced
this pull request
Jul 25, 2023
This setting will be used by varstored to know wheter to allow the start of a VM that has no certificates when secureboot is enabled by writing in the xenstore in `/local/domain/<domid>/platform/secureboot-enforce`. Default: false to keep the previous behavior. See: xapi-project/varstored#19 Signed-off-by: BenjiReis <[email protected]>
benjamreis
added a commit
to xcp-ng/xen-api
that referenced
this pull request
Jul 27, 2023
This setting will be used by varstored to know wheter to allow the start of a VM that has no certificates when secureboot is enabled by writing in the xenstore in `/local/domain/<domid>/platform/secureboot-enforce`. Default: false to keep the previous behavior. See: xapi-project/varstored#19 Signed-off-by: BenjiReis <[email protected]>
benjamreis
added a commit
to xcp-ng/xen-api
that referenced
this pull request
Jul 27, 2023
This setting will be used by varstored to know wheter to allow the start of a VM that has no certificates when secureboot is enabled by writing in the xenstore in `/local/domain/<domid>/platform/secureboot-enforce`. Default: false to keep the previous behavior. See: xapi-project/varstored#19 Signed-off-by: BenjiReis <[email protected]>
benjamreis
added a commit
to xcp-ng/xen-api
that referenced
this pull request
Jul 27, 2023
This setting will be used by varstored to know wheter to allow the start of a VM that has no certificates when secureboot is enabled by writing in the xenstore in `/local/domain/<domid>/platform/secureboot-enforce`. Default: false to keep the previous behavior. See: xapi-project/varstored#19 Signed-off-by: BenjiReis <[email protected]>
|
Closing. See #16 (comment). |
|
Finally, we don't need to change anymore varstored behaviour |
|
Reopening following the reopening of #16 |
|
Looks like I can't reopen it. We'll create another. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Depending on a parameter, varstored aborts if secure_boot_enable is activated, but no certificates are present.
This behavior was discussed in [https://github.com//issues/16]