[PATCH 0/4] LivePatch signing support

Ross Lagerwall posted 4 patches 7 months, 2 weeks ago
Patches applied successfully
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/20250506143218.1782603-1-ross.lagerwall@citrix.com
There is a newer version of this series
[PATCH 0/4] LivePatch signing support
Posted by Ross Lagerwall 7 months, 2 weeks ago
Live patch signing support was mentioned as future work in the design
document several years ago. This series finally implements support for
it since it is a requirement of Secure Boot to prevent loading unsigned
code into Xen.

Note that this series depends on another patch that has not yet been
merged:
xen/lib: Export additional sha256 functions
https://lists.xenproject.org/archives/html/xen-devel/2025-05/msg00222.html

Jennifer Herbert (1):
  livepatch: Verify livepatch signatures

Kevin Lampis (1):
  livepatch: Embed public key in Xen

Ross Lagerwall (2):
  docs: Introduce live patch signing
  crypto: Add RSA support

 docs/misc/livepatch.pandoc      |  104 +-
 xen/common/Kconfig              |   18 +
 xen/common/Makefile             |    1 +
 xen/common/livepatch.c          |  175 ++++
 xen/common/livepatch_elf.c      |   55 +
 xen/common/mpi.c                | 1724 +++++++++++++++++++++++++++++++
 xen/crypto/Makefile             |   13 +
 xen/crypto/rsa.c                |  194 ++++
 xen/include/xen/livepatch.h     |    5 +
 xen/include/xen/livepatch_elf.h |   18 +
 xen/include/xen/mpi.h           |   63 ++
 xen/include/xen/rsa.h           |   72 ++
 xen/tools/extract-key.py        |   37 +
 13 files changed, 2427 insertions(+), 52 deletions(-)
 create mode 100644 xen/common/mpi.c
 create mode 100644 xen/crypto/rsa.c
 create mode 100644 xen/include/xen/mpi.h
 create mode 100644 xen/include/xen/rsa.h
 create mode 100755 xen/tools/extract-key.py

-- 
2.49.0
Re: [PATCH 0/4] LivePatch signing support
Posted by Marek Marczykowski-Górecki 7 months, 2 weeks ago
On Tue, May 06, 2025 at 03:32:12PM +0100, Ross Lagerwall wrote:
> Live patch signing support was mentioned as future work in the design
> document several years ago. This series finally implements support for
> it since it is a requirement of Secure Boot to prevent loading unsigned
> code into Xen.
> 
> Note that this series depends on another patch that has not yet been
> merged:
> xen/lib: Export additional sha256 functions
> https://lists.xenproject.org/archives/html/xen-devel/2025-05/msg00222.html
> 
> Jennifer Herbert (1):
>   livepatch: Verify livepatch signatures
> 
> Kevin Lampis (1):
>   livepatch: Embed public key in Xen
> 
> Ross Lagerwall (2):
>   docs: Introduce live patch signing
>   crypto: Add RSA support

Patches 1 and 4 seem to be lost...

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
Re: [PATCH 0/4] LivePatch signing support
Posted by Andrew Cooper 7 months, 2 weeks ago
On 06/05/2025 6:15 pm, Marek Marczykowski-Górecki wrote:
> On Tue, May 06, 2025 at 03:32:12PM +0100, Ross Lagerwall wrote:
>> Live patch signing support was mentioned as future work in the design
>> document several years ago. This series finally implements support for
>> it since it is a requirement of Secure Boot to prevent loading unsigned
>> code into Xen.
>>
>> Note that this series depends on another patch that has not yet been
>> merged:
>> xen/lib: Export additional sha256 functions
>> https://lists.xenproject.org/archives/html/xen-devel/2025-05/msg00222.html
>>
>> Jennifer Herbert (1):
>>   livepatch: Verify livepatch signatures
>>
>> Kevin Lampis (1):
>>   livepatch: Embed public key in Xen
>>
>> Ross Lagerwall (2):
>>   docs: Introduce live patch signing
>>   crypto: Add RSA support
> Patches 1 and 4 seems to be lost...

Yes, we're working on that.  (Corporate email fun)

~Andrew