[PATCH v2] xen/efi: Do not check kernel signature if it was embedded

Frediano Ziglio posted 1 patch 4 months, 1 week ago
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/20250620082607.46568-1-frediano.ziglio@cloud.com
Posted by Frediano Ziglio 4 months, 1 week ago
Using UKI it's possible to embed the Linux kernel into the xen.efi file.
In this case the signature for Secure Boot is applied to the
whole xen.efi, including the kernel.
So checking for a specific signature for the kernel is not
needed.

Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
---
Changes since v1:
- updated commit message and code comment;
- renamed kernel_was_verified to kernel_verified.
---
 xen/common/efi/boot.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
index e39fbc3529..fb3b120982 100644
--- a/xen/common/efi/boot.c
+++ b/xen/common/efi/boot.c
@@ -1291,6 +1291,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle,
     bool base_video = false;
     const char *option_str;
     bool use_cfg_file;
+    bool kernel_verified = false;
     int dt_modules_found;
 
     __set_bit(EFI_BOOT, &efi_flags);
@@ -1461,6 +1462,11 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle,
             read_file(dir_handle, s2w(&name), &kernel, option_str);
             efi_bs->FreePool(name.w);
         }
+        else
+        {
+            /* Kernel was embedded so Xen signature includes it. */
+            kernel_verified = true;
+        }
 
         if ( !read_section(loaded_image, L"ramdisk", &ramdisk, NULL) )
         {
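Review bot: the new `else` branch marks the kernel as verified solely because it did not come through `read_file(dir_handle, s2w(&name), &kernel, option_str)`, and the `if` that this `else` pairs with lies outside the hunk's context, so the diff alone does not show that the only remaining path is a successful read of a section inside the signed xen.efi image. Widening the context to include that condition, or setting `kernel_verified = true` right where the section read succeeds, would make the trust decision visible at the point it is made. The comment `/* Kernel was embedded so Xen signature includes it. */` would also be clearer if it stated the assumption it relies on, e.g. "Kernel came from a section of xen.efi, so the Secure Boot signature on xen.efi already covers it.", so that any future source of a kernel that is not part of the signed image is not silently treated as verified.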
@@ -1534,6 +1540,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle,
      * verify it.
      */
     if ( kernel.ptr &&
+         !kernel_verified &&
          !EFI_ERROR(efi_bs->LocateProtocol(&shim_lock_guid, NULL,
                                            (void **)&shim_lock)) &&
          (status = shim_lock->Verify(kernel.ptr, kernel.size)) != EFI_SUCCESS )
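Review bot: the comment block ending in ` * verify it.` directly above this condition still describes the pre-patch rule; with `!kernel_verified &&` inserted it should say that an embedded kernel is skipped here because the image signature already covers it, otherwise the next reader has to reconstruct that from the flag name. Also, the new term short-circuits before `efi_bs->LocateProtocol(&shim_lock_guid, ...)` and `shim_lock->Verify(kernel.ptr, kernel.size)` run, so `status` is never assigned on the embedded path; worth confirming that nothing after this block reads `status` expecting it to reflect a verification result.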
-- 
2.43.0
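The patch rests on one property stated in the commit message: the kernel embedded in xen.efi is inside the bytes that the Secure Boot (Authenticode) signature on xen.efi hashes. The following Python script is an added example written for this thread, not code from the patch or from the Xen tree. It parses a PE32/PE32+ image, looks up the section holding the kernel (the section name "kernel" is an assumption; the diff only shows the L"ramdisk" section name) and classifies it: "covered" when the section's raw data exists, is fully present in the file and does not overlap the attribute certificate table that Authenticode leaves out of the hash; "absent" when nothing is embedded and a loader would have to fetch and verify the kernel separately, as the pre-patch shim path does; and the failure cases otherwise. The `build_image` helper fabricates a minimal synthetic PE32+ file so the check runs offline; it is constructed test input, not a real xen.efi.

```python
"""Check whether the kernel embedded in an EFI PE image sits inside the bytes
an Authenticode signature hashes.  Example written for this review thread, not
code from the Xen patch or the Xen tree; the "kernel" section name is an
assumption, and build_image() fabricates a synthetic PE file for offline use."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory slot of the certificate table
FILE_ALIGN = 0x200


def parse_pe(data: bytes) -> dict:
    """Return the section table and the certificate-table file range of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:        # PE32+: data directories start 112 bytes into the optional header
        dd_off = opt + 112
    elif magic == 0x10B:      # PE32: they start at 96
        dd_off = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    table = opt + size_opt
    for i in range(nsections):
        entry = table + 40 * i
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_off = struct.unpack_from("<IIII", data, entry + 8)
        sections.append({"name": name, "raw_off": raw_off, "raw_size": raw_size})
    return {"sections": sections, "cert_off": cert_off, "cert_size": cert_size}


def embedded_kernel_status(data: bytes, name: str = "kernel") -> str:
    """Classify the embedded kernel section of an image.

    "covered" means the section's raw bytes are part of what the image signature
    hashes; every other result is a case a loader must not treat as verified."""
    pe = parse_pe(data)
    sec = next((s for s in pe["sections"] if s["name"] == name), None)
    if sec is None:
        return "absent"            # not embedded: the kernel has to be loaded and verified separately
    if pe["cert_size"] == 0:
        return "unsigned-image"    # no signature at all, so nothing covers the section
    start, end = sec["raw_off"], sec["raw_off"] + sec["raw_size"]
    if end > len(data):
        return "truncated"         # header claims bytes the file does not contain
    cert_start, cert_end = pe["cert_off"], pe["cert_off"] + pe["cert_size"]
    if start < cert_end and cert_start < end:
        return "overlaps-certificate-table"   # Authenticode excludes the cert table from the hash
    return "covered"


def build_image(sections, cert_size=0, cert_off=None) -> bytes:
    """Assemble a minimal synthetic PE32+ file (constructed test input, not a real
    xen.efi): the given (name, payload) sections followed by an optional zero-filled
    certificate table. cert_off overrides the directory entry to simulate a bad header."""
    nsec = len(sections)
    size_opt = 112 + 16 * 8                     # PE32+ fixed part plus 16 data directories
    headers_end = -(-(0x40 + 4 + 20 + size_opt + 40 * nsec) // FILE_ALIGN) * FILE_ALIGN
    section_headers, payload, off = b"", b"", headers_end
    for name, body in sections:
        raw_size = -(-len(body) // FILE_ALIGN) * FILE_ALIGN
        section_headers += struct.pack("<8sIIII", name.encode()[:8].ljust(8, b"\0"),
                                       len(body), off, raw_size, off) + b"\0" * 16
        payload += body.ljust(raw_size, b"\0")
        off += raw_size
    if cert_size and cert_off is None:
        cert_off = off                          # certificate table is appended after the sections
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off or 0, cert_size)
    optional = struct.pack("<H", 0x20B) + b"\0" * 110 + bytes(dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, size_opt, 0x22)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    image = bytes(dos) + b"PE\0\0" + coff + optional + section_headers
    return image.ljust(headers_end, b"\0") + payload + b"\0" * cert_size


if __name__ == "__main__":
    good = build_image([(".text", b"\x90" * 16), ("kernel", b"K" * 4096)], cert_size=1024)
    print(embedded_kernel_status(good))
    print(embedded_kernel_status(build_image([(".text", b"\x90" * 16)], cert_size=1024)))
```

Run against a real image, `embedded_kernel_status(open("xen.efi", "rb").read())` is the check: only "covered" justifies skipping a separate kernel signature check the way the patch does, and "absent" is exactly the situation in which the existing `shim_lock->Verify` path must still run. The script deliberately does not verify the signature itself; it answers the narrower question of whether the embedded section is inside what that signature protects.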
Re: [PATCH v2] xen/efi: Do not check kernel signature if it was embedded
Posted by Marek Marczykowski-Górecki 4 months, 1 week ago
On Fri, Jun 20, 2025 at 09:26:05AM +0100, Frediano Ziglio wrote:
> Using UKI it's possible to embed the Linux kernel into the xen.efi file.
> In this case the signature for Secure Boot is applied to the
> whole xen.efi, including the kernel.
> So checking for a specific signature for the kernel is not
> needed.
> 
> Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>

Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>

> ---
> Changes since v1:
> - updated commit message and code comment;
> - renamed kernel_was_verified to kernel_verified.
> ---
>  xen/common/efi/boot.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
> index e39fbc3529..fb3b120982 100644
> --- a/xen/common/efi/boot.c
> +++ b/xen/common/efi/boot.c
> @@ -1291,6 +1291,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle,
>      bool base_video = false;
>      const char *option_str;
>      bool use_cfg_file;
> +    bool kernel_verified = false;
>      int dt_modules_found;
>  
>      __set_bit(EFI_BOOT, &efi_flags);
> @@ -1461,6 +1462,11 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle,
>              read_file(dir_handle, s2w(&name), &kernel, option_str);
>              efi_bs->FreePool(name.w);
>          }
> +        else
> +        {
> +            /* Kernel was embedded so Xen signature includes it. */
> +            kernel_verified = true;
> +        }
>  
>          if ( !read_section(loaded_image, L"ramdisk", &ramdisk, NULL) )
>          {
> @@ -1534,6 +1540,7 @@ void EFIAPI __init noreturn efi_start(EFI_HANDLE ImageHandle,
>       * verify it.
>       */
>      if ( kernel.ptr &&
> +         !kernel_verified &&
>           !EFI_ERROR(efi_bs->LocateProtocol(&shim_lock_guid, NULL,
>                                             (void **)&shim_lock)) &&
>           (status = shim_lock->Verify(kernel.ptr, kernel.size)) != EFI_SUCCESS )
> -- 
> 2.43.0
> 

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab