[PATCH v2 0/7] x86/kexec: Secure Boot support

Kevin Lampis posted 7 patches 3 days, 14 hours ago
Patches applied successfully
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/20260609154518.779757-1-kevin.lampis@citrix.com
xen/arch/x86/bzimage.c                   |  47 +---
xen/arch/x86/include/asm/bzimage.h       |  44 ++++
xen/arch/x86/include/asm/machine_kexec.h |   2 +-
xen/arch/x86/machine_kexec.c             |   3 +-
xen/arch/x86/x86_64/kexec_reloc.S        |  24 ++
xen/common/kexec.c                       |  42 +++-
xen/common/kimage.c                      | 268 +++++++++++++++++++----
xen/include/public/kexec.h               |  11 +-
xen/include/xen/kimage.h                 |  23 +-
9 files changed, 363 insertions(+), 101 deletions(-)
These changes allow loading and booting an EFI kexec crash kernel.

For this new EFI kexec type, userspace won't provide purgatory code.
Instead, Xen jumps directly to the new kernel.

Signature validation is done by the dom0 kernel. Xen then calculates a
digest for all the segments stored in memory. This digest is verified
again during execution. This digest check obviates the need for Xen to
verify Secure Boot signatures directly.

Link to v1: (I should have changed the title and/or version, sorry)
https://lore.kernel.org/xen-devel/20260602164911.2684471-1-kevin.lampis@citrix.com/

Changes in v2:
- Removed dependency on lockdown mode
- Split work into multiple patches
- Move setup_header to appropriate header file bzimage.h
- Renamed setup_header to less generic name bzimage_header
- I couldn't find a way to use the EFI header instead of setup_header
- Extend digest check to non-EFI crash type
- Do digest check earlier for cleaner failure path
- Print expected vs actual digest on failure
- Swap xen_kexec_segment_t to struct kimage_segment in separate patch
- Plumb boot params into assembly code in separate patch
- Rename rsi parameter to arg
- Remove references to "EFI" in boot params assembly code
- Move %rsi assignment earlier so it is valid for the 32bit path too
- Zero general purpose registers in separate patch
- Zero 32bit version of GPRs for performance and correctness
- Zero GPRs on 32bit kexec path too

Ross Lagerwall (5):
  x86/kexec: add digest checks
  x86/kexec: rename setup_header to bzimage_header
  x86/kexec: add new struct kimage_segment
  x86/kexec: Support non-page-aligned kexec segments
  x86/kexec: Implement new EFI load types

Kevin Lampis (2):
  x86/kexec: Pass boot params directly to new kernel
  x86/kexec: Zero general purpose registers

-- 
2.52.0
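
The load-time digest and execution-time recheck described in the cover letter, as an added illustration that is not code from this series or from Xen. SHA-256, the `Segment` layout and the choice to hash each segment's address and length along with its contents are assumptions made for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass
class Segment:
    dest: int          # destination physical address (hypothetical field)
    data: bytearray    # segment contents held in memory until exec


def image_digest(segments):
    """SHA-256 (assumed algorithm) over address, length and contents."""
    h = hashlib.sha256()
    for seg in segments:
        # Length-prefix each segment so bytes cannot move between
        # neighbouring segments without changing the digest.
        h.update(struct.pack("<QQ", seg.dest, len(seg.data)))
        h.update(bytes(seg.data))
    return h.digest()


class LoadedImage:
    def __init__(self, segments):
        self.segments = segments
        # Recorded once at load time, after the loader vouched for the image.
        self.expected = image_digest(segments)

    def verify_before_exec(self):
        """Recompute just before the jump; return (ok, message)."""
        actual = image_digest(self.segments)
        if hmac.compare_digest(actual, self.expected):
            return True, "digest ok"
        return False, "digest mismatch: expected %s, actual %s" % (
            self.expected.hex(), actual.hex())


def demo():
    # Constructed sample segments; the second is not page-aligned.
    image = LoadedImage([
        Segment(0x1000000, bytearray(b"\x90" * 4096)),
        Segment(0x1001234, bytearray(b"boot params")),
    ])
    clean = image.verify_before_exec()
    image.segments[0].data[100] ^= 0x01   # single bit flipped after load
    tampered = image.verify_before_exec()
    return clean, tampered
```

Calling `demo()` returns the result of the check on the untouched image followed by the result after one bit of the first segment has changed, with the mismatch message carrying both the expected and the actual digest.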