-
Welcome
-
Subscribe to
EFI + Intel TXT and TPM + Xen/Linux - how to make it work
Session information has not yet been published for this event.
One Line Summary
EFI + Intel TXT and TPM + Xen/Linux - how to make it work
Abstract
After some investigation it looks that EFI
+ tboot + Xen does not work. The problem is that
tboot treats EFI as untrusted stuff and shuts down
all services. However, these services are needed
to boot Xen properly. So, this tboot behavior
makes it completely unusable with Xen. Linux is
hit by this issue, too. It is less severe because
it boots but due to a lack of EFI runtime services
it is not possible to run e.g. efibootmgr which
manages machine boot config. Hence, this means
that we should hammer out proper approach to that
problem. At the beginning of discussion we should
review EFI infrastructure security. This should
lead to a decision about EFI availability in
measured environments. If yes, then we should
decide what and how should be exposed. It is also
worth considering here solutions providing
functionality similar to tboot, e.g. TrustedGRUB,
EFI TBOOT, etc.
Presentation Materials
slidesSpeaker
-
Biography
Daniel Kiper works as software developer
for Oracle. He is responsible for Xen boot
code development. He also played with GRUB2
and due to that last year he was appointed
as one of the GRUB maintainers. Earlier he
worked on kexec, kdump, makedumpfile, crash
tool and memory hotplug development.