Auth: Add support to make KEK and DB files optional #23
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If the host doesn't have the authentication files correctly configured for secure boot, the VM NVRAM state is always in setup mode and allows the VM to boot even if it has SecureBoot enabled. This change allows varstored and varstore-sb-state to copy only the PK file (which is always present) and switch the VM to user mode. This will prevent the VM to boot if it has SecureBoot enabled, which is fine. Otherwise, the VM is stuck in setup mode allowing it to boot but with SecureBoot disabled, giving a false impression of security. It's opt-out by default so DB and KEK files are set to not required only if the build macro AUTH_ONLY_PK_REQUIRED is defined. Signed-off-by: Thierry Escande <thierry.escande@vates.tech>
This patch allows passing of extra compilation flags from command line using 'make EXTRA_CFLAGS=-DFOO'. Signed-off-by: Thierry Escande <thierry.escande@vates.tech>
|
A bit of context about this PR:
We understand that varstored was intentionnally made not to propagate certs if KEK or db are missing, to please Windows Update who wants to update the dbx and can't if they aren't defined correctly. However, we accept the risk of such issues (and know how to help user fix them now, by helping them install the correct certificates) when varstored will be built with these new optional flags, and prefer this over the false sense of security that setup mode induces. Complementary to this change, we'll enhance XAPI so that clients such as Xen Orchestra can display an accurate status about the VM certs and offer a simple way for users to propagate certs from disk to VM for VMs which have already been booted once. |
tescande
added a commit
to xcp-ng-rpms/varstored
that referenced
this pull request
Apr 17, 2024
This commit adds the patches to support the compilation flag AUTH_ONLY_PK_REQUIRED used to make KEK and DB authentication files optional, making only the PK file required. A pull request on the upstream repository has been submitted [1]. [1] xapi-project/varstored#23 Signed-off-by: Thierry Escande <thierry.escande@vates.tech>
freddy77
approved these changes
May 7, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If the host doesn't have the authentication files correctly configured for secure boot, the VM NVRAM state is always in setup mode and allows the VM to boot even if it has SecureBoot enabled.
This change allows varstored and varstore-sb-state to copy only the PK file (which is always present) and switch the VM to user mode. This will prevent the VM to boot if it has SecureBoot enabled, which is fine. Otherwise, the VM is stuck in setup mode allowing it to boot but with SecureBoot disabled, giving a false impression of security.
It's opt-out by default so DB and KEK files are set to not required only if the build macro AUTH_ONLY_PK_REQUIRED is defined.