Tuesday, July 11, 2017 • 15:20 - 16:05
EFI + Intel TXT and TPM + Xen/Linux: How to Make It Work - Daniel Kiper, Oracle

After some investigation, it looks like EFI + tboot + Xen does not work. The problem is that tboot treats EFI as untrusted and shuts down all of its services. However, these services are needed to boot Xen properly, so this tboot behavior makes it completely unusable with Xen. Linux is hit by this issue, too. There it is less severe, because Linux still boots, but without EFI runtime services it is not possible to run e.g. efibootmgr, which manages the machine's boot configuration. Hence, we should hammer out a proper approach to this problem. At the beginning of the discussion we should review the security of the EFI infrastructure. This should lead to a decision about whether EFI may be available at all in measured environments. If yes, then we should decide what should be exposed and how. It is also worth considering solutions that provide functionality similar to tboot, e.g. TrustedGRUB, EFI TBOOT, etc.
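The symptom described above (Linux booted via EFI, but runtime services withheld, so efibootmgr cannot reach the firmware variables) is visible from userspace in sysfs. The script below is an added example for this page, not code from the talk, tboot, Xen or Linux. It assumes the stock Linux sysfs layout: `/sys/firmware/efi` is present whenever the kernel booted via EFI, and `/sys/firmware/efi/efivars` is present and populated only when variable runtime services are usable and efivarfs is mounted. The root-path parameter lets it run against a constructed tree, which is what the helper at the bottom builds.

```shell
#!/bin/sh
# Added example: classify a Linux system's EFI runtime-service state from sysfs.
# Assumption: stock sysfs layout (/sys/firmware/efi, /sys/firmware/efi/efivars).
# Usage: check_efi_runtime [ROOT]   (ROOT defaults to the live system, i.e. "")

# Exit status:
#   0  EFI boot and efivars populated: runtime services usable (efibootmgr works)
#   1  EFI boot but efivars missing/empty: runtime services not exposed
#   2  no EFI firmware interface: legacy/BIOS boot
check_efi_runtime() {
    root="${1:-}"
    efi_dir="$root/sys/firmware/efi"
    efivars_dir="$efi_dir/efivars"

    if [ ! -d "$efi_dir" ]; then
        echo "legacy/BIOS boot: no EFI firmware interface under $efi_dir"
        return 2
    fi
    # An efivars directory that is absent or empty means the kernel did not get
    # (or was told not to use) EFI variable runtime services, or efivarfs is not
    # mounted. Either way efibootmgr has nothing to talk to.
    if [ ! -d "$efivars_dir" ] || [ -z "$(ls -A "$efivars_dir" 2>/dev/null)" ]; then
        echo "EFI boot, but $efivars_dir is missing or empty: runtime services unavailable"
        return 1
    fi
    echo "EFI boot with populated efivars: runtime services available"
    return 0
}

# Build a constructed sysfs tree reproducing one of the three states so the
# check can be exercised without rebooting. state: bios | noruntime | runtime
make_fake_sysfs() {
    root="$1"; state="$2"
    [ -n "$root" ] || return 1          # never rm -rf an empty path
    rm -rf "$root"; mkdir -p "$root/sys/firmware"
    case "$state" in
        bios) ;;
        noruntime) mkdir -p "$root/sys/firmware/efi" ;;
        runtime)
            mkdir -p "$root/sys/firmware/efi/efivars"
            # Constructed variable name (real ones are Name-GUID).
            : > "$root/sys/firmware/efi/efivars/BootOrder-00000000-0000-0000-0000-000000000000"
            ;;
        *) return 1 ;;
    esac
}

# Report on the live system when sourced or run directly; EFI_ROOT may point at
# a constructed tree instead. Non-zero status is informational here.
check_efi_runtime "${EFI_ROOT:-}" || :
```

A status of 1 is only the symptom. Whether tboot is the cause has to be confirmed from the measured-launch side (for instance with tboot's `txt-stat` log, or by comparing against a boot of the same kernel without tboot), since `efi=noruntime` on the kernel command line or an unmounted efivarfs produce the same picture.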


Daniel Kiper

Software Developer V, Oracle
Daniel Kiper works as a software developer for Oracle. He is responsible for Xen boot code development. He also played with GRUB2 and, because of that, was appointed last year as one of the GRUB maintainers. Earlier he worked on kexec, kdump, makedumpfile, the crash tool and memory hotp...

