[RFC] secure boot: is it necessary to let qemu verify EDK2 efi file


From: Zhangbo (Oscar)
Subject: [RFC] secure boot: is it necessary to let qemu verify EDK2 efi file
Date: Mon, 29 Jun 2020 01:58:38 +0000

Hi all:
    Secure boot for virtual machines NOWADAYS starts from edk2's vBIOS, which 
verifies the guest OS's shim/grub2. Then grub2 verifies the guest OS's kernel.
  From the view of the whole complete trust chain, the GUEST part is 
disconnected from the HOST part, as the verification of vBIOS is missing; that 
is to say, no one verifies the vBIOS image file (QEMU_EFI.fd).
#
#      _________       __________     ___________
#     |         |_____|          |___|           |        HOST part
#     |_RTM_____|     |_BIOS_____|   |_kernel____|
#
#                       __________    ___________
#                      |          |__|           |         GUEST part
#                      |_vBIOS____|  |guest kernel
#
  Thus, we have to verify vBIOS in order to complete the trust chain, 
connecting the host part with the guest part.
  One solution is using IMA to verify the libvirt/qemu binaries and the vBIOS 
image file (QEMU_EFI.fd).
  The other is to let IMA verify libvirt/qemu, but let qemu verify the vBIOS 
image file afterwards.

  Solution 1:
#
#      _________       __________     ___________     __________
#     |         |_____|          |___|           |___|          |
#     |_RTM_____|     |_BIOS_____|   |_kernel____|   |__libvirt_|
#                                          |          __________
#                                          |_________|          |
#                                          |         |__qemu____|
#                                          |
#                                          |          __________
#                                          |_________|          |
#                                                    |_vBIOS____|
#
  Solution 2:
#
#      _________       __________     ___________     __________
#     |         |_____|          |___|           |___|          |
#     |_RTM_____|     |_BIOS_____|   |_kernel____|   |__libvirt_|
#                                          |          __________       __________
#                                          |_________|          |_____|          |
#                                                    |__qemu____|     |_vBIOS____|
#

    Which solution should we choose?
  Solution 1 seems much easier.
  But when we consider TRUST BOOT, in that situation qemu HAS to measure the 
vBIOS image and put the measured value into the vTPM's PCR; that means
  qemu is responsible for measuring the vBIOS during TRUST BOOT, it plays a 
role there.
  So, as long as qemu has to play a role in TRUST BOOT, shall we let qemu play 
a role in SECURE BOOT as well? Using solution 2?

  Or other suggestions? Thanks!
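The distinction the mail draws, between measuring the vBIOS into a vTPM PCR (TRUST BOOT) and refusing to run an unverified vBIOS (SECURE BOOT), is easy to see in a few lines. The following is an added illustration, not code from QEMU, EDK2, IMA or this thread: the firmware bytes are constructed, the function names (measure, pcr_extend, trusted_boot, secure_boot_check, boot_vbios) are my own, and the digest allow-list is a stand-in for the signature checks that real secure boot and IMA appraisal perform.

```python
import hashlib
from typing import Iterable, Set, Tuple

# Constructed stand-ins for firmware images (e.g. a vBIOS such as QEMU_EFI.fd).
# Real images are megabytes; a few bytes are enough to show the mechanics.
GOOD_VBIOS = b"EFI-FIRMWARE-IMAGE-v1" + bytes(range(64))
TAMPERED_VBIOS = GOOD_VBIOS[:-1] + b"\xff"   # one byte changed at the end

HASH = "sha256"
DIGEST_LEN = hashlib.new(HASH).digest_size


def measure(image: bytes) -> bytes:
    """Digest of the whole image. Both trusted boot and secure boot start here."""
    return hashlib.new(HASH, image).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || digest).

    A PCR can only be extended, never written directly, so its final value
    records both the content and the order of everything measured into it.
    """
    if len(pcr) != DIGEST_LEN or len(digest) != DIGEST_LEN:
        raise ValueError("pcr and digest must be %d bytes" % DIGEST_LEN)
    return hashlib.new(HASH, pcr + digest).digest()


def trusted_boot(images: Iterable[bytes]) -> bytes:
    """Trusted-boot role: measure each stage into the PCR and keep going.

    Nothing is refused here; a verifier later compares the final PCR value
    against a known-good value (remote attestation or a sealed secret).
    """
    pcr = bytes(DIGEST_LEN)  # PCRs start at zero on reset
    for image in images:
        pcr = pcr_extend(pcr, measure(image))
    return pcr


def secure_boot_check(image: bytes, allowlist: Set[bytes]) -> bool:
    """Secure-boot role: refuse to run an image that is not trusted.

    Simplification (assumption of this example): real secure boot and IMA
    appraisal verify signatures; a digest allow-list stands in for that here.
    """
    return measure(image) in allowlist


def boot_vbios(image: bytes, allowlist: Set[bytes], pcr: bytes) -> Tuple[bool, bytes]:
    """A loader that does both jobs for the vBIOS (the qemu role in solution 2).

    It measures first and decides second, so even an image that is refused
    leaves its digest in the PCR for a later verifier to see.
    Returns (allowed, new_pcr).
    """
    new_pcr = pcr_extend(pcr, measure(image))
    return secure_boot_check(image, allowlist), new_pcr


if __name__ == "__main__":
    trusted = {measure(GOOD_VBIOS)}
    start = bytes(DIGEST_LEN)
    for name, img in (("good", GOOD_VBIOS), ("tampered", TAMPERED_VBIOS)):
        ok, pcr = boot_vbios(img, trusted, start)
        print(f"{name:8s} allowed={ok} pcr={pcr.hex()[:16]}...")
```

Running the script shows the two roles side by side: the tampered image is refused by the secure-boot check, and it also produces a different PCR value than the good one, which is what a trusted-boot verifier would later notice. The same pcr_extend fold is what the host chain in the diagrams relies on, from RTM through BIOS and kernel down to the component that loads the vBIOS.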