direct kernel load, secure boot and editing igvm files #91

@kraxel

I'm looking into implementing direct linux kernel boot with secure
boot verification in svsm and edk2. The linux kernel will be passed
as UKI (unified kernel image, i.e. efi binary with kernel, initrd and
command line), so the load mechanism will actually support any efi
binary and is not limited to linux kernels.

Creating such an igvm file will be a two-step process. The coconut
svsm build will produce an igvm file with the firmware only. The
linux kernel build process will produce a UKI. Some to-be-written
utility will take the bare igvm and the UKI and combine both into
a combo igvm file.

The utility will also add the secure boot configuration to the igvm,
specifically a 'db' efi signature database, so the guest efi firmware
can verify the efi binary loaded. The database can either carry
certificate(s) if the intention is to allow -- for example -- all
redhat-signed linux kernels, or it can carry authenticode hashes if
the intention is to allow specific efi binaries. The signature
database should be included in the launch measurement.

Suggestions how to implement that best?

Using parameters doesn't look like a good fit, because they are
supposed to be filled by the hypervisor at launch time. We'll need
something similar for the update utility though, so it can figure
out where the firmware expects data (or a pointer to the data) being
placed.
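
For reference, the 'db' payload discussed above is a concatenation of `EFI_SIGNATURE_LIST` structures as defined in the UEFI specification. The following is an added example, not part of the original issue and not svsm or igvm project code: it serializes and parses a db holding SHA-256 hash entries plus one X.509 entry. `OWNER`, the digests and the certificate bytes are constructed placeholders.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # hypothetical owner GUID
HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def make_list(sig_type, entries, owner=OWNER):
    """One EFI_SIGNATURE_LIST; all entries in a list must have the same size."""
    if not entries or len({len(e) for e in entries}) != 1:
        raise ValueError("need one or more equal-sized entries")
    body = b"".join(owner.bytes_le + e for e in entries)
    sig_size = 16 + len(entries[0])  # owner GUID + signature data
    return HDR.pack(sig_type.bytes_le, HDR.size + len(body), 0, sig_size) + body


def parse_db(blob):
    """Walk concatenated lists; return [(type_guid, owner_guid, data), ...]."""
    out, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR.size:
            raise ValueError("truncated list header")
        sig_type, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        start, end = off + HDR.size + hdr_size, off + list_size
        if list_size < HDR.size + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed signature list")
        if (end - start) % sig_size:
            raise ValueError("entries do not fill the list")
        for p in range(start, end, sig_size):
            out.append((uuid.UUID(bytes_le=sig_type),
                        uuid.UUID(bytes_le=blob[p:p + 16]),
                        blob[p + 16:p + sig_size]))
        off = end
    return out


# Constructed sample data. Real hash entries are Authenticode digests of the
# PE image, not a plain hash of the file; these are stand-ins of the same size.
DIGESTS = [hashlib.sha256(n).digest() for n in (b"constructed UKI A", b"constructed UKI B")]
FAKE_CERT = b"\x30\x82" + bytes(60)  # constructed placeholder, not a valid certificate
DB = make_list(EFI_CERT_SHA256_GUID, DIGESTS) + make_list(EFI_CERT_X509_GUID, [FAKE_CERT])

if __name__ == "__main__":
    for sig_type, owner, data in parse_db(DB):
        print(sig_type, owner, len(data), data[:8].hex())
```

Hash entries share one fixed-size list, while each certificate needs its own list because `SignatureSize` applies to every entry in that list.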
