Secureboot support in XenServer and XCP-ng is not as simple as it would seem at first sight. Setting platform.secureboot to True is merely a wish, but depending on the situation, this may end in:
A booted system with Secure Boot enforced, as wanted.
A UEFI shell, because the binaries to boot are not signed with a supported key.
A UEFI shell, because the VM's NVRAM doesn't contain the necessary certificates to verify the signed binaries. This is a common situation on XCP-ng until you install certificates on the pool, and then on all VMs that have already booted at least once.
A booted system with Secure Boot disabled. Yes, no kidding. This happens if the VM is in setup mode, regardless of XAPI's VM parameter. It is not supposed to happen without the user explicitly asking for it, but bugs may happen as we just found out in XCP-ng 8.3, so let's cover this case too.
Other specific situations
Contrary to XCP-ng 8.2, XCP-ng 8.3 will not auto-install the necessary SecureBoot certificates to VMs which have already been booted once without certificates. This could potentially leave many VMs either unbootable, or bootable with SecureBoot actually disabled and thus a false sense of security.
We need to add information about this to Xen Orchestra, to help users understand why a VM won't boot, or why they are warned that SecureBoot is not enabled even though they may think it is. We added new endpoints in XAPI for XCP-ng 8.3 (not in XenServer 8.3, though, because it was released before we could contribute the changes).
We also need to offer them a way to truly enable SecureBoot for their VM.
Specifications
On XCP-ng/XenServer >= 8.3 (we don't cover 8.2 because 1. there are fewer potential issues for users and 2. we won't backport the new API endpoints).
This should be displayed both in the general VM view, because it's an important piece of information, and also below the Secure Boot switch in the Advanced view of the VM, updated whenever someone changes the switch's state.
On the general VM page, this information should be updated whenever the VM changes state.
To determine which case the VM is in, call VM.get_secureboot_readiness (new API being implemented in XCP-ng 8.3):
disabled => A
first_boot => B
ready => C
ready_no_dbx => D
setup_mode => E
certs_incomplete => F
In addition to the information display, we need a button letting users propagate certificates from the pool to a VM which has bad or no certificates.
Location of the button: under the "Secure Boot" switch.
Button Label: Copy the pool's default UEFI certificates to the VM
Displayed (or enabled) only for UEFI VMs. If it is only disabled, add a message stating why.
When clicked: if VM.get_secureboot_readiness is one of first_boot, setup_mode, certs_incomplete, don't ask for confirmation. Otherwise, ask: "This will overwrite the VM's UEFI certificates with certificates defined at the pool level. Continue?"
Action when submitted: call XAPI's VM.set_uefi_mode("user")
stormi changed the title from "Display accurate Secure Boot status" to "Display accurate Secure Boot status and allow to fix a VM" on Mar 26, 2024
stormi changed the title from "Display accurate Secure Boot status and allow to fix a VM" to "Display accurate Secure Boot status and allow to fix a VM's UEFI certs" on Mar 26, 2024
@benjamreis has implemented the algorithm on XAPI side (upstream PR pending review), so this will leave mainly the UI aspects to XO. I'm going to update the specs.
Specifications
On XCP-ng/XenServer >= 8.3 (we don't cover 8.2 because 1. there are fewer potential issues for users and 2. we won't backport the new API endpoints).
Display SecureBoot status information in the VM, when its firmware is uefi:
A. "SecureBoot not enforced"
B. "SecureBoot enforced, pending first boot"
C. "SecureBoot enforced"
D. "SecureBoot enforced, but no dbx present" => If host is XCP-ng, link to https://docs.xcp-ng.org/guides/guest-UEFI-Secure-Boot/#troubleshoot-guest-secure-boot-issues
E. ":warning: SecureBoot wanted, but disabled due to the VM being in UEFI setup mode" => If host is XCP-ng, link to https://docs.xcp-ng.org/guides/guest-UEFI-Secure-Boot/#troubleshoot-guest-secure-boot-issues
F. ":warning: SecureBoot wanted, but some EFI certificates are missing" => If host is XCP-ng, link to https://docs.xcp-ng.org/guides/guest-UEFI-Secure-Boot/#troubleshoot-guest-secure-boot-issues
This should be displayed both in the general VM view, because it's an important piece of information, and also below the Secure Boot switch in the Advanced view of the VM, updated whenever someone changes the switch's state.
On the general VM page, this information should be updated whenever the VM changes state.
To determine which case the VM is in, call VM.get_secureboot_readiness (new API being implemented in XCP-ng 8.3):
disabled => A
first_boot => B
ready => C
ready_no_dbx => D
setup_mode => E
certs_incomplete => F
In addition to the information display, we need a button letting users propagate certificates from the pool to a VM which has bad or no certificates.
Button label: Copy the pool's default UEFI certificates to the VM
If pool.get_guest_secureboot_readiness is NOT_READY, disable the button, and add a warning next to it or under it, stating "This pool was not setup for Guest UEFI SecureBoot yet" + link to https://docs.xcp-ng.org/guides/guest-UEFI-Secure-Boot/#configure-the-pool
When clicked: if VM.get_secureboot_readiness is one of first_boot, setup_mode, certs_incomplete, don't ask for confirmation. Otherwise, ask: "This will overwrite the VM's UEFI certificates with certificates defined at the pool level. Continue?"
Action when submitted: call XAPI's VM.set_uefi_mode("user")
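The decision logic of this specification, written out as an added JavaScript example (not Xen Orchestra's code): it maps the XAPI readiness values to the status cases A..F, decides whether the troubleshooting link applies, and derives the button's enabled/confirmation state. The returned object shape and the input names firmware, vmReadiness, poolReadiness and hostIsXcpNg are assumptions of this example.

```javascript
// Added example, not Xen Orchestra code: the display/button logic the spec
// above describes, as one pure function. The readiness strings are the values
// XAPI returns from VM.get_secureboot_readiness and
// pool.get_guest_secureboot_readiness; the returned object shape is our own.
const TROUBLESHOOT_URL = 'https://docs.xcp-ng.org/guides/guest-UEFI-Secure-Boot/#troubleshoot-guest-secure-boot-issues'
const CONFIGURE_POOL_URL = 'https://docs.xcp-ng.org/guides/guest-UEFI-Secure-Boot/#configure-the-pool'

// Cases A..F: [case letter, label, is a warning, troubleshooting link applies]
const STATUS = {
  disabled: ['A', 'SecureBoot not enforced', false, false],
  first_boot: ['B', 'SecureBoot enforced, pending first boot', false, false],
  ready: ['C', 'SecureBoot enforced', false, false],
  ready_no_dbx: ['D', 'SecureBoot enforced, but no dbx present', false, true],
  setup_mode: ['E', 'SecureBoot wanted, but disabled due to the VM being in UEFI setup mode', true, true],
  certs_incomplete: ['F', 'SecureBoot wanted, but some EFI certificates are missing', true, true],
}

// Readiness states for which the spec skips the confirmation dialog.
const NO_CONFIRM = new Set(['first_boot', 'setup_mode', 'certs_incomplete'])
const CONFIRM_TEXT = "This will overwrite the VM's UEFI certificates with certificates defined at the pool level. Continue?"

function secureBootView({ firmware, vmReadiness, poolReadiness, hostIsXcpNg }) {
  // Status and button only exist for UEFI VMs; otherwise say why the button is off.
  if (firmware !== 'uefi') {
    return { status: null, button: { enabled: false, reason: 'The VM does not use UEFI firmware' } }
  }
  const entry = STATUS[vmReadiness]
  if (entry === undefined) throw new Error(`unknown secureboot readiness: ${vmReadiness}`)
  const [letter, label, warning, needsHelp] = entry
  // The docs link is only shown when the host is XCP-ng, as the spec requires.
  const status = { case: letter, label, warning, link: needsHelp && hostIsXcpNg ? TROUBLESHOOT_URL : null }

  // A pool without certificates has nothing to copy: disable the button and explain.
  if (poolReadiness === 'NOT_READY') {
    const reason = 'This pool was not setup for Guest UEFI SecureBoot yet'
    return { status, button: { enabled: false, reason, link: CONFIGURE_POOL_URL } }
  }
  return {
    status,
    button: {
      enabled: true,
      confirm: NO_CONFIRM.has(vmReadiness) ? null : CONFIRM_TEXT,
      // What the UI submits once the user has (if asked) confirmed.
      action: { method: 'VM.set_uefi_mode', params: ['user'] },
    },
  }
}
```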