beshleman

Results 12 comments of beshleman

Two questions: Is the firmware in UEFI mode? Does the target disk contain an EFI system partition? `efibootmgr` reporting no "file" means it can't find the boot variable in `/sys/firmware/efi/efivarfs/*`...

> Happens over and over again. Even tried going in with Ubuntu/Gparted and clearing the install drive and creating a clean GPT partition table. Same result.
>
> Device is...

> > Could you provide the output from dmesg?
>
> as requested
> [dmesg.txt](https://github.com/xcp-ng/xcp/files/6260820/dmesg.txt)

Thanks. `efivarfs` subsystem doesn't seem to be complaining at all. Could you invoke the same...

Thanks for the info Casey. `efibootmgr -c -L XCP-ng -l \\EFI\\xenserver\\grubx64.efi -d /dev/sda -p 3 -v` should work on any device with `/dev/sda`, even if partition 3 doesn't exist, which...

Awesome, thanks for the reference to the patchset Tamas

@rjt That is something we can look into supporting, although the vTPM is orthogonal to UEFI Secure Boot, and could be accomplished without UEFI Secure Boot AFAIK. I just created...

It'll be important to build grub with the load/iorw/memrw modules disabled. We'll need to audit other modules for compromising functionality.

Just an update here: the Xen patch set is complete and has passed (very) preliminary testing. Putting some final touches on it before hitting the mailing list with it. This...

> @beshleman Anything to report here?

For a basic chain-of-trust boot chain, I have a working PoC. The verification chain successfully extends from the firmware, through Xen, and into the...

> @beshleman do you have any instructions for self-signing to enable secure boot?

For what it is worth, that is probably just security theater until Xen + grub is secure...