C3Subtitles: 33c3: Virtual Secure Boot
back

Virtual Secure Boot

Secure Boot support in qemu, kvm and ovmf.

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:51:44
Language
English
Abstract
Over the last two years secure boot support for virtual machines was added to qemu, kvm (linux kernel) and ovmf (edk2/tianocore). This talk covers the implementation details and the issues we had to deal with along the way.

Well, to be exact ovmf (open virtual machine firmware, part of tianocore) has support for the secure boot interfaces for a long time already. But it used to not provide any actual security, the guest os could easily tamper with the secure boot variable storage by simply writing to the (virtual) firmware flash.

This is no longer the case now.

Making secure boot actually secure was a bigger effort than we initially expected and it required changes in three software projects: kvm got smm emulation support. qemu got smm emulation support, and the q35 chipset emulation needed some fixes and improvements too. ovmf makes use of the smm lockbox now as tamper-resitant storage for secure boot variables (and some other bits).

Talk ID
8142
Event:
33c3
Day
4
Room
Saal 6
Start
4 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
Gerd Hoffmann