Introduce kernel-mshv-signed, hvloader-signed #7173
8a8f787 to cf7197c
@@ -0,0 +1,153 @@ | |||
%global debug_package %{nil} |
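Review bot: On line 1 of the new spec, `%global debug_package %{nil}` turns off debuginfo package generation, and no comment is visible beside it saying why. If the reason is that this -signed spec only repackages binaries that were built and signed elsewhere, state that in a one-line comment above the macro so a later editor does not re-enable it or read the missing debug symbols as an oversight.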
Please update the entangled spec checker script for hvloader and kernel-mshv - toolkit/scripts/check_entangled_specs.py
@@ -0,0 +1,153 @@ | |||
%global debug_package %{nil} |
Please also update the codeowners files so @microsoft/cbl-mariner-kata-containers are automatically added as reviewers for updates to these new specs
0bb0f14 to 32fbdd3
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-static subpackages, etc.) have had their Release tag incremented.
./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
*.signatures.json files
sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
What does the PR accomplish, why was it needed?
Introduce kernel-mshv-signed, hvloader-signed for the SecureBoot signing process. In MSHV-enabled images, the boot chain includes a new kernel (kernel-mshv) as well as an extra loader component (hvloader) for loading the hypervisor during boot. These must be signed by Microsoft so that the chain of trust is not broken.
Change Log
Does this affect the toolchain?
NO
Test Methodology