RunDXERun: safely running DXE bootloaders, in a VM, with a Go VMM

RunDXERun allows safe execution of UEFI boot applications. It runs these applications in a KVM-based VM, using a Virtual Machine Manager (VMM) written in Go. As the boot applications call UEFI services, they exit the VM and and the RunDXERun VMM handles them. The services themselves are also implemented in Go.

RunDXERun is intended to be compiled as part of u-root and used in firmware images. As of October, RunDXERun successfully starts the u-boot EFItest program, and runs one of its tests.

RunDXERun in a u-root image increases its size by about 500K (uncompressed) or 145K (xz compressed). This is not much larger than building in a full EDK2. It fits easily in payloads destined for coreboot.

The reason to use RunDXERun is for the security it provides. Normally, UEFI boot applications run at the highest privilege level of a machine, as do the boot services. RunDXERun allows running both applications and UEFI services at the lowest privilege level, and the services are implemented in a memory safe language. RunDXERun is similar in spirit to the "safe" ROM support already in coreboot.

RunDXERun compiles for both x86 and ARM64; writing the initial port for ARM64 took four hours.