Public bug reported:
Covering the userspace portion (secvarctl)
Feature:
This feature comprises PowerVM LPAR guest OS kernel verification to
extend the chain of trust from partition firmware to the OS kernel and
includes key management. GRUB and the host OS kernel are signed with 2
separate public key pairs. Partition firmware includes the the public
verification key for GRUB in its build and uses it to verify GRUB. GRUB
includes the public verification key for the OS kernel in its build and
uses it to verify the OS kernel image
Test case:
If secure boot is switched off, any GRUB and kernel boots.
If secure boot is switched on:
- Properly signed GRUB boots.
- Improperly signed GRUB does not boot.
- Tampered signed GRUB does not boot.
- Properly signed kernels boot.
- Improperly signed kernels do not boot.
- Tampered signed kernels do not boot.
TPM PCRs are extended roughly following the TCG PC Client and UEFI specs as
they apply to POWER.
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
Status: New
** Tags: architecture-ppc64le bugnameltc-205843 severity-critical
targetmilestone-inin2404
** Tags added: architecture-ppc64le bugnameltc-205843 severity-critical
targetmilestone-inin2404
** Changed in: ubuntu
Assignee: (unassigned) => Ubuntu on IBM Power Systems Bug Triage
(ubuntu-power-triage)
** Package changed: ubuntu => linux (Ubuntu)
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2064345
Title:
Power guest secure boot with key management: userspace portion
Status in linux package in Ubuntu:
New
Bug description:
Covering the userspace portion (secvarctl)
Feature:
This feature comprises PowerVM LPAR guest OS kernel verification to
extend the chain of trust from partition firmware to the OS kernel and
includes key management. GRUB and the host OS kernel are signed with
2 separate public key pairs. Partition firmware includes the the
public verification key for GRUB in its build and uses it to verify
GRUB. GRUB includes the public verification key for the OS kernel in
its build and uses it to verify the OS kernel image
Test case:
If secure boot is switched off, any GRUB and kernel boots.
If secure boot is switched on:
- Properly signed GRUB boots.
- Improperly signed GRUB does not boot.
- Tampered signed GRUB does not boot.
- Properly signed kernels boot.
- Improperly signed kernels do not boot.
- Tampered signed kernels do not boot.
TPM PCRs are extended roughly following the TCG PC Client and UEFI specs as
they apply to POWER.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2064345/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
