Planned new target is 24.04.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1903288
Title:
Power guest secure boot with static keys: kernel portion
Status in The Ubuntu-power-systems
[Expired for linux (Ubuntu) because there has been no activity for 60
days.]
** Changed in: linux (Ubuntu)
Status: Incomplete => Expired
--
** Changed in: linux (Ubuntu)
Assignee: Canonical Kernel Team (canonical-kernel-team) => (unassigned)
** Changed in: ubuntu-power-systems
Status: Triaged => Incomplete
** Tags removed: kk-release
--
** Tags added: kk-release
--
** Tags removed: targetmilestone-inin2104
** Tags added: targetmilestone-inin2210
--
meanwhile v8 became available:
* Includes Jarkko's feedback on patch description and removed Reported-by for
Patch 1
The extracted v8 patch-set is attached.
Builds are currently running and are soon available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1903288-v8/
** Attachment added:
Over the year break a v7 was made available and was discussed at the mailing
list:
https://lore.kernel.org/linux-integrity/20220105175410.55-1-na...@linux.ibm.com/
Since this mainly seems to have structural changes (patch split etc.) and
comment changes compared to the previous versions and
I've just 'extracted' the v5 patch set from the upstream mailing-list and
attach it here.
(builds are ongoing ...)
** Attachment added: "v5 patch set"
I just kicked off another build for a new patched kernel that allows one to try and
test the v4 patch-set in an Ubuntu kernel 5.15.0-9.9 context:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1903288-v4/
(will take a while until it's completed ...)
--
I've just 'extracted' the v4 patch set from the upstream mailing-list and
attach it here.
(builds are ongoing ...)
** Attachment added: "v4 patch-set"
I've just noticed Nayna's v4 (from Nov 11th):
https://lore.kernel.org/linux-integrity/2021002057.123741-1-na...@linux.ibm.com/
"
v4:
* Split into two patches as per Mimi Zohar and Dimitri John Ledkov
recommendation.
"
--
Added my own review https://lore.kernel.org/linux-
integrity/8d7e1609-f77e-834e-cf40-05e19bbc3...@canonical.com/
A few optional comments; and one required change needed to add one more
ifdef.
--
Hi @Nayna even if it looks like your patch (v3) is still under discussion on
the mailing list
(https://lore.kernel.org/linux-integrity/beedd453a1ec674d3986f7c3851f30df516d2fbb.ca...@linux.ibm.com/)
we've built a test kernel that allows one to try and test what you already have
(v3) in an Ubuntu
** Tags added: patch
--
I just 'extracted' the patch from the upstream v3 discussion thread and attach
it here.
(Even though there seems to be a request to split it into two patches, that
would probably have no functional impact.)
** Patch added: "patch v3"
Hi Nayna,
I agree that Reviewed-by or Tested-by are in general helpful, but these
tags follow strict rules in Linux kernel (see: "Reviewer's statement of
oversight" in kernel documentation). I cannot provide such tags without
performing review or testing. Unfortunately I cannot do the review
We are looking at the patches and following the upstream discussions.
Once the upstream discussions have settled out, we can build a test
kernel.
--
Adjusting priority to high while waiting for patches to test.
** Changed in: ubuntu-power-systems
Importance: Critical => High
--
** Attachment added: "opal.esl"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1903288/+attachment/5498450/+files/opal.esl
--
We should not add opal keys to the built_trusted_keys_keyring as that's
not the purpose of these keys. We could add them direct to .platform or
.ima keyrings, but it would be best to load them from firmware direct.
Are the above attached keys & ESL available from the "powerpc:db"?
--
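The opal.esl attachment discussed above is an EFI Signature List: one or more EFI_SIGNATURE_LIST headers, each followed by fixed-size entries of an owner GUID plus the signature data (a DER certificate for EFI_CERT_X509_GUID, a 32-byte digest for EFI_CERT_SHA256_GUID). This is the same framing a secure-variable db carries. The parser below is an added example, not code from the bug, Ubuntu or the kernel; the sample blob, its "certificate" payload and the owner GUID are constructed placeholders, not real OPAL material.

```python
"""Walk an EFI Signature List (.esl) and pull out its entries.

Added example for the bug thread above, not part of the bug or of any Ubuntu
or kernel code. Only the EFI_SIGNATURE_LIST framing is parsed; certificate
bytes are returned untouched. The sample data at the bottom is constructed
(a dummy payload stands in for a real X.509 DER certificate).
"""
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Hypothetical SignatureOwner for the constructed sample; a real list carries
# the GUID of whoever enrolled the entry.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (little-endian, packed).
_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16


def build_esl(sig_type, owner, payloads):
    """Serialise one EFI_SIGNATURE_LIST; every payload must have the same size."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all SignatureData in one list must have the same size")
    sig_size = _OWNER_LEN + sizes.pop()
    list_size = _HDR.size + sig_size * len(payloads)
    out = _HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for p in payloads:
        out += owner.bytes_le + p
    return out


def parse_esl(blob):
    """Return [(sig_type, owner, data), ...] for every entry in a concatenated ESL blob.

    Inconsistent sizes raise ValueError instead of being skipped: a malformed
    signature-database entry should be rejected, not partially trusted.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = list_size - _HDR.size - hdr_size
        if sig_size <= _OWNER_LEN or body % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = off + _HDR.size + hdr_size
        end = off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + _OWNER_LEN])
            entries.append((sig_type, owner, blob[pos + _OWNER_LEN:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def x509_certs(blob):
    """Only the X.509 payloads, e.g. to hand to `openssl x509 -inform der`."""
    return [d for t, _, d in parse_esl(blob) if t == EFI_CERT_X509_GUID]


def is_well_formed(blob):
    """True if the blob parses cleanly, False on any framing error."""
    try:
        parse_esl(blob)
        return True
    except ValueError:
        return False


# Constructed sample: a dummy "certificate" (NOT real DER) in its own list,
# followed by a list holding two SHA-256 digest entries.
FAKE_CERT = b"CONSTRUCTED-SAMPLE-NOT-A-REAL-CERTIFICATE"
SAMPLE_ESL = (
    build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT])
    + build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32, b"\x22" * 32])
)

if __name__ == "__main__":
    names = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
    for sig_type, owner, data in parse_esl(SAMPLE_ESL):
        print(f"{names.get(sig_type, str(sig_type)):6} owner={owner} {len(data)} bytes")
```

Run it against a real file with `parse_esl(open("opal.esl", "rb").read())`; each X.509 payload can then be written out and compared against the attached .pem certificates.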
** Attachment added: "opal-2019-ppc64el.pem"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1903288/+attachment/5498449/+files/opal-2019-ppc64el.pem
--
** Attachment added: "opal-2017-ppc64el.pem"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1903288/+attachment/5498448/+files/opal-2017-ppc64el.pem
--
@Nayna Jain @Daniel
Hm, but we already have CONFIG_LOAD_PPC_KEYS=y, which I would expect
to be the only thing that loads keys into the .platform keyring; that was
enabled as part of
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1866909 LTC-184073.
Which keys are present in firmware / get
BTW. is https://patchwork.kernel.org/project/linux-
integrity/patch/20210330131636.21711-4-na...@linux.ibm.com/ of any help
to us?
Ideally we'd want to do that, but load the 2017 & 2019 keys there into
the .ima keyring instead of the kernel module signing ones.
--
Sorry, I wasn't seeing emails for this bug despite being subscribed. Not
sure what's going on with that.
If the key is self-signed, shouldn't having the key in
.builtin_trusted_keys allow for loading it into the IMA keyring? Or is
that insufficient for some reason?
--
Kind of wish for a config option that would do add_to_platform_keyring a
built-in set of keys, until we have something like the other platforms
have (ipl on s390x, uefi db on EFI platforms).
Similar to how the built-in trusted keys are initialized.
--
this is all very annoying! But I see what you mean now.
We probably should not add opal keys to the trusted_keyring then.
I would rather avoid introducing a new CA key whilst we cannot travel to
assemble and distribute CA shards offline.
I'd rather somehow enable platform_keyring or IMA
@Daniel
"In either case, however, the CA that signs the kernel signing key needs to be
built in to the kernel's .builtin_trusted_keys keyring."
On Ubuntu, for OPAL signing, on PowerPC, we do not use a CA at all. It is
our understanding that firmware doesn't support verifying signature
chains to a
I should have mentioned, the kernel in comment #11 is not signed with
the archive signing key since it's in a personal ppa, but the cert which
is built into the kernel is for the archive key.
--
Here's a test build with public cert for the opal signing key built into
.builtin_trusted_keys:
https://launchpad.net/~sforshee/+archive/ubuntu/lp1903288
I'm still working out exactly how we want to distribute the key in the
filesystem, but if you can try that out and let me know whether that
Sorry for the delayed response here, it's taken me a while to get some
of the needed information.
In general this should be fine. One thing to note is that the key is
self-signed, so we will need to add the signing key itself into
.builtin_trusted_keys. This should still allow loading the key
I think I've got a good idea of what you're after here. Let me look into
this, and I'll try to get back to you soon.
--
I had a look at our 'Ubuntu unstable' 5.10 tree:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/unstable
(that will eventually become the hirsute/21.04 kernel)
And found that the commit 61f879d97ce4 "powerpc/pseries: Detect secure and
trusted boot state of the system" is already in
** Changed in: ubuntu-power-systems
Status: Incomplete => Triaged
** Changed in: linux (Ubuntu)
Status: Incomplete => Triaged
** Changed in: linux (Ubuntu)
Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) =>
Canonical Kernel Team (canonical-kernel-team)
To confirm, this bug only requires that commit 61f879d97ce4
("powerpc/pseries: Detect secure and trusted boot state of the system.")
lands in hirsute. Is that correct, or are other patches also required?
** Changed in: ubuntu-power-systems
Status: Confirmed => Incomplete
** Changed in:
Just cross-referencing, this is the grub part: LP 1903289
--
yes kernel config changes will be needed for this.
** Changed in: ubuntu-power-systems
Status: Incomplete => Confirmed
--
** Changed in: ubuntu-power-systems
Status: New => Incomplete
--
Hi Daniel, btw. in which upstream kernel did the kernel patches for this land
(or will they land)?
Just to be sure: 5.10 or 5.11, or already in with an earlier version?
** Package changed: kernel-package (Ubuntu) => linux (Ubuntu)
** Also affects: ubuntu-power-systems
Importance: Undecided