[Kernel-packages] [Bug 1941950] Re: linux-riscv: missing kernel signature

2022-03-14 Thread Dimitri John Ledkov
** Changed in: linux-riscv (Ubuntu)
   Status: New => Opinion

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-riscv in Ubuntu.
https://bugs.launchpad.net/bugs/1941950

Title:
  linux-riscv: missing kernel signature

Status in linux-riscv package in Ubuntu:
  Opinion

Bug description:
  U-Boot and EDK II both support secure boot. But
  vmlinuz-5.11.0-1014-generic and vmlinuz-5.13.0-1002-generic are not
  signed via sbsign.

  Please, adjust the RISC-V build system to sign new kernels.

  Best regards

  Heinrich

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-riscv/+bug/1941950/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1941950] Re: linux-riscv: missing kernel signature

2021-08-30 Thread Heinrich Schuchardt
The RISC-V platform specification requires UEFI. Secure boot is defined
in the UEFI specification.

With U-Boot, Shim, GRUB, and a signed kernel I am able to demonstrate
secure boot on RISC-V. I am upstreaming the necessary patches.

Roots of trust for RISC-V are in active development but not yet available on
commercial boards. Cf.
https://riscv.org/wp-content/uploads/2019/03/15.05-RISC-V-Security-Multizone-v-TrustZone-3-12-19.pdf

Canonical has started discussing with SiFive how a root of trust can be
supplied. A boot ROM checking the first bootstage (U-Boot SPL) using a
certificate from the OTP memory would be a good start. This only
requires a software change on the vendor side.
