[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From naynj...@ibm.com 2020-04-10 16:15 EDT---
The upstream patch has an additional fix, but it's not critical for GA. It can get included as part of bug fixes. It also affects only power. The patch ("powerpc/ima: fix secure boot rules in ima arch policy") is posted to the linux-integrity and linuxppc-dev mailing lists (https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-email-na...@linux.ibm.com/T/#u).

If there are any issues identified during further testing, they will get opened as separate issues to be addressed later.

Thanks & Regards,
- Nayna

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1866909

Title:
  Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

Status in The Ubuntu-power-systems project:
  Fix Committed
Status in linux package in Ubuntu:
  Fix Committed

Bug description:
  == Comment: #0 - George C. Wilson - 2020-02-25 18:40:44 ==
  - sysfs enablement: TBD
  - ima: arch specific policy support 6191706246de
  - platform keyring changes for powerpc: TBD
  - Appended signatures support for IMA appraisal 39b07096364a42c516415d5f841069e885234e61
  - integrity: Define a trusted platform keyring: 9dc92c45177a
  - ima: Support platform keyring for kernel appraisal: d7cecb676dd3
  - TPM 2.0 Multibank extend support: c1f92b4b04ad
  - TPM 2.0 Eventlog support: 4d23cc323cdb
  - ima: carry the measurement list across kexec: d68a6fe9fccf
  - kexec_file_load system call support: 500c7ab1a9db

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1866909/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From naynj...@ibm.com 2020-04-06 11:23 EDT---
Tested the updated ppa kernel. Everything looks good, and here are the test results:

Secure boot is enabled, as seen by the device-tree entry "os-secure-enforcing":

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible  ibm,cvc  phandle  hw-key-hash  name  secure-enabled  hw-key-hash-size  os-secureboot-enforcing  trusted-enabled

IMA policies are as below. It doesn't have MODULE_CHECK enabled now.

root@ltc-wspoon13:/home/ubuntu# cat /sys/kernel/security/ima/policy
measure func=KEXEC_KERNEL_CHECK template=ima-modsig
measure func=MODULE_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

Platform keyring is loaded with db keys:

root@ltc-wspoon13:/home/ubuntu# keyctl show %keyring:.platform
Keyring
1002253804 ---lswrv      0     0  keyring: .platform
 900087744 ---lswrv      0     0   \_ asymmetric: PPA sforshee lp1866909 Opal: d9be99d351bd1a2bdef604427612399dc47cb452

Build time generated key used for signing modules is:

root@ltc-wspoon13:/home/ubuntu# keyctl show %keyring:.builtin_trusted_keys
Keyring
 929665685 ---lswrv      0     0  keyring: .builtin_trusted_keys
 110783576 ---lswrv      0     0   \_ asymmetric: Build time autogenerated kernel key: d80d11780f22b0a033c0a787e075d0f0eb784d2c

sysfs interface is enabled:

root@ltc-wspoon13:/home/ubuntu# ls /sys/firmware/secvar/vars/
db  dbx  KEK  PK  TS

kexec load is disabled:

root@ltc-wspoon13:/boot# kexec -l /boot/vmlinux-5.4.0-21-generic -i /boot/initrd.img-5.4.0-21-generic
Warning: append= option is not passed. Using the first kernel root partition
Modified cmdline:root=UUID=49d000cb-dba2-4d70-809e-38f2b31d0f09
[ 1150.964096] ima: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.
kexec_load failed: Permission denied
entry       = 0x39f0600 flags = 0x15
nr_segments = 3
segment[0].buf   = 0x76a989590010
segment[0].bufsz = 0x1aca0d8
segment[0].mem   = 0x1d0
segment[0].memsz = 0x1cf
segment[1].buf   = 0xac9705e7260
segment[1].bufsz = 0x38c0
segment[1].mem   = 0x39f
segment[1].memsz = 0x1
segment[2].buf   = 0x76a989430010
segment[2].bufsz = 0x648dc
segment[2].mem   = 0x2ff9
segment[2].memsz = 0x7

kexec_file_load failed when trying a kernel signed with a different key. The key for this kernel is not present in the .platform keyring. It says "invalid-signature" in the audit log.

root@ltc-wspoon13:/boot# kexec -s -l /boot/vmlinux-5.4.27signpatch.signed
kexec_file_load failed: Permission denied

And here is the audit log message for it:

Apr 6 10:12:52 ltc-wspoon13 kernel: [  233.996642] audit: type=1800 audit(1586185972.332:16): pid=3385 uid=0 auid=1000 ses=1 op=appraise_data cause=invalid-signature comm="kexec" name="/boot/vmlinux-5.4.27signpatch.signed" dev="sdb6" ino=2017357 res=0

Next tried to load the signed kernel whose key is present in the .platform keyring.

root@ltc-wspoon13:/home/ubuntu# kexec -s -l /boot/vmlinux-5.4.0-21-generic
root@ltc-wspoon13:/home/ubuntu# dmesg | tail
[    9.127873] Console: switching to colour frame buffer device 128x48
[  233.996640] kauditd_printk_skb: 1 callbacks suppressed
[  233.996642] audit: type=1800 audit(1586185972.332:16): pid=3385 uid=0 auid=1000 ses=1 op=appraise_data cause=invalid-signature comm="kexec" name="/boot/vmlinux-5.4.27signpatch.signed" dev="sdb6" ino=2017357 res=0
[  762.188842] ima dump: 01 00 00 00 00 00 00 00 8f 38 00 00 00 00 00 00  .8..
[  762.188844] ima dump: 4a 00 00 00 00 00 00 00 0a 00 00 00 bc b0 e5 18  J...
[  762.188845] ima dump: b7 9d e0 d7 f2 cd 20 b8 a2 9a 70 92 e6 5d b7 ef  .. ...p..]..
[  762.188846] ima dump: 07 00 00 00 69 6d 61 2d 73 69 67 35 00 00 00 1a  ima-sig5
[  762.188847] ima dump: 00 00 00 73 68 61 31 3a 00 00 00 00 00 00 00 00  ...sha1:
[  762.188847] ima dump: 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 00
[  762.188848] ima dump: 00 62 6f 6f  .boo
root@ltc-wspoon13:/home/ubuntu#

Thanks to Canonical for including the patch and respinning the new kernel for testing. Thanks to Michael for installing the latest kernel, setting up the system and helping throughout the testing. Thanks to Mimi for helping with the fix to resolve the issue.

Thanks & Regards,
- Nayna
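The results above were gathered by hand. The script below, an added example that is not code from the bug thread or from the Ubuntu kernel, re-runs the same checks (device-tree enforcing flag, the three IMA policy rules, the secvar sysfs `db` variable, a populated `.platform` keyring) as functions that take a root path, so they can be pointed at `/` on an OpenPOWER host or at the constructed fixture tree the script builds for itself. The fixture contents and the keyctl listing it uses are copied from the thread's output; the rule text is the `secure_and_trusted_rules[]` quoted later on this page, minus the MODULE_CHECK appraise rule the tested kernel no longer loads.

```shell
#!/bin/sh
# Added example, not code from the bug thread: re-run the manual checks from the
# 2020-04-06 test results as a script. ROOT is prefixed to every path so the
# same functions work against a constructed fixture tree (built below) or "/".

# Rules the powerpc arch policy installs for secure + trusted boot, as quoted
# in the thread's secure_and_trusted_rules[] (without the MODULE_CHECK appraise
# rule, which the tested kernel does not load).
RULE_MEASURE_KEXEC='measure func=KEXEC_KERNEL_CHECK template=ima-modsig'
RULE_MEASURE_MODULE='measure func=MODULE_CHECK template=ima-modsig'
RULE_APPRAISE_KEXEC='appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig'

# 0 when the device tree carries the OS secure-boot enforcing flag.
secure_boot_enforcing() {
    [ -e "$1/proc/device-tree/ibm,secureboot/os-secureboot-enforcing" ]
}

# 0 when the loaded IMA policy contains RULE. The kernel prints rule tokens in
# its own order (appraise_type before appraise_flag in the thread's output),
# so rules are compared as sorted token sets rather than as raw strings.
ima_policy_has_rule() {
    policy="$1/sys/kernel/security/ima/policy"
    [ -r "$policy" ] || return 1
    want=$(printf '%s\n' "$2" | tr ' ' '\n' | sort | tr '\n' ' ')
    while IFS= read -r line; do
        have=$(printf '%s\n' "$line" | tr ' ' '\n' | sort | tr '\n' ' ')
        [ "$have" = "$want" ] && return 0
    done < "$policy"
    return 1
}

# 0 when a `keyctl show %keyring:.platform` listing (passed as text) holds at
# least one asymmetric key, i.e. firmware db keys were loaded.
platform_keyring_nonempty() {
    printf '%s\n' "$1" | grep -q 'asymmetric:'
}

# report LABEL CMD... : print PASS/FAIL and return CMD's status.
report() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; return 0; fi
    echo "FAIL $label"; return 1
}

# Run every check; returns the number of failed checks (0 = fully verified).
check_secure_boot() {
    root=$1; listing=$2; fails=0
    report "os-secureboot-enforcing present in device tree" \
        secure_boot_enforcing "$root" || fails=$((fails + 1))
    report "secvar sysfs exposes the db variable" \
        [ -d "$root/sys/firmware/secvar/vars/db" ] || fails=$((fails + 1))
    for rule in "$RULE_MEASURE_KEXEC" "$RULE_MEASURE_MODULE" "$RULE_APPRAISE_KEXEC"; do
        report "IMA policy has: $rule" ima_policy_has_rule "$root" "$rule" || fails=$((fails + 1))
    done
    report ".platform keyring holds a db key" \
        platform_keyring_nonempty "$listing" || fails=$((fails + 1))
    return "$fails"
}

# Constructed fixture mirroring the thread's output, so the script runs offline.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/proc/device-tree/ibm,secureboot" \
             "$root/sys/kernel/security/ima" \
             "$root/sys/firmware/secvar/vars/db"
    : > "$root/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"
    cat > "$root/sys/kernel/security/ima/policy" <<'EOF'
measure func=KEXEC_KERNEL_CHECK template=ima-modsig
measure func=MODULE_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist
EOF
    printf '%s\n' "$root"
}

# keyctl listing copied from the thread's 2020-04-06 results.
FIXTURE_KEYRING='Keyring
1002253804 ---lswrv      0     0  keyring: .platform
 900087744 ---lswrv      0     0   \_ asymmetric: PPA sforshee lp1866909 Opal: d9be99d351bd1a2bdef604427612399dc47cb452'

FIXTURE_ROOT=$(make_fixture)
check_secure_boot "$FIXTURE_ROOT" "$FIXTURE_KEYRING"
# On a real host: check_secure_boot / "$(keyctl show %keyring:.platform)"
```

The token-set comparison matters because the policy text a kernel prints back is not byte-identical to the rule strings compiled into `ima_arch.c`; a naive `grep -F` of the source string would report the appraise rule missing even when it is loaded.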
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From mranw...@us.ibm.com 2020-04-03 16:36 EDT---
We did some testing with that patch (previous comment) on top of the 5.4.0-21.25+lp1866909v202004020814 source/config file. We signed the kernel/modules and securely booted it. That fixed the module loading issue we were having when trying 5.4.0-21.25+lp1866909v202004020814 and seemed to be generally successful.

We'll try the PPA once that's done building.

Thank you, again.
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From mranw...@us.ibm.com 2020-04-03 12:45 EDT---
We've been working with Mimi and I think that what we need now aren't config option changes, but this patch:

diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index e341162..c1ea55d 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -50,7 +50,7 @@ bool arch_ima_get_secureboot(void)
 	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
 	"measure func=MODULE_CHECK template=ima-modsig",
 	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
-#ifndef CONFIG_MODULE_SIG_FORCE
+#ifndef CONFIG_MODULE_SIG
 	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
 #endif
 	NULL

We're going to test that, but it's similar to commit 8db5da0b8618 on the x86 side. It looks like the MODULE_SIG_FORCE/IMA_ARCH_POLICY change is the wrong path right now. But testing that, too. ;)
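Review bot: the switch from `#ifndef CONFIG_MODULE_SIG_FORCE` to `#ifndef CONFIG_MODULE_SIG` around the `appraise func=MODULE_CHECK` rule needs a comment in the source and a sentence in the commit message, because the rule is now dropped on any kernel with CONFIG_MODULE_SIG=y, including one where enforcement is off (MODULE_SIG_FORCE=n, the configuration this thread says was failing). The intended reading is that module signature checking is left to the module loader, whose keyring holds the build-time key that IMA's .ima keyring does not, rather than to IMA appraisal; without that explanation the bare `#ifndef` reads as IMA silently giving up coverage of modules. A one-line comment above the `#ifndef` such as "module signatures are verified by the module loader when CONFIG_MODULE_SIG is set" would make the division of responsibility explicit.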
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From mranw...@us.ibm.com 2020-04-03 10:30 EDT---
Sorry, we don't know if we want CONFIG_MODULE_SIG_FORCE set. The modules aren't loading, and we weren't sure what needed to change. We're happy to try a kernel with IMA_ARCH_POLICY if that fixed it on x86.
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From mranw...@us.ibm.com 2020-04-03 00:39 EDT---
We did check the modules - at least the package 5.4.0-21.25+lp1866909v202004020814 - and from modinfo:

signer:         Build time autogenerated kernel key
sig_key:        3B:AB:B6:13:BE:1C:39:7C:C5:17:8E:6F:B4:C9:A1:7F:52:30:9B:8F

MODULE_SIG_FORCE looks like it's off for all archs, too.
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From naynj...@ibm.com 2020-04-03 00:35 EDT---
With Michael's help, I could get the right key for the kernel. I updated the new key and then tried booting the signed kernel in the secure boot enabled state. It seems the kernel is being verified.

# kexec -l /var/petitboot/mnt/dev/sdb6/boot/vmlinux-5.4.0-21-generic
kexec syscall failed: Permission denied
> Expected to fail, as insecure load is disabled during secure boot

# kexec -s /var/petitboot/mnt/dev/sdb6/boot/vmlinux-5.4.0-21-generic
# dmesg | tail -f
[    9.573882] IPv6: ADDRCONF(NETDEV_CHANGE): enP5p1s0f0: link becomes ready
[   94.085611] ima: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.
[   94.085615] ima: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.
[  102.049306] ima dump: 01 00 00 00 00 00 00 00 fd 1c 00 00 00 00 00 00
[  102.049308] ima dump: 28 00 00 00 00 00 00 00 0a 00 00 00 bc b0 e5 18  (...
[  102.049309] ima dump: b7 9d e0 d7 f2 cd 20 b8 a2 9a 70 92 e6 5d b7 ef  .. ...p..]..
[  102.049310] ima dump: 07 00 00 00 69 6d 61 2d 73 69 67 35 00 00 00 1a  ima-sig5
[  102.049310] ima dump: 00 00 00 73 68 61 31 3a 00 00 00 00 00 00 00 00  ...sha1:
[  102.049311] ima dump: 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 00
[  102.049312] ima dump: 00 62 6f 6f  .boo

However, it failed on doing kexec -e. It failed at:

[   42.315484] kexec_core: Starting new kernel
Gave up waiting for root file system device.  Common problems:
 - Boot args (cat /proc/cmdline)
   - Check rootdelay= (did the system wait long enough?)
 - Missing modules (cat /proc/modules; ls /dev)
ALERT!  UUID=49d000cb-dba2-4d70-809e-38f2b31d0f09 does not exist.  Dropping to a shell!

BusyBox v1.30.1 (Ubuntu 1:1.30.1-4ubuntu5) built-in shell (ash)
Enter 'help' for a list of built-in commands.

(initramfs)

Michael investigated, and it seems modules are not getting loaded. He looked for the modules and they seemed to be signed. Next we checked the CONFIG. It seems MODULE_SIG_FORCE is not enabled, though MODULE_SIG and MODULE_SIG_ALL are enabled.

As per the powerpc arch specific policies for secure boot, which are:

static const char *const secure_and_trusted_rules[] = {
	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
	"measure func=MODULE_CHECK template=ima-modsig",
	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG_FORCE
	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#endif
	NULL
};

As per these policies, if MODULE_SIG_FORCE is not enabled, the IMA policy for MODULE_CHECK gets added. However, IMA looks for keys only in the .ima keyring for module verification and therefore does not find the buildtime generated key and fails to verify. I think that explains why booting failed.

We wanted to understand if there is a reason for not enabling MODULE_SIG_FORCE even though modules are signed at build time.

Michael, please add any other info if I missed any.

Thanks & Regards,
- Nayna
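When a kexec_file_load or module load is refused with "Permission denied", as in the messages on this page, the reason is recorded in the IMA audit record (type=1800, INTEGRITY_DATA), whose `cause=` field names the failure; the 2020-04-06 results earlier on this page show one with `cause=invalid-signature`. The following script is an added example, not code from the bug thread: it extracts those denials from kernel or syslog text. The first sample line is the record quoted in the thread; the second (an unsigned module rejected by modprobe) and the third (the kexec_load refusal message from the thread, which is not an audit record and must be ignored) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the bug thread: pull IMA appraisal denials out
# of kernel/audit log text so the cause of a "Permission denied" is visible.

# Read log lines on stdin; print one "cause<TAB>comm<TAB>name" line per
# type=1800 record whose res=0 (appraisal failed). Other lines are ignored.
ima_appraise_failures() {
    awk '
    /audit: type=1800/ {
        cause = ""; name = ""; comm = ""; res = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            gsub(/"/, "", val)
            if (key == "cause") cause = val
            else if (key == "name") name = val
            else if (key == "comm") comm = val
            else if (key == "res") res = val
        }
        if (res == "0") print cause "\t" comm "\t" name
    }'
}

# Number of failed appraisals in the text on stdin.
ima_appraise_failure_count() {
    ima_appraise_failures | wc -l | tr -d ' '
}

# Sample input (see the lead-in): line 1 is from the thread, lines 2 and 3 are
# constructed. The inode and pid values on line 2 are placeholders.
SAMPLE_LOG='Apr  6 10:12:52 ltc-wspoon13 kernel: [  233.996642] audit: type=1800 audit(1586185972.332:16): pid=3385 uid=0 auid=1000 ses=1 op=appraise_data cause=invalid-signature comm="kexec" name="/boot/vmlinux-5.4.27signpatch.signed" dev="sdb6" ino=2017357 res=0
Apr  6 10:13:01 ltc-wspoon13 kernel: [  243.100000] audit: type=1800 audit(1586185981.100:17): pid=3401 uid=0 auid=1000 ses=1 op=appraise_data cause=IMA-signature-required comm="modprobe" name="/lib/modules/example/unsigned.ko" dev="sdb6" ino=999999 res=0
Apr  6 10:14:00 ltc-wspoon13 kernel: [ 1150.964096] ima: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.'

printf '%s\n' "$SAMPLE_LOG" | ima_appraise_failures
# On a live host: dmesg | ima_appraise_failures   (or journalctl -k)
```

The parser keys on the `key=value` tokens rather than on field positions, so it copes with the `kauditd_printk_skb` prefix lines and with syslog versus raw dmesg framing; `res=1` records (successful appraisals) are dropped so only denials reach the output.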
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From naynj...@ibm.com 2020-04-02 21:53 EDT---
The kernel seems to have the secure boot functions after enabling those CONFIGs. Now, I was trying to boot to this kernel when secure boot is enabled.

I have taken the key from here - ppa.launchpad.net/sforshee/lp1866909/ubuntu/dists/focal/main/signed/linux-ppc64el/current/signed.tar.gz
I have taken opal.x509 in the control directory as the key.

Secure boot is enabled ("os-secure-enforcing") and .platform has loaded the key.

# cd /proc/device-tree/ibm,secureboot/
# ls
compatible  ibm,cvc  phandle  hw-key-hash  name  secure-enabled  hw-key-hash-size  os-secureboot-enforcing  trusted-enabled
# keyctl show %keyring:.platform
Keyring
 337432176 ---lswrv      0     0  keyring: .platform
 471022331 ---lswrv      0     0   \_ asymmetric: DB: e6b84e62dbbd988abbfda008355aa6a08001c58c

However, it seems the verification is failing, as shown below:

# kexec -s /var/petitboot/mnt/dev/sdb6/boot/vmlinux-5.4.0-21-generic
file_load failed: Permission denied

I have two questions:
* I hope the key is right.
* I hope the signature is not stored as a detached file, because that is how I saw it in ppa.launchpad.net/sforshee/lp1866909/ubuntu/dists/focal/main/signed/linux-ppc64el/current/signed.tar.gz. Please confirm.

I will continue to look at it more.
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From mranw...@us.ibm.com 2020-04-02 17:37 EDT---
Thank you! I saw it finished and grabbed it; I saw it had the latest from lp 1855668.
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From mranw...@us.ibm.com 2020-04-02 10:34 EDT---
Thank you, I grabbed that. Is there any chance of a PPA respin with those options? We did test on our rebuild, but we can't completely test without those options on plus the signing.
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From mranw...@us.ibm.com 2020-04-01 18:31 EDT---
Thank you for spinning that so quickly. We neglected to request that these config options get turned on:

CONFIG_PPC_SECURE_BOOT=y
CONFIG_PPC_SECVAR_SYSFS=y
CONFIG_LOAD_PPC_KEYS=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_ARCH_POLICY=y

We did enable those and rebuilt the kernel, and that seems to allow the basics to work (i.e., policies are there). We'll do some more testing on it.

The signing key - our systems don't have the same chain of trust and the key needs to be added to the firmware. Can you direct us to that, please?
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From naynj...@ibm.com 2020-03-30 11:56 EDT---
I am sorry for the repetition on this question.

Thanks & Regards,
- Nayna
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From naynj...@ibm.com 2020-03-27 11:57 EDT---
Ok. Thanks for sharing the info. These ones should be very straightforward to backport.

Thanks & Regards,
- Nayna
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From naynj...@ibm.com 2020-03-27 10:00 EDT---
Below is the list of commits for the specified TBDs (sysfs enablement / platform keyring changes for powerpc). These were upstreamed in kernel v5.5.

Platform keyring changes for powerpc:
8220e22 - powerpc: Load firmware trusted keys/hashes into kernel keyring
ad72367 - x86/efi: move common keyring handler functions to new file
bd5d9c7 - powerpc: expose secure variables to userspace via sysfs
9155e23 - powerpc/powernv: Add OPAL API interface to access secure variable
39a963b - sysfs: Fixes __BIN_ATTR_WO() macro

sysfs enablement:
d72ea49 - powerpc/ima: Indicate kernel modules appended signatures are enforced
dc87f18 - powerpc/ima: Update ima arch policy to check for blacklist
273df86 - ima: Check against blacklisted hashes for files with modsig
2434f7d - certs: Add wrapper function to check blacklisted binary hash
e14555e - ima: Make process_buffer_measurement() generic
1917855 - powerpc/ima: Define trusted boot policy
2702809 - powerpc: Detect the trusted boot state of the system
4238fad - powerpc/ima: Add support to initialize ima policy rules
1a8916e - powerpc: Detect the secure boot mode of the system
82af5b6 - sysfs: Fixes __BIN_ATTR_WO() macro

May I ask the kernel version that Ubuntu will be using for 20.04?

Thanks & Regards,
- Nayna
[Kernel-packages] [Bug 1866909] Comment bridged from LTC Bugzilla
--- Comment From mranw...@us.ibm.com 2020-03-23 19:45 EDT---
Hi Frank,

That's what I see, too, and all of those are in focal already, along with the other three whose titles matched. The config options in 500c7ab1a9db are already on in focal, too.

The ones we're not sure of are these two TBD ones:

sysfs enablement: TBD
platform keyring changes for powerpc: TBD

I think Nayna can confirm and add the TBD ids.