Re: [PATCH 0/4] Enabling secure boot on PowerNV systems

Hi Matthew, Thanks for the feedback and sorry for the delay in responding. On 4/10/19 2:36 PM, Matthew Garrett wrote: > (Cc:ing Peter Jones) > > On Tue, Apr 9, 2019 at 3:55 PM Claudio Carvalho > wrote: >> >> On 4/5/19 7:19 PM, Matthew Garrett wrote: >>&

Re: [PATCH 0/4] Enabling secure boot on PowerNV systems

On 4/5/19 7:19 PM, Matthew Garrett wrote: > On Fri, Apr 5, 2019 at 2:11 PM Claudio Carvalho > wrote: >> >> On 4/3/19 7:27 PM, Matthew Garrett wrote: >>> Not supporting dbx seems like a pretty significant shortcoming. How >>> are signatures meant to be

Re: [PATCH 0/4] Enabling secure boot on PowerNV systems

On 4/3/19 7:27 PM, Matthew Garrett wrote: > On Tue, Apr 2, 2019 at 4:31 PM Claudio Carvalho > wrote: >> >> On 4/2/19 6:51 PM, Matthew Garrett wrote: >>> So you implement the full PK/KEK/db/dbx/dbt infrastructure, and >>> updates are signed in the sam

Re: [PATCH 0/4] Enabling secure boot on PowerNV systems

On 4/3/19 10:21 AM, Michael Ellerman wrote: > Hi Claudio, > > Thanks for posting this. > > Claudio Carvalho writes: >> This patch set is part of a series that implements secure boot on >> PowerNV systems. >> >> In order to verify the OS kernel

Re: [PATCH 0/4] Enabling secure boot on PowerNV systems

On 4/2/19 6:51 PM, Matthew Garrett wrote: > On Tue, Apr 2, 2019 at 2:11 PM Claudio Carvalho > wrote: >> We want to use the efivarfs for compatibility with existing userspace >> tools. We will track and match any EFI changes that affect us. > So you implement the f

Re: [PATCH 0/4] Enabling secure boot on PowerNV systems

On 4/2/19 4:36 PM, Matthew Garrett wrote: > On Tue, Apr 2, 2019 at 11:15 AM Claudio Carvalho > wrote: >> 1. Enable efivarfs by selecting CONFIG_EFI in the CONFIG_OPAL_SECVAR >>introduced in this patch set. With CONFIG_EFIVAR_FS, userspace tools can >>be u

[PATCH 4/4] powerpc: Add support to initialize ima policy rules

From: Nayna Jain PowerNV secure boot relies on the kernel IMA security subsystem to perform the OS kernel image signature verification. Since each secure boot mode has different IMA policy requirements, dynamic definition of the policy rules based on the runtime secure boot mode of the system is

[PATCH 3/4] powerpc/powernv: Detect the secure boot mode of the system

From: Nayna Jain PowerNV secure boot defines different IMA policies based on the secure boot state of the system. This patch defines a function to detect the secure boot state of the system. Signed-off-by: Nayna Jain --- arch/powerpc/include/asm/secboot.h | 21 +

[PATCH 2/4] powerpc/powernv: Add support for OPAL secure variables

CONFIG_OPAL_SECVAR for enabling the OPAL secure variables support in the kernel. Since CONFIG_OPAL_SECVAR selects CONFIG_EFI, it also allow us to manage the OPAL secure variables from userspace via efivarfs. Signed-off-by: Claudio Carvalho --- This patch depends on new OPAL calls that are being added

[PATCH 1/4] powerpc/include: Override unneeded early ioremap functions

. Signed-off-by: Claudio Carvalho --- arch/powerpc/include/asm/early_ioremap.h | 41 1 file changed, 41 insertions(+) create mode 100644 arch/powerpc/include/asm/early_ioremap.h diff --git a/arch/powerpc/include/asm/early_ioremap.h b/arch/powerpc/include/asm/early_ioremap.h

[PATCH 0/4] Enabling secure boot on PowerNV systems

appreciated. 3. Define IMA arch-specific policies based on the secure boot state and mode of the system. On secure boot enabled powernv systems, the host OS kernel signature will be verified by IMA appraisal. Claudio Carvalho (2): powerpc/include: Override unneeded early ioremap functions