** Tags added: kk-release
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1903288
Title:
Power guest secure boot with static keys: kernel portion
To manage notifications about this bug go to:
https:/
** Tags removed: targetmilestone-inin2104
** Tags added: targetmilestone-inin2210
--
Meanwhile v8 became available:
* Includes Jarkko's feedback on patch description and removed Reported-by for
Patch 1
The extracted v8 patch-set is attached.
Builds are currently running and will soon be available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1903288-v8/
** Attachment added:
Over the year break a v7 was made available and was discussed on the mailing
list:
https://lore.kernel.org/linux-integrity/20220105175410.55-1-na...@linux.ibm.com/
Since this mainly seems to have structural changes (patch split etc.) and
comment changes compared to the previous versions and si
I've just 'extracted' the v5 patch set from the upstream mailing-list and
attach it here.
(builds are ongoing ...)
** Attachment added: "v5 patch set"
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1903288/+attachment/5544611/+files/v5-integrity-support-including-firmware-platform-keys
I just kicked off another build for a new patched kernel that allows one to try and
test the v4 patch-set in an Ubuntu kernel 5.15.0-9.9 context:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1903288-v4/
(will take a while until it's completed ...)
--
I've just 'extracted' the v4 patch set from the upstream mailing-list and
attach it here.
(builds are ongoing ...)
** Attachment added: "v4 patch-set"
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1903288/+attachment/5541228/+files/v4-integrity-support-including-firmware-platform-keys-
I've just noticed Nayna's v4 (from Nov 11th):
https://lore.kernel.org/linux-integrity/2021002057.123741-1-na...@linux.ibm.com/
"
v4:
* Split into two patches as per Mimi Zohar and Dimitri John Ledkov
recommendation.
"
--
Added my own review: https://lore.kernel.org/linux-integrity/8d7e1609-f77e-834e-cf40-05e19bbc3...@canonical.com/
A few optional comments, and one required change needed to add one more
ifdef.
--
Hi @Nayna, even if it looks like your patch (v3) is still under discussion on
the mailing list
(https://lore.kernel.org/linux-integrity/beedd453a1ec674d3986f7c3851f30df516d2fbb.ca...@linux.ibm.com/),
we've built a test kernel that allows you to try and test what you already have
(v3) in an Ubuntu kern
** Tags added: patch
--
I just 'extracted' the patch from the upstream v3 discussion thread and attached
it here.
(Even though there seems to be a request to split it into two patches, that
would probably have no functional impact.)
** Patch added: "patch v3"
https://bugs.launchpad.net/ubuntu-power-systems/+bug/19032
Hi Nayna,
I agree that Reviewed-by or Tested-by are in general helpful, but these
tags follow strict rules in Linux kernel (see: "Reviewer's statement of
oversight" in kernel documentation). I cannot provide such tags without
performing review or testing. Unfortunately I cannot do the review
becau
We are looking at the patches and following the upstream discussions.
Once the upstream discussions have settled out, we can build a test
kernel.
--
Adjusting priority to high while waiting for patches to test.
** Changed in: ubuntu-power-systems
Importance: Critical => High
--
We should not add opal keys to the .builtin_trusted_keys keyring as that's
not the purpose of these keys. We could add them directly to the .platform or
.ima keyrings, but it would be best to load them directly from firmware.
Are the above attached keys & ESL available from the "powerpc:db"?
--
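The attached opal.esl and the firmware "db" variable discussed above both use the UEFI EFI_SIGNATURE_LIST layout, so a practitioner following this thread will want to check which certificates an ESL actually carries and whether they match the attached opal-2017/opal-2019 PEM files. The parser below is an added example, not code from this bug report, from the Ubuntu kernel or from IBM's patches; it assumes only the UEFI-specified layout (little-endian sizes, mixed-endian GUIDs) and runs on a constructed placeholder blob rather than the real opal.esl. The DER body in the sample is a stand-in, not a valid certificate.

```python
"""Parse EFI_SIGNATURE_LIST blobs (the format of opal.esl and of a secvar 'db')
and compare their X.509 entries with PEM certificates by SHA-256 fingerprint.

Added example for this bug thread; not code from the kernel or the report.
Layout per UEFI spec "EFI_SIGNATURE_LIST": sizes are little-endian u32,
GUIDs are in the mixed-endian UEFI encoding (uuid.UUID bytes_le).
"""
import base64
import hashlib
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
ESL_HEADER_LEN = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)


def parse_esl(blob):
    """Return [(sig_type, owner, data), ...] for every EFI_SIGNATURE_DATA in blob.

    blob may hold several lists back to back, as a firmware db does.
    Malformed sizes raise ValueError rather than reading past the buffer.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < ESL_HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size <= 16:
            raise ValueError("SignatureSize %d leaves no room for data" % sig_size)
        body = blob[off + ESL_HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array at offset %d is not a multiple of %d" % (off, sig_size))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=bytes(body[i:i + 16]))  # SignatureOwner
            entries.append((sig_type, owner, bytes(body[i + 16:i + sig_size])))
        off += list_size
    return entries


def x509_entries(blob):
    """DER certificates carried in blob; each must begin with an ASN.1 SEQUENCE tag."""
    certs = []
    for sig_type, _owner, data in parse_esl(blob):
        if sig_type == EFI_CERT_X509_GUID:
            if not data or data[0] != 0x30:
                raise ValueError("X509 entry does not start with a DER SEQUENCE")
            certs.append(data)
    return certs


def pem_to_der(pem_text):
    """Strip the PEM armour of a single certificate and return its DER bytes."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))


def fingerprint(der):
    """SHA-256 of the DER, the value `openssl x509 -noout -fingerprint -sha256` prints."""
    return hashlib.sha256(der).hexdigest()


def esl_contains_cert(blob, pem_text):
    """True if some X509 entry in blob is byte-identical to the PEM certificate."""
    want = fingerprint(pem_to_der(pem_text))
    return any(fingerprint(c) == want for c in x509_entries(blob))


def build_esl(sig_type, owner, items):
    """Encode one EFI_SIGNATURE_LIST with an empty SignatureHeader; items share one size."""
    if any(len(d) != len(items[0]) for d in items):
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + len(items[0])
    out = bytearray(sig_type.bytes_le)
    out += struct.pack("<III", ESL_HEADER_LEN + sig_size * len(items), 0, sig_size)
    for d in items:
        out += owner.bytes_le + d
    return bytes(out)


# Constructed sample input, not the real opal.esl: SAMPLE_DER is a placeholder
# SEQUENCE, not a real certificate; the second list holds two SHA-256 hash entries.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
SAMPLE_DER = b"\x30\x10" + b"\xa5" * 16
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n")
SAMPLE_ESL = (build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_DER])
              + build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32, b"\x22" * 32]))

if __name__ == "__main__":
    for sig_type, owner, data in parse_esl(SAMPLE_ESL):
        print(sig_type, owner, len(data), "bytes")
    print("sample cert present:", esl_contains_cert(SAMPLE_ESL, SAMPLE_PEM))
```

To use it on the real artefacts, pass the bytes of opal.esl (or, on a pseries guest whose kernel exposes secvar through sysfs, of /sys/firmware/secvar/vars/db/data) to `x509_entries` and the text of opal-2017-ppc64el.pem or opal-2019-ppc64el.pem to `esl_contains_cert`; the fingerprints can then be cross-checked against what the running kernel loaded with `keyctl list %:.platform` or by grepping /proc/keys for the keyring names discussed in this thread.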
** Attachment added: "opal.esl"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1903288/+attachment/5498450/+files/opal.esl
--
** Attachment added: "opal-2019-ppc64el.pem"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1903288/+attachment/5498449/+files/opal-2019-ppc64el.pem
--
** Attachment added: "opal-2017-ppc64el.pem"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1903288/+attachment/5498448/+files/opal-2017-ppc64el.pem
--
@Nayna Jain @Daniel
Hm, but we have CONFIG_LOAD_PPC_KEYS=y already, which I would expect
to be the only thing that loads keys into the .platform keyring; it was
enabled as part of
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1866909 LTC-184073.
Which keys are present in firmware / get loa
BTW, is https://patchwork.kernel.org/project/linux-integrity/patch/20210330131636.21711-4-na...@linux.ibm.com/ of any help
to us?
Ideally we'd want to do that, but load the 2017 & 2019 keys there into
the .ima keyring instead of the kernel module signing ones.
--
Sorry, I wasn't seeing emails for this bug despite being subscribed. Not
sure what's going on with that.
If the key is self-signed, shouldn't having the key in
.builtin_trusted_keys allow for loading it into the IMA keyring? Or is
that insufficient for some reason?
--
Kind of wish for a config option that would do add_to_platform_keyring for a
built-in set of keys, until we have something like the other platforms
have (ipl on s390x, uefi db on EFI platforms).
Similar to how the built-in trusted keys are initialized.
--
This is all very annoying! But I see what you mean now.
We probably should not add opal keys to the trusted_keyring then.
I would rather avoid introducing a new CA key whilst we cannot travel to
assemble and distribute CA shards offline.
I'd rather somehow enable platform_keyring or IMA keyring,
@Daniel
"In either case, however, the CA that signs the kernel signing key needs to be
built in to the kernel's .builtin_trusted_keys keyring."
On Ubuntu, for OPAL signing, on PowerPC, we do not use a CA at all. It is
our understanding that firmware doesn't support verifying signature
chains to a C
I should have mentioned, the kernel in comment #11 is not signed with
the archive signing key since it's in a personal ppa, but the cert which
is built into the kernel is for the archive key.
--
Here's a test build with public cert for the opal signing key built into
.builtin_trusted_keys:
https://launchpad.net/~sforshee/+archive/ubuntu/lp1903288
I'm still working out exactly how we want to distribute the key in the
filesystem, but if you can try that out and let me know whether that
wor
Sorry for the delayed response here, it's taken me a while to get some
of the needed information.
In general this should be fine. One thing to note is that the key is
self-signed, so we will need to add the signing key itself into
.builtin_trusted_keys. This should still allow loading the key into
I think I've got a good idea of what you're after here. Let me look into
this, and I'll try to get back to you soon.
--
I had a look at our 'Ubuntu unstable' 5.10 tree:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/unstable
(that will once become the hirsute/21.04 kernel)
And found that the commit 61f879d97ce4 "powerpc/pseries: Detect secure and
trusted boot state of the system" is already in (
** Changed in: ubuntu-power-systems
Status: Incomplete => Triaged
** Changed in: linux (Ubuntu)
Status: Incomplete => Triaged
** Changed in: linux (Ubuntu)
Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) =>
Canonical Kernel Team (canonical-kernel-team)
To confirm, this bug only requires that commit 61f879d97ce4
("powerpc/pseries: Detect secure and trusted boot state of the system.")
lands in hirsute. Is that correct, or are other patches also required?
** Changed in: ubuntu-power-systems
Status: Confirmed => Incomplete
** Changed in: lin
Just cross-referencing, this is the grub part: LP 1903289
--
Yes, kernel config changes will be needed for this.
** Changed in: ubuntu-power-systems
Status: Incomplete => Confirmed
--
** Changed in: ubuntu-power-systems
Status: New => Incomplete
--
Hi Daniel, btw. in which upstream kernel did the kernel patches for this land
(or will they land)?
Just to be sure - 5.10 or 5.11, or already in with an earlier version?
** Package changed: kernel-package (Ubuntu) => linux (Ubuntu)
** Also affects: ubuntu-power-systems
Importance: Undecided