Public bug reported:
Feature Description:
Sign POWER host and NV kernels with sign-file in anticipation of POWER
secure boot. Provide the associated certificate. Ideally it would be
possible to reuse the UEFI shim private key and certificate used to sign
and verify x86_64 kernels. More details to follow. Guest kernels will
be addressed in a future separate feature request.
Business Case:
As a system administrator I want to verify the integrity of my kernels
so that I can prevent malicious kernels from being executed.
Use Case:
Signed POWER kernels will be validated by OPAL as OpenPOWER systems boot
when keys are properly installed and the system is booted in secure
mode.
Test Case:
Sign and install a POWER kernel on an OpenPOWER machine with a firmware
level that supports secure boot. Install a PK, distro KEK certificate,
and distro DB certificate. Boot the system and verify that it will boot
the kernel. Negative tests: Separately remove the signature, install
an unsigned kernel, and modify the kernel image and test that the kernel
will not boot.
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
Status: New
** Tags: architecture-ppc64le bugnameltc-155050 kernel-da-key severity-high
targetmilestone-inin1710
** Tags added: architecture-ppc64le bugnameltc-155050 severity-high
targetmilestone-inin1710
** Changed in: ubuntu
Assignee: (unassigned) => Ubuntu on IBM Power Systems Bug Triage
(ubuntu-power-triage)
** Package changed: ubuntu => linux (Ubuntu)
https://bugs.launchpad.net/bugs/1696154
Title:
[17.10 FEAT] Sign POWER host/NV kernels