Hi Claudio,

> ------- Comment From cclau...@br.ibm.com 2017-09-27 16:47 EDT-------
> (In reply to comment #30)
> > Attached is the ESL db update for Canonical's POWER SecureBoot signing key.
> > It is signed with Canonical's KEK key, which will be provided to IBM out of
> > band to ensure integrity of the delivery channel.

> Thanks Andy and Vorlon for the attached files. The kernel appended
> signature verified successfully.

> We didn't test the Canonical-POWER-SB-20170926.esl.signed file yet.

> Questions:

> 1) The certificate provided contains a 4096-bit key and it was signed
> using sha512WithRSAEncryption. We had no problem using it to verify the
> kernel appended signature - the kernel crypto API supports 4096-bit RSA
> keys. However, we don't have much space in our keystore and that's why
> we prefer to use 2048-bit RSA keys, same as UEFI SecureBoot. Could the
> Canonical-POWER-SB-20170926.esl.signed file be regenerated to contain a
> certificate that contains a 2048-bit RSA key instead? The certificate
> would be signed using sha256WithRSAEncryption.

The opal.x509 attachment is a test key only; it is not the same as
Canonical-POWER-SB-20170926.esl.signed, which is our production 2048-bit
key.

> 2) We will need to put in the KEK a certificate that can be used to verify
> the signed ESL db updates provided by Canonical.  How has Canonical
> provided that for UEFI SecureBoot?  certificate, ESL (not signed, since PK
> is not provided by Canonical)?  Currently, we are working on the code that
> will validate/process the authenticated variable updates.  We will
> probably start testing it by the end of this year.

The current plan is to deliver this KEK as a certificate via a secure
in-person channel to George Wilson.  I assume once delivered, if you need
this in ESL form for loading that IBM can perform this transformation (since
the only way to turn it into a signed ESL would be via the PK, which we
don't have).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1696154

Title:
  [17.10 FEAT] Sign POWER host/NV kernels
