Public bug reported:

== Comment: #2 - Daniel John Axtens <daniel.axte...@ibm.com> - 2020-11-05 20:15:10 ==
This is the kernel side of changes needed for LPAR/guest secure boot.

Because Ubuntu keeps its kernels so wonderfully up to date, I don't
think there are any extra patches you need to pick up. (I'll double-
check against the 21.04 tree once my git pulls finish!)

However, we potentially need some configuration changes to make sure
kexec-ing into a crashdump kernel still works.

Because Lockdown requires that kexec kernels are signed by a key trusted
by IMA, the public key used for signing the kdump kernel needs to be
in the IMA keyring or the platform keyring. For host secure boot (and in
the UEFI case), it's loaded into the platform keyring. But in the case
of guest secure boot with static keys, it's not loaded into the platform
keyring, so it needs to be loaded into the IMA keyring.

This is easy enough to do. Firstly, load the Secure Boot CA into the
.primary_trusted_keys keyring via the CONFIG_SYSTEM_TRUSTED_KEYS
property. We assume the key used to sign the kernel is signed by this
CA.

Then, enable IMA_LOAD_X509, which allows certificates signed by a key on the 
.primary_trusted_keys keyring to be loaded into the IMA keyring. Then set 
IMA_X509_PATH to provide a path to the signing key on installed file system. 
(It may also be possible to do this step in userspace, so long as the CA is 
trusted by the kernel.)
 
Then that key will be loaded into the .ima keyring at boot and be used to 
appraise the kexec kernel for crashdumps.
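Added example, not part of the bug report or of any Ubuntu packaging: a POSIX shell check that audits a kernel config file for the three settings the comment above describes, so a kdump kernel signed under the Secure Boot CA can be appraised. The sample config files, the CA file name and the certificate path are constructed for illustration.

```shell
#!/bin/sh
# Audit a kernel config for the chain the comment describes:
#   CONFIG_SYSTEM_TRUSTED_KEYS  -> Secure Boot CA in .primary_trusted_keys
#   CONFIG_IMA_LOAD_X509=y      -> certs signed by that CA may enter .ima
#   CONFIG_IMA_X509_PATH        -> the kernel-signing cert loaded at boot
# Returns 0 when all three are present, otherwise lists the gaps on
# stderr and returns 1.
check_kdump_ima_config() {
    _cfg="$1"        # path to a kernel .config (or /boot/config-<ver>)
    _missing=""
    # 1. CA compiled in: option must name a non-empty certificate file
    if ! grep -Eq '^CONFIG_SYSTEM_TRUSTED_KEYS="[^"]+"' "$_cfg"; then
        _missing="$_missing CONFIG_SYSTEM_TRUSTED_KEYS"
    fi
    # 2. Kernel allowed to load CA-signed certs into the .ima keyring
    if ! grep -q '^CONFIG_IMA_LOAD_X509=y$' "$_cfg"; then
        _missing="$_missing CONFIG_IMA_LOAD_X509"
    fi
    # 3. Where the signing cert lives on the installed file system
    if ! grep -Eq '^CONFIG_IMA_X509_PATH="[^"]+"' "$_cfg"; then
        _missing="$_missing CONFIG_IMA_X509_PATH"
    fi
    if [ -n "$_missing" ]; then
        echo "missing:$_missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: CA present but IMA_LOAD_X509 left off, so the kdump
# kernel's key never reaches .ima and appraisal of the kexec image fails.
BAD_CFG=$(mktemp)
cat >"$BAD_CFG" <<'EOF'
CONFIG_SYSTEM_TRUSTED_KEYS="certs/secure-boot-ca.pem"
# CONFIG_IMA_LOAD_X509 is not set
EOF

# Constructed sample: the corrected configuration from the comment.
GOOD_CFG=$(mktemp)
cat >"$GOOD_CFG" <<'EOF'
CONFIG_SYSTEM_TRUSTED_KEYS="certs/secure-boot-ca.pem"
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
EOF

# Stand-alone run: report on the corrected sample. After booting such a
# kernel, the loaded cert should be visible with: keyctl show %:.ima
check_kdump_ima_config "$GOOD_CFG" && echo "kdump IMA chain: ok"
```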

** Affects: ubuntu-power-systems
     Importance: Critical
     Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
         Status: New

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
         Status: New


** Tags: architecture-ppc64le bugnameltc-189099 severity-critical targetmilestone-inin2104

** Tags added: architecture-ppc64le bugnameltc-189099 severity-critical targetmilestone-inin2104

** Changed in: ubuntu
     Assignee: (unassigned) => Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)

** Package changed: ubuntu => kernel-package (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1903288

Title:
  Power guest secure boot with static keys: kernel portion

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1903288/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs