------- Comment From [email protected] 2020-11-19 20:25 EDT-------
Hi,

I think that's the only feature patch required. There's not a lot
because at this stage it's all based on static keys. So unlike the
OpenPower secure boot, there's no code to interact with keys stored in
firmware.

There is one config change that we also need: because there are no keys
advertised by firmware or early boot, and because lockdown requires that
kexec kernels be signed, we need to get the kernel signing key into the
.ima keyring somehow. One way to do this is at boot with IMA_X509_PATH,
but it can also be done at runtime. In either case, however, the CA that
signs the kernel signing key needs to be built into the kernel's
.builtin_trusted_keys keyring. I haven't attempted this because I don't
know much about how the signing process works in your build
infrastructure, but I'm happy to help.

Of course, I expect there will also be bug fixes later!

Kind regards,
Daniel
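
As an added example (my own code, not from the bug report, the Ubuntu kernel tree or the patch Daniel refers to), here is a small checker that parses a kernel .config and reports whether the chain described in the comment is in place: a certificate loaded into the .ima keyring at boot via CONFIG_IMA_LOAD_X509/CONFIG_IMA_X509_PATH, and a CA compiled into .builtin_trusted_keys via CONFIG_SYSTEM_TRUSTED_KEYS to vouch for it. CONFIG_INTEGRITY_TRUSTED_KEYRING, CONFIG_IMA_APPRAISE and CONFIG_INTEGRITY_ASYMMETRIC_KEYS are not named in the comment; I include them on the assumption that they are what makes the .ima keyring restriction and signature appraisal effective. The two .config fragments are constructed for the example.

```python
"""Check a kernel .config for the IMA / .builtin_trusted_keys chain.

Added example; not part of the bug report. The option names below are
upstream Kconfig symbols; the sample configs are constructed.
"""
import re
from typing import Dict, List, Tuple

NOT_SET = re.compile(r"^# (CONFIG_\w+) is not set$")
ASSIGN = re.compile(r"^(CONFIG_\w+)=(.*)$")


def parse_kconfig(text: str) -> Dict[str, str]:
    """Map option -> value: 'n' for '# ... is not set', quoted strings
    unquoted, bool/tristate values kept as 'y'/'m'."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NOT_SET.match(line)
        if m:
            opts[m.group(1)] = "n"
            continue
        m = ASSIGN.match(line)
        if m:
            key, val = m.groups()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            opts[key] = val
    return opts


def check_ima_trust_chain(opts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings. 'error' means the .ima
    certificate cannot be trusted or cannot be loaded at boot; 'info'
    means a runtime step is still required."""
    findings: List[Tuple[str, str]] = []

    # The CA that signed the kernel signing key must be compiled into
    # .builtin_trusted_keys; that is what lets the .ima keyring accept it.
    if opts.get("CONFIG_SYSTEM_TRUSTED_KEYRING") != "y":
        findings.append(("error", "CONFIG_SYSTEM_TRUSTED_KEYRING is off: "
                         "no .builtin_trusted_keys keyring"))
    elif not opts.get("CONFIG_SYSTEM_TRUSTED_KEYS"):
        findings.append(("error", "CONFIG_SYSTEM_TRUSTED_KEYS is empty: "
                         "no built-in CA can vouch for the .ima certificate"))

    # Assumption: this option restricts .ima to keys chaining to builtin
    # trusted keys; without it the keyring is not enforced as trusted.
    if opts.get("CONFIG_INTEGRITY_TRUSTED_KEYRING") != "y":
        findings.append(("error", "CONFIG_INTEGRITY_TRUSTED_KEYRING is off: "
                         ".ima keyring is not restricted to trusted keys"))

    # Boot-time path: IMA loads CONFIG_IMA_X509_PATH into .ima itself.
    if opts.get("CONFIG_IMA_LOAD_X509") == "y":
        if not opts.get("CONFIG_IMA_X509_PATH"):
            findings.append(("error", "CONFIG_IMA_LOAD_X509=y but "
                             "CONFIG_IMA_X509_PATH is empty"))
    else:
        findings.append(("info", "CONFIG_IMA_LOAD_X509 is off: load the "
                         "signing certificate into .ima at runtime instead"))

    # Assumption: appraisal with asymmetric keys is what verifies signatures.
    for opt in ("CONFIG_IMA_APPRAISE", "CONFIG_INTEGRITY_ASYMMETRIC_KEYS"):
        if opts.get(opt) != "y":
            findings.append(("error", f"{opt} is off: IMA cannot verify "
                             "file signatures"))
    return findings


def errors(findings: List[Tuple[str, str]]) -> List[str]:
    """Just the messages with severity 'error'."""
    return [msg for sev, msg in findings if sev == "error"]


# Constructed sample fragments (paths are placeholders, not distro values).
GOOD_CONFIG = """\
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="certs/example-kernel-ca.pem"
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
"""

BAD_CONFIG = """\
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
# CONFIG_INTEGRITY_TRUSTED_KEYRING is not set
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_LOAD_X509 is not set
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name)
        for sev, msg in check_ima_trust_chain(parse_kconfig(cfg)):
            print(f"  [{sev}] {msg}")
```

Run it against a real `.config` with `check_ima_trust_chain(parse_kconfig(open(".config").read()))`. Where the checker reports the runtime path (CONFIG_IMA_LOAD_X509 off), the certificate still has to chain to .builtin_trusted_keys when it is added to .ima later, for example with `keyctl padd asymmetric "" %keyring:.ima < x509_ima.der`; a certificate without a built-in issuer is rejected at that point.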

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1903288

Title:
  Power guest secure boot with static keys: kernel portion

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1903288/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
