------- Comment From naynj...@ibm.com 2021-05-19 16:51 EDT------- (In reply to comment #28) > @Nayna Jain @Daniel > > Hm.... but we have CONFIG_LOAD_PPC_KEYS=y already which I would expect to be > the only thing that loads keys into .platform keyring which was enabled as > part of https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1866909 > LTC-184073 . Which keys are present in firmware / get loaded into .platform > because of that? I would have expected canonical keys to be loaded by that > into the .platform keyring, or is that not the case?
Hi, Yes you are right that CONFIG_LOAD_PPC_KEYS enables loading of keys into .platform keyring from firmware at runtime. However, as Daniel has mentioned in his comment dated 2020-12-17 , that the .platform keyring is currently not loaded in pseries firmware as it is static keys based solution and at the moment doesn't have any mechanism to expose trusted keys (this will change with the full key management solution). > > Can you please share contents of "powerpc:db"? Ideally it should contain > Canonical's two OPAL signing certs. > > If canonical keys are not in "powerpc:db", does it make sense to then add > the two Canonical keys to the .builtin_trusted_keys_keyring, and then link > the whole keyring into .ima keyring? > > I will attach the two Canonical OPAL signing keys here, and the ESL for them. The final conclusion was to add a config option for PLATFORM KEYRING similar to SYSTEM_TRUSTED_KEYS mechanism. It would allow loading additional keys compiled into the kernel to be loaded only to .platform keyring. This would be in addition to the existing support for loading firmware keys at runtime on the platfom keyring. It aligns with xnox comment dated "2012-03-18". At some point we will probably close the loop hole that allows self signed certificates loaded onto the builtin keyring to be loaded onto the IMA keyring. It's better to define a mechanism for loading additional certs on the platform keyring that would work today and will continue to work in the future. I am supposed to start looking at the patches. I would be starting to look at them in June timeframe. Thanks & Regards, - Nayna -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1903288 Title: Power guest secure boot with static keys: kernel portion Status in The Ubuntu-power-systems project: Triaged Status in linux package in Ubuntu: Incomplete Bug description: == Comment: #2 - Daniel John Axtens <daniel.axte...@ibm.com> - 2020-11-05 20:15:10 == This is the kernel side of changes needed for LPAR/guest secure boot. Because Ubuntu keeps its kernels so wonderfully up to date, I don't think there are any extra patches you need to pick up. (I'll double- check against the 21.04 tree once my git pulls finish!) However, we potentially need some configuration changes to make sure kexec-ing into a crashdump kernel still works. Because Lockdown requires that kexec kernels are signed by a key trusted by IMA, the public key for used for signing the kdump kernel needs to be in the IMA keyring or the platform keyring. For host secure boot (and in the UEFI case), it's loaded into the platform keyring. But in the case of guest secure boot with static keys, it's not loaded into the platform keyring so it needs to be loaded into the IMA keyring. This is easy enough to do. Firstly, load the Secure Boot CA into the .primary_trusted_keys keyring via the CONFIG_SYSTEM_TRUSTED_KEYS property. We assume the key used to sign the kernel is signed by this CA. Then, enable IMA_LOAD_X509, which allows certificates signed by a key on the .primary_trusted_keys keyring to be loaded into the IMA keyring. Then set IMA_X509_PATH to provide a path to the signing key on installed file system. (It may also be possible to do this step in userspace, so long as the CA is trusted by the kernel.) Then that key will be loaded into the .ima keyring at boot and be used to appraise the kexec kernel for crashdumps. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-power-systems/+bug/1903288/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
