[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
** Tags added: kk-release -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1903288 Title: Power guest secure boot with static keys: kernel portion To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-power-systems/+bug/1903288/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
** Tags removed: targetmilestone-inin2104 ** Tags added: targetmilestone-inin2210
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
Meanwhile v8 became available:
* Includes Jarkko's feedback on patch description and removed Reported-by for Patch 1

The extracted v8 patch-set is attached. Builds are currently running and are soon available here: https://launchpad.net/~fheimes/+archive/ubuntu/lp1903288-v8/

** Attachment added: "v8 patch-set" https://bugs.launchpad.net/ubuntu-power-systems/+bug/1903288/+attachment/168/+files/v8-integrity-support-including-firmware-platform-keys-at-build-time.tar.xz
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
Over the year break a v7 was made available and was discussed at the mailing list: https://lore.kernel.org/linux-integrity/20220105175410.55-1-na...@linux.ibm.com/

Since this mainly seems to have structural changes (patch split etc.) and comment changes compared to the previous versions and since there is a request to expand/rework the description a bit more, I'll wait for a version > v7 to test build again in the PPA. I hope that we are close to a version that will be recommended for upstream acceptance, so that we can take it from there and consider integration into the Ubuntu kernel.
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
I've just 'extracted' the v5 patch set from the upstream mailing-list and attach it here. (builds are ongoing ...) ** Attachment added: "v5 patch set" https://bugs.launchpad.net/ubuntu-power-systems/+bug/1903288/+attachment/5544611/+files/v5-integrity-support-including-firmware-platform-keys-at-build-time.tar.xz
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
I just kicked off another build for a new patched kernel that allows to try and test the v4 patch-set in an Ubuntu kernel 5.15.0-9.9 context: https://launchpad.net/~fheimes/+archive/ubuntu/lp1903288-v4/ (will take a while until it's completed ...)
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
I've just 'extracted' the v4 patch set from the upstream mailing-list and attach it here. (builds are ongoing ...) ** Attachment added: "v4 patch-set" https://bugs.launchpad.net/ubuntu-power-systems/+bug/1903288/+attachment/5541228/+files/v4-integrity-support-including-firmware-platform-keys-at-build-time.tar.xz
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
I've just noticed Nayna's v4 (from Nov 11th): https://lore.kernel.org/linux-integrity/2021002057.123741-1-na...@linux.ibm.com/ " v4: * Split into two patches as per Mimi Zohar and Dimitri John Ledkov recommendation. "
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
Added my own review https://lore.kernel.org/linux-integrity/8d7e1609-f77e-834e-cf40-05e19bbc3...@canonical.com/ A few optional comments; and one required change needed to add one more ifdef.
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
Hi @Nayna even if it looks like your patch (v3) is still under discussion on the mailing list (https://lore.kernel.org/linux-integrity/beedd453a1ec674d3986f7c3851f30df516d2fbb.ca...@linux.ibm.com/) we've built a test kernel that allows to try and test what you already have (v3) in an Ubuntu kernel (5.15.0-9.9) context: https://launchpad.net/~fheimes/+archive/ubuntu/lp1903288/ Not sure if your focus is still on this v3 or if you already proceeded ...
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
** Tags added: patch
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
I just 'extracted' the patch from the upstream v3 discussion thread and attach it here. (Even if there seems to be a request to split it into two patches, but that would probably have no functional impact.) ** Patch added: "patch v3" https://bugs.launchpad.net/ubuntu-power-systems/+bug/1903288/+attachment/5538292/+files/0001-integrity-support-including-firmware-platform-keys-at-build-time.patch
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
Hi Nayna,

I agree that Reviewed-by or Tested-by are in general helpful, but these tags follow strict rules in Linux kernel (see: "Reviewer's statement of oversight" in kernel documentation). I cannot provide such tags without performing review or testing. Unfortunately I cannot do the review because it is not an area of my expertise. About testing - I simply cannot test it.

Instead, you or your colleagues should engage in discussions with open-source upstream community and resolve the kbuild reported bugs and address raised concerns (about missing use-case). None of additional tags would help in avoiding doing it.

Best regards, Krzysztof
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
We are looking at the patches and following the upstream discussions. Once the upstream discussions have settled out, we can build a test kernel.
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
Adjusting priority to high while waiting for patches to test. ** Changed in: ubuntu-power-systems Importance: Critical => High
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
We should not add opal keys to the built_trusted_keys_keyring as that's not the purpose of these keys. We could add them direct to .platform or .ima keyrings, but it would be best to load them from firmware direct. Are the above attached keys & ESL available from the "powerpc:db"?
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
** Attachment added: "opal.esl" https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1903288/+attachment/5498450/+files/opal.esl
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
** Attachment added: "opal-2019-ppc64el.pem" https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1903288/+attachment/5498449/+files/opal-2019-ppc64el.pem
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
** Attachment added: "opal-2017-ppc64el.pem" https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1903288/+attachment/5498448/+files/opal-2017-ppc64el.pem
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
@Nayna Jain @Daniel Hm but we have CONFIG_LOAD_PPC_KEYS=y already which I would expect to be the only thing that loads keys into .platform keyring which was enabled as part of https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1866909 LTC-184073. Which keys are present in firmware / get loaded into .platform because of that? I would have expected canonical keys to be loaded by that into the .platform keyring, or is that not the case? Can you please share contents of "powerpc:db"? Ideally it should contain Canonical's two OPAL signing certs.

If canonical keys are not in "powerpc:db", does it make sense to then add the two Canonical keys to the .builtin_trusted_keys_keyring, and then link the whole keyring into .ima keyring? I will attach the two Canonical OPAL signing keys here, and the ESL for them.

** Changed in: linux (Ubuntu) Status: New => Incomplete
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
BTW. is https://patchwork.kernel.org/project/linux-integrity/patch/20210330131636.21711-4-na...@linux.ibm.com/ of any help to us? Ideally we'd want to do that, but load the 2017 & 2019 keys there into the .ima keyring instead of the kernel module signing ones.
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
Sorry, I wasn't seeing emails for this bug despite being subscribed. Not sure what's going on with that. If the key is self-signed, shouldn't having the key in .builtin_trusted_keys allow for loading it into the IMA keyring? Or is that insufficient for some reason?
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
Kind of wish for a config option that would do add_to_platform_keyring a built-in set of keys, until we have something like the other platforms have (ipl on s390x, uefi db on EFI platforms). Similar to how the built-in trusted keys are initialized.
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
This is all very annoying! But I see what you mean now. We probably should not add opal keys to the trusted_keyring then. I would rather avoid introducing a new CA key whilst we cannot travel to assemble and distribute CA shards offline.

I'd rather somehow enable platform_keyring or IMA keyring, and make kernel have ability to specify keys listed there at build time and ship the OPAL key there. Cause the keys we use to sign kernel image & grub-image, are not the keys that are used to sign kernel modules, hence shouldn't be in the trusted keyring. Or we can end up with a userspace .service that exports trusted_keyrings and imports them into ima keyring on every boot. But that would be sad as well.

Let me find power machines to play around with this.
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
@Daniel "In either case, however, the CA that signs the kernel signing key needs to be built in to the kernel's .builtin_trusted_keys keyring."

On Ubuntu, for OPAL signing, on PowerPC, we do not use CA at all. It is our understanding that firmware doesn't support verifying signature chains to a CA. Thus instead we use self-signed certificates for the kernel which have not been signed by a CA. Thus we should simply include them all in trusted keyring, and there is no need to ship anything on disk or load anything from the userspace.

We have UEFI CA which is used for UEFI booting and embedded in the UEFI shim, but I do not believe it is appropriate to use that CA here, as the revocations are controlled by a KEK key which has no relationship with POWER firmware vendors.

@sforshee

Subject: CN = Canonical Ltd. Live Patch Signing
Subject: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., OU = Secure Boot, CN = "Canonical Ltd. Secure Boot Signing (POWER, 2017)"
Subject: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Kernel Module Signing

This is all that's needed for now. However, we should start also shipping the next/future OPAL signing certificate that we have generated in 2019. Please add the 2019 opal signing certificate as debian/opal-2019-ppc64el.pem

Key ID: 6B:E5:A1:25:FC:48:97:91:02:2C:2B:FB:54:91:16:F6:07:16:EA:81

There are no CA to add, and no keys to load from userspace.
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
I should have mentioned, the kernel in comment #11 is not signed with the archive signing key since it's in a personal ppa, but the cert which is built into the kernel is for the archive key.
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
Here's a test build with public cert for the opal signing key built into .builtin_trusted_keys: https://launchpad.net/~sforshee/+archive/ubuntu/lp1903288 I'm still working out exactly how we want to distribute the key in the filesystem, but if you can try that out and let me know whether that works for you.
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
Sorry for the delayed response here, it's taken me a while to get some of the needed information. In general this should be fine. One thing to note is that the key is self-signed, so we will need to add the signing key itself into .builtin_trusted_keys. This should still allow loading the key into the IMA keyring. It might not be necessary to do so, if IMA trusts keys in .builtin_trusted_keys for signing kexec kernels (I don't know if it does or not), but it seems to be that structuring this as though the CA and signing keys are separate keys is a good idea to ensure that this continues to work if the key setup ever changes in the future. I'll work on getting some test packages put together in a PPA for testing. Let me know if you see any changes which need to be made as a result of the information I've provided.
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
I think I've got a good idea of what you're after here. Let me look into this, and I'll try to get back to you soon.
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
I had a look at our 'Ubuntu unstable' 5.10 tree: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/unstable (that will once become the hirsute/21.04 kernel) and found that the commit 61f879d97ce4 "powerpc/pseries: Detect secure and trusted boot state of the system" is already in (like expected, since it was upstream accepted with 5.9). So that's good.

The CONFIG_IMA_X509_PATH is set to "/etc/keys/x509_ima.der" and CONFIG_IMA_LOAD_X509 is active ('y') for ppc64el - both were done based on LP 1643652. And the CONFIG_SYSTEM_TRUSTED_KEYS is currently set to "".

That lets me think that there is not much to do on this particular ticket right now.
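Added example (not part of the bug thread, and not Ubuntu or kernel project code): a shell check that reads a kernel config file and lists which of the key-loading mechanisms named in this thread are enabled. The function names and the sample file are constructed here; the sample values are the ones quoted in the comments above.

```shell
#!/bin/sh
# Added example: report which Kconfig-controlled mechanisms can place
# certificates into the kernel keyrings discussed in this thread.

# kconfig_get FILE OPTION
# Prints the option's value with surrounding double quotes removed.
# Prints "unset" when the option is absent or only present as
# "# CONFIG_X is not set". An option set to "" prints an empty line.
kconfig_get() {
    line=$(grep -E "^$2=" "$1" | tail -n 1)
    if [ -z "$line" ]; then
        printf 'unset\n'
        return 0
    fi
    val=${line#*=}
    case $val in
        \"*\") val=${val#\"}; val=${val%\"} ;;
    esac
    printf '%s\n' "$val"
}

# key_sources FILE
# Prints one line per enabled mechanism, prefixed with the keyring it feeds.
key_sources() {
    cfg=$1

    # CONFIG_LOAD_PPC_KEYS: keys provided by POWER firmware go to .platform.
    if [ "$(kconfig_get "$cfg" CONFIG_LOAD_PPC_KEYS)" = y ]; then
        printf 'platform: firmware keys (CONFIG_LOAD_PPC_KEYS)\n'
    fi

    # CONFIG_IMA_LOAD_X509: the certificate at CONFIG_IMA_X509_PATH is loaded
    # into .ima at boot. The kernel only accepts it if it is signed by a key
    # it already trusts, which is why the thread discusses putting the
    # self-signed key itself into .builtin_trusted_keys.
    path=$(kconfig_get "$cfg" CONFIG_IMA_X509_PATH)
    if [ "$(kconfig_get "$cfg" CONFIG_IMA_LOAD_X509)" = y ] &&
       [ -n "$path" ] && [ "$path" != unset ]; then
        printf 'ima: %s (CONFIG_IMA_LOAD_X509)\n' "$path"
    fi

    # CONFIG_SYSTEM_TRUSTED_KEYS: PEM file compiled into .builtin_trusted_keys.
    # An empty string means no extra certificates are compiled in.
    pem=$(kconfig_get "$cfg" CONFIG_SYSTEM_TRUSTED_KEYS)
    if [ -n "$pem" ] && [ "$pem" != unset ]; then
        printf 'builtin_trusted: %s (CONFIG_SYSTEM_TRUSTED_KEYS)\n' "$pem"
    fi
}

# Constructed sample config holding the option values quoted in the thread.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_LOAD_PPC_KEYS=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
CONFIG_SYSTEM_TRUSTED_KEYS=""
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
key_sources "$sample"
rm -f "$sample"
```

On an installed Ubuntu system the same function can be pointed at `/boot/config-$(uname -r)` instead of the sample file.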
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
** Changed in: ubuntu-power-systems Status: Incomplete => Triaged ** Changed in: linux (Ubuntu) Status: Incomplete => Triaged ** Changed in: linux (Ubuntu) Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) => Canonical Kernel Team (canonical-kernel-team) ** Changed in: linux (Ubuntu) Status: Triaged => New
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
To confirm, this bug only requires that commit 61f879d97ce4 ("powerpc/pseries: Detect secure and trusted boot state of the system.") lands in hirsute. Is that correct, or are other patches also required? ** Changed in: ubuntu-power-systems Status: Confirmed => Incomplete ** Changed in: linux (Ubuntu) Status: New => Incomplete
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
Just cross-referencing, this is the grub part: LP 1903289
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
Yes, kernel config changes will be needed for this. ** Changed in: ubuntu-power-systems Status: Incomplete => Confirmed
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
** Changed in: ubuntu-power-systems Status: New => Incomplete
[Bug 1903288] Re: Power guest secure boot with static keys: kernel portion
Hi Daniel, btw. in which upstream kernel did the kernel patches for this land (or will land)? Just to be sure - 5.10 or 5.11 or already in with an earlier version? ** Package changed: kernel-package (Ubuntu) => linux (Ubuntu) ** Also affects: ubuntu-power-systems Importance: Undecided Status: New ** Changed in: ubuntu-power-systems Importance: Undecided => Critical ** Changed in: ubuntu-power-systems Assignee: (unassigned) => Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)