;
> + attr->read = sysfs_bin_attr_simple_read;
> attr->private = __va(vals[0]);
> attr->size = vals[1];
I gave it a quick boot and checked I could still read the attributes,
everything seems fine.
Acked-by: Michael Ellerman (powerpc)
cheers
Nayna Jain writes:
> diff --git a/arch/powerpc/kernel/secure_boot.c
> b/arch/powerpc/kernel/secure_boot.c
> index 99bba7915629..9753470ab08a 100644
> --- a/arch/powerpc/kernel/secure_boot.c
> +++ b/arch/powerpc/kernel/secure_boot.c
> @@ -28,3 +39,16 @@ bool is_ppc_secureboot_enabled(void)
>
Nayna Jain writes:
> diff --git a/arch/powerpc/kernel/secure_boot.c
> b/arch/powerpc/kernel/secure_boot.c
> new file mode 100644
> index ..99bba7915629
> --- /dev/null
> +++ b/arch/powerpc/kernel/secure_boot.c
> @@ -0,0 +1,30 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyr
Hi Nayna,
Just a few comments.
Nayna Jain writes:
> Secure boot on PowerNV defines different IMA policies based on the secure
> boot state of the system.
This description has got out of sync with what the patch does I think.
There's no IMA in here. I think you can just drop that sentence.
> Th
Nayna Jain writes:
> PowerNV systems uses kernel based bootloader, thus its secure boot
> implementation uses kernel IMA security subsystem to verify the kernel
> before kexec. Since the verification policy might differ based on the
> secure boot mode of the system, the policies are defined at run
Nayna Jain writes:
> This patch adds the measurement rules to the arch specific policies on
> trusted boot enabled systems.
>
> Signed-off-by: Nayna Jain
> Reviewed-by: Mimi Zohar
> ---
> arch/powerpc/kernel/ima_arch.c | 45 +++---
> 1 file changed, 42 insertions(+),
Nayna Jain writes:
> PowerNV systems enables the IMA measurement rules only if the
> trusted boot is enabled on the system.
That confused me a lot. But the key is the distinction between appraisal
rules vs measurement rules, right?
I think it would be clearer if it was phrased as a positive stat
Mimi Zohar writes:
> On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote:
...
>> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
>> index b4a221886fcf..deb19ec6ba3d 100644
>> --- a/arch/powerpc/Kconfig
>> +++ b/arch/powerpc/Kconfig
>> @@ -938,6 +938,8 @@ config PPC_SECURE_BOOT
>> pro
Mimi Zohar writes:
> (Cc'ing Josh Boyer, David Howells)
>
> On Mon, 2019-09-02 at 21:55 +1000, Michael Ellerman wrote:
>> Nayna Jain writes:
>>
>> > The handlers to add the keys to the .platform keyring and blacklisted
>> > hashes to the .black
Greg Kroah-Hartman writes:
> This variant was missing from sysfs.h, I guess no one noticed it before.
>
> Turns out the powerpc secure variable code can use it, so add it to the
> tree for it, and potentially others to take advantage of, instead of
> open-coding it.
>
> Reported-by: Nayna Jain
>
Nayna Jain writes:
> The handlers to add the keys to the .platform keyring and blacklisted
> hashes to the .blacklist keyring is common for both the uefi and powerpc
> mechanisms of loading the keys/hashes from the firmware.
>
> This patch moves the common code from load_uefi.c to keyring_handler
Hi Nayna,
Nayna Jain writes:
> As part of PowerNV secure boot support, OS verification keys are stored
> and controlled by OPAL as secure variables. These need to be exposed to
> the userspace so that sysadmins can perform key management tasks.
>
> This patch adds the support to expose secure var
Hi Claudio,
Thanks for posting this.
Claudio Carvalho writes:
> This patch set is part of a series that implements secure boot on
> PowerNV systems.
>
> In order to verify the OS kernel on PowerNV, secure boot requires X.509
> certificates trusted by the platform, the secure boot modes, and seve
13 matches
Mail list logo
