[PATCH v4 3/3] integrity/platform_certs: Allow loading of keys in the static key management mode

2025-06-10 Thread Srish Srinivasan
the static key management mode, where the secvar format string takes the form "ibm,plpks-sb-v0". Signed-off-by: Srish Srinivasan Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger Reviewed-by: Nayna Jain Reviewed-by: Andrew Donnellan --- security/integrity/platform_certs/load_pow

[PATCH v4 1/3] powerpc/pseries: Correct secvar format representation for static key management

2025-06-10 Thread Srish Srinivasan
s-sb-v0" based on the key management mode, and return the length of the secvar format property. Co-developed-by: Souradeep Signed-off-by: Souradeep Signed-off-by: Srish Srinivasan Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger Reviewed-by: Nayna Jain Reviewed-by: Andrew Donnellan --- D

[PATCH v4 2/3] powerpc/secvar: Expose secvars relevant to the key management mode

2025-06-10 Thread Srish Srinivasan
mode. Expose only PK, trustedcadb, and moduledb in the static key management mode. Co-developed-by: Souradeep Signed-off-by: Souradeep Signed-off-by: Srish Srinivasan Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger Reviewed-by: Nayna Jain Reviewed-by: Andrew Donnellan --- Documentation

[PATCH v4 0/3] Enhancements to the secvar interface in static key management mode

2025-06-10 Thread Srish Srinivasan
/vars/. - Added reviewed-by from Nayna and Andrew. * Patch 3: - Added reviewed-by from Nayna and Andrew. Srish Srinivasan (3): powerpc/pseries: Correct secvar format representation for static key management powerpc/secvar: Expose secvars relevant to the key management mode integrity

Re: [PATCH v2 2/3] powerpc/secvar: Expose secvars relevant to the key management mode

2025-06-05 Thread Srish Srinivasan
On 6/4/25 10:11 PM, Michal Suchánek wrote: On Thu, May 29, 2025 at 10:39:58PM +0530, Srish Srinivasan wrote: On 5/23/25 11:49 AM, Michal Suchánek wrote: Hello, On Wed, May 21, 2025 at 04:27:58PM +0530, Srish Srinivasan wrote: The PLPKS enabled PowerVM LPAR sysfs exposes all of the secure

[PATCH v3 0/3] Enhancements to the secvar interface in static key management mode

2025-06-03 Thread Srish Srinivasan
reviewed-by from Nayna. * Patch 2: - Moved the documentation changes relevant to secure variables from /sys/firmware/secvar/format to /sys/firmware/secvar/vars/. - Added reviewed-by from Nayna and Andrew. * Patch 3: - Added reviewed-by from Nayna and Andrew. Srish Srinivasan (3

[PATCH v3 3/3] integrity/platform_certs: Allow loading of keys in the static key management mode

2025-06-03 Thread Srish Srinivasan
the static key management mode, where the secvar format string takes the form "ibm,plpks-sb-v0". Signed-off-by: Srish Srinivasan Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger Reviewed-by: Nayna Jain Reviewed-by: Andrew Donnellan --- security/integrity/platform_certs/load_pow

[PATCH v3 2/3] powerpc/secvar: Expose secvars relevant to the key management mode

2025-06-03 Thread Srish Srinivasan
, trustedcadb, and moduledb in the static key mode to enable loading of signed third-party kernel modules. Co-developed-by: Souradeep Signed-off-by: Souradeep Signed-off-by: Srish Srinivasan Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger Reviewed-by: Nayna Jain Reviewed-by: Andrew Donnellan

[PATCH v3 1/3] powerpc/pseries: Correct secvar format representation for static key management

2025-06-03 Thread Srish Srinivasan
s-sb-v0" based on the key management mode, and return the length of the secvar format property. Co-developed-by: Souradeep Signed-off-by: Souradeep Signed-off-by: Srish Srinivasan Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger Reviewed-by: Nayna Jain Reviewed-by: Andrew Donnellan --- D

Re: [PATCH v2 1/3] powerpc/pseries: Correct secvar format representation for static key management

2025-05-29 Thread Srish Srinivasan
On 5/23/25 11:27 AM, Andrew Donnellan wrote: On Wed, 2025-05-21 at 16:27 +0530, Srish Srinivasan wrote: On a PLPKS enabled PowerVM LPAR, the secvar format property for static key management is misrepresented as "ibm,plpks-sb-unknown", creating reason for confusion. Static key manag

Re: [PATCH v2 2/3] powerpc/secvar: Expose secvars relevant to the key management mode

2025-05-29 Thread Srish Srinivasan
On 5/23/25 11:49 AM, Michal Suchánek wrote: Hello, On Wed, May 21, 2025 at 04:27:58PM +0530, Srish Srinivasan wrote: The PLPKS enabled PowerVM LPAR sysfs exposes all of the secure boot secvars irrespective of the key management mode. The PowerVM LPAR supports static and dynamic key

[PATCH v2 2/3] powerpc/secvar: Expose secvars relevant to the key management mode

2025-05-21 Thread Srish Srinivasan
, trustedcadb, and moduledb in the static key mode to enable loading of signed third-party kernel modules. Co-developed-by: Souradeep Signed-off-by: Souradeep Signed-off-by: Srish Srinivasan Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger Reviewed-by: Nayna Jain Reviewed-by: Andrew Donnellan

[PATCH v2 3/3] integrity/platform_certs: Allow loading of keys in the static key management mode

2025-05-21 Thread Srish Srinivasan
the static key management mode, where the secvar format string takes the form "ibm,plpks-sb-v0". Signed-off-by: Srish Srinivasan Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger Reviewed-by: Nayna Jain Reviewed-by: Andrew Donnellan --- security/integrity/platform_certs/load_pow

[PATCH v2 1/3] powerpc/pseries: Correct secvar format representation for static key management

2025-05-21 Thread Srish Srinivasan
s-sb-v0" based on the key management mode, and return the length of the secvar format property. Co-developed-by: Souradeep Signed-off-by: Souradeep Signed-off-by: Srish Srinivasan Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger Reviewed-by: Nayna Jain --- Documentation/ABI/testing/sysf

[PATCH v2 0/3] Enhancements to the secvar interface in static key management mode

2025-05-21 Thread Srish Srinivasan
/secvar/format to /sys/firmware/secvar/vars/. - Added reviewed-by from Nayna and Andrew. * Patch 3: - Added reviewed-by from Nayna and Andrew. Srish Srinivasan (3): powerpc/pseries: Correct secvar format representation for static key management powerpc/secvar: Expose secvars

Re: [PATCH 1/3] powerpc/pseries: Correct secvar format representation for static key management

2025-05-12 Thread Srish Srinivasan
On 5/12/25 3:25 PM, Andrew Donnellan wrote: On Wed, 2025-05-07 at 00:29 +0530, Srish Srinivasan wrote: I think you should handle this as the existing code does: if it's ENOENT, return 0, and for other codes print an error and return -EIO. Currently, the other layers in the boot stack a

Re: [PATCH 1/3] powerpc/pseries: Correct secvar format representation for static key management

2025-05-07 Thread Srish Srinivasan
On 5/7/25 11:47 AM, Andrew Donnellan wrote: On Wed, 2025-05-07 at 00:29 +0530, Srish Srinivasan wrote: + rc = plpks_read_fw_var(&var); + if (rc) { + pr_info("Error %ld reading SB_VERSION from firmware\n", rc); We need to check for -ENOENT, otherwise t

Re: [PATCH 3/3] integrity/platform_certs: Allow loading of keys in static key management mode

2025-05-06 Thread Srish Srinivasan
On 5/5/25 1:25 PM, Andrew Donnellan wrote: On Wed, 2025-04-30 at 14:33 +0530, Srish Srinivasan wrote: On PLPKS enabled PowerVM LPAR, there is no provision to load signed third-party kernel modules when the key management mode is static. This is because keys from secure boot secvars are only

Re: [PATCH 2/3] powerpc/secvar: Expose secvars relevant to the key management mode

2025-05-06 Thread Srish Srinivasan
On 5/5/25 12:53 PM, Andrew Donnellan wrote: On Wed, 2025-04-30 at 14:33 +0530, Srish Srinivasan wrote: The PLPKS enabled PowerVM LPAR sysfs exposes all of the secure boot secvars irrespective of the key management mode. The PowerVM LPAR supports static and dynamic key management for secure

Re: [PATCH 1/3] powerpc/pseries: Correct secvar format representation for static key management

2025-05-06 Thread Srish Srinivasan
On 5/5/25 2:06 PM, Andrew Donnellan wrote: On Wed, 2025-04-30 at 14:33 +0530, Srish Srinivasan wrote: On a PLPKS enabled PowerVM LPAR, the secvar format property for static key management is misrepresented as "ibm,plpks-sb-unknown", creating reason for confusion. Static key manag

[PATCH 3/3] integrity/platform_certs: Allow loading of keys in static key management mode

2025-04-30 Thread Srish Srinivasan
the static key management mode, where the secvar format string takes the form "ibm,plpks-sb-v0". Signed-off-by: Srish Srinivasan Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger --- security/integrity/platform_certs/load_powerpc.c | 5 +++-- 1 file changed, 3 insertions(+), 2

[PATCH 2/3] powerpc/secvar: Expose secvars relevant to the key management mode

2025-04-30 Thread Srish Srinivasan
, trustedcadb, and moduledb in the static key mode to enable loading of signed third-party kernel modules. Co-developed-by: Souradeep Signed-off-by: Souradeep Signed-off-by: Srish Srinivasan Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger --- Documentation/ABI/testing/sysfs-secvar| 9

[PATCH 0/3] Enhancements to the secvar interface in static key management mode

2025-04-30 Thread Srish Srinivasan
expose only the secure variables relevant to the key management mode. Enable loading of signed third-party kernel modules in the static key mode when the platform keystore is enabled. Srish Srinivasan (3): powerpc/pseries: Correct secvar format representation for static key management powerpc

[PATCH 1/3] powerpc/pseries: Correct secvar format representation for static key management

2025-04-30 Thread Srish Srinivasan
s-sb-v0" based on the key management mode, and return the length of the secvar format property. Co-developed-by: Souradeep Signed-off-by: Souradeep Signed-off-by: Srish Srinivasan Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger --- arch/powerpc/platforms/pseries/plpks-secvar.c | 70 +