--- Comment From naynj...@ibm.com 2020-04-10 16:15 EDT---
The upstream patch has an additional fix but it's not critical for GA. It can
get included as part of bug fixes. It also affects only power. The
patch ("powerpc/ima: fix secure boot rules in ima arch policy") is posted to
linux-int
--- Comment From naynj...@ibm.com 2020-04-06 11:23 EDT---
Tested the updated ppa kernel.
Everything looks good and here are the test results:
secure boot is enabled as seen by device-tree entry "os-secure-enforcing"
ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible
--- Comment From mranw...@us.ibm.com 2020-04-03 16:36 EDT---
We did some testing with that patch (previous comment) on top of the
5.4.0-21.25+lp1866909v202004020814 source/config file. We signed the
kernel/modules and securely booted it. That fixed the module loading issue we
were havi
--- Comment From mranw...@us.ibm.com 2020-04-03 12:45 EDT---
We've been working with Mimi and I think that what we need now aren't config
option changes, but this patch:
diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index e341162..c1ea55d 100644
--- a/arch/p
--- Comment From mranw...@us.ibm.com 2020-04-03 10:30 EDT---
Sorry, we don't know if we want CONFIG_MODULE_SIG_FORCE set. The modules
aren't loading, and we weren't sure what needed to change. We're happy to try
a kernel with IMA_ARCH_POLICY if that fixed it on x86.
--- Comment From mranw...@us.ibm.com 2020-04-03 00:39 EDT---
We did check the modules - at least the package
5.4.0-21.25+lp1866909v202004020814 and from modinfo:
signer: Build time autogenerated kernel key
sig_key:3B:AB:B6:13:BE:1C:39:7C:C5:17:8E:6F:B4:C9:A1:7F:52:30:9B:8
--- Comment From naynj...@ibm.com 2020-04-03 00:35 EDT---
With Michael's help, I could get the right key for the kernel.
I updated the new key and then tried booting to signed kernel in secure boot
enabled state.
It seems kernel is being verified.
# kexec -l /var/petitboot/mnt/dev/sdb6/bo
--- Comment From naynj...@ibm.com 2020-04-02 21:53 EDT---
The kernel seems to be having the secure boot functions after enabling those
CONFIGs. Now, I was trying to boot to this kernel when secure boot is enabled.
I have taken the key from here -
ppa.launchpad.net/sforshee/lp1866909/ubunt
--- Comment From mranw...@us.ibm.com 2020-04-02 17:37 EDT---
Thank you! I saw it finished and grabbed it, I saw it had the latest from lp
1855668.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bug
--- Comment From mranw...@us.ibm.com 2020-04-02 10:34 EDT---
Thank you, I grabbed that.
Is there any chance of a PPA respin with those options? We did test on
our rebuild, but we can't completely test without those options on plus
the signing.
--- Comment From mranw...@us.ibm.com 2020-04-01 18:31 EDT---
Thank you for spinning that so quickly. We neglected to request these config
options get turned on:
CONFIG_PPC_SECURE_BOOT=y
CONFIG_PPC_SECVAR_SYSFS=y
CONFIG_LOAD_PPC_KEYS=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_ARCH_POLICY=y
We
--- Comment From naynj...@ibm.com 2020-03-30 11:56 EDT---
I am sorry for the repetition on this question.
Thanks & Regards,
- Nayna
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1866909
--- Comment From naynj...@ibm.com 2020-03-27 11:57 EDT---
Ok. Thanks for sharing the info.
These ones should be very straightforward to backport.
Thanks & Regards,
- Nayna
--- Comment From naynj...@ibm.com 2020-03-27 10:00 EDT---
Below is the list of commits for specified TBDs (sysfs enablement/platform
keyring changes for powerpc). These were upstreamed in kernel v5.5 version.
Platform Keyring changes for powerpc:
8220e22 - powerpc: Load firmware trusted
--- Comment From mranw...@us.ibm.com 2020-03-23 19:45 EDT---
Hi Frank,
That's what I see, too, and all of those are in focal already, along
with the other three whose titles matched. The config options in
500c7ab1a9db are already on in focal, too.
The ones we're not sure of are these two