--- Comment From gcwil...@us.ibm.com 2024-03-12 17:34 EDT---
Closing on our side as ALT_SOLUTION_AVAIL.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1903288
Title:
[24.04] Power guest
(builds are ongoing ...)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1903288
Title:
Power guest secure boot with static keys: kernel portion
To manage notifications about this bug go to:
--- Comment From naynj...@ibm.com 2021-10-14 11:12 EDT---
(In reply to comment #40)
> Hi Nayna,
>
> I agree that Reviewed-by or Tested-by are in general helpful, but these tags
> follow strict rules in Linux kernel (see: "Reviewer's statement of
> oversight" in kernel documentation). I
--- Comment From naynj...@ibm.com 2021-10-13 16:43 EDT---
Thanks !!
I guess a Reviewed-by or Tested-by might be helpful.
Thanks & Regards,
- Nayna
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--- Comment From naynj...@ibm.com 2021-09-10 13:31 EDT---
I have posted the patch today -
https://lore.kernel.org/linux-integrity/20210910172515.8430-1-na...@linux.ibm.com/T/#u
.
It would be very helpful if someone from Canonical can test it and
confirm.
Thanks & Regards,
- Nayna
--
--- Comment From naynj...@ibm.com 2021-05-19 16:51 EDT---
(In reply to comment #28)
> @Nayna Jain @Daniel
>
> Hm but we have CONFIG_LOAD_PPC_KEYS=y already which I would expect to be
> the only thing that loads keys into .platform keyring which was enabled as
> part of
--- Comment From daniel.axte...@ibm.com 2021-04-20 23:25 EDT---
Hi,
Yes, actually. I've asked Nayna if she can extend those patches to also
allow things to be loaded into .platform.
Kind regards,
Daniel
--
You received this bug notification because you are a member of Ubuntu
Bugs,
--- Comment From daniel.axte...@ibm.com 2021-03-31 10:31 EDT---
Hi,
> If the key is self-signed, shouldn't having the key in .builtin_trusted_keys
> allow for loading it into the IMA keyring? Or is that insufficient for some
> reason?
Yes, you could do that (I tried recently, in fact!),
--- Comment From daniel.axte...@ibm.com 2021-03-18 09:39 EDT---
(In reply to comment #22)
> Kind of wish for a config option that would do add_to_platform_keyring a
> built-in set of keys, until we have something like the other platforms have
> (ipl on s390x, uefi db on EFI platforms).
>
>
--- Comment From daniel.axte...@ibm.com 2021-03-18 00:22 EDT---
Apologies once again for the delay.
> @Daniel
> "In either case, however, the CA that signs the kernel signing key needs to
> be built in to the kernel's .builtin_trusted_keys keyring."
>
> On Ubuntu, for OPAL singing, on
--- Comment From daniel.axte...@ibm.com 2020-12-17 19:59 EDT---
I checked out LP: #1643652. I don't know why we asked for IMA_X509_PATH there,
we don't need it for OpenPower secure boot.
For guest secure boot, the end goal of my request here is to get the
pieces in place to enable signed
--- Comment From daniel.axte...@ibm.com 2020-11-19 20:25 EDT---
Hi,
I think that's the only feature patch required. There's not a lot
because at this stage it's all based on static keys. So unlike the
OpenPower secure boot, there's no code to interact with keys stored in
firmware.
There
--- Comment From daniel.axte...@ibm.com 2020-11-12 01:12 EDT---
Hi,
So, here are what I believe are the relevant kernel changes.
Firstly, there is a common core with the support for OpenPower/PowerNV
Secure Boot - LP#1866909 and friends. This covers things like securing
kexec under
13 matches
Mail list logo
