------- Comment From cclau...@br.ibm.com 2017-08-01 19:06 EDT-------
(In reply to comment #15)
> One open technical question from the Canonical side: can you confirm that
> the POWER firmware implementation will support embedded certificate chains
> as part of the vmlinux signature data? Our existing SecureBoot signing
> regime uses an on-line signing key which is chained to our CA certificate,
> and it is the latter that we would normally provide for db.
>
> It appears that the kmodsign tools support embedded certificates in the
> signature data, but we would like to confirm that the firmware
> implementation is also compatible with this.
It seems that the Canonical CA should be added to the KEK and the "on-line signing key" should be added to the DB. In our current SecureBoot design, the vmlinux embedded signature will be verified only against the DB certificate list. However, in order to add a certificate to DB, the certificate should be signed by any of the KEK entries. The PK will be used to authorize updates to the KEK certificate list.

--
https://bugs.launchpad.net/bugs/1696154
Title: [17.10 FEAT] Sign POWER host/NV kernels

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
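The PK / KEK / db hierarchy described in the reply, as an added worked example that is not part of the bug thread and not IBM's or Canonical's firmware code. It models the three authorization rules the comment states: the PK authorizes KEK updates, any KEK entry authorizes db updates, and a vmlinux signature is checked against db only. Signatures use a toy RSA stand-in (key sizes far too small for real use) instead of X.509, and the "Canonical CA", "on-line signing key" and vmlinux payload are constructed placeholders; the point it illustrates is that a kernel whose embedded certificate chains to a KEK entry is still rejected unless the signing certificate itself is enrolled in db.

```python
import hashlib
import secrets
from dataclasses import dataclass


# ---- toy RSA: a stand-in for real X.509 signatures, NOT for production ----
def _is_probable_prime(n, rounds=20):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def gen_keypair(bits=256):
    """Return ((n, e), (n, d)). Toy-sized modulus, insecure by design."""
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)


@dataclass(frozen=True)
class Cert:
    subject: str
    pub: tuple  # (n, e)

    def encoded(self):  # bytes that an authority signs to enrol this cert
        return f"{self.subject}|{self.pub[0]}|{self.pub[1]}".encode()


@dataclass(frozen=True)
class SignedImage:
    """A vmlinux plus kmodsign-style embedded signer cert and optional chain."""
    image: bytes
    signer: Cert
    signature: int
    chain: tuple = ()  # embedded issuer certs; the firmware model ignores them


class SecureBootVars:
    """PK authorises KEK updates, KEK authorises db updates, db verifies images."""

    def __init__(self, pk):
        self.pk, self.kek, self.db = pk, [], []

    def _authorised(self, authorities, cert, sig):
        return any(verify(a.pub, cert.encoded(), sig) for a in authorities)

    def append_kek(self, cert, sig):  # update must be signed by the PK
        ok = self._authorised([self.pk], cert, sig)
        if ok:
            self.kek.append(cert)
        return ok

    def append_db(self, cert, sig):  # update must be signed by some KEK entry
        ok = self._authorised(self.kek, cert, sig)
        if ok:
            self.db.append(cert)
        return ok

    def verify_image(self, img):  # only db is consulted, never KEK or the chain
        return img.signer in self.db and verify(img.signer.pub, img.image, img.signature)


def demo():
    pk_pub, pk_priv = gen_keypair()
    ca_pub, ca_priv = gen_keypair()        # hypothetical "Canonical CA"
    sk_pub, sk_priv = gen_keypair()        # hypothetical on-line signing key
    sk2_pub, sk2_priv = gen_keypair()      # a second key chained to the CA, never enrolled
    rogue_pub, rogue_priv = gen_keypair()  # key with no relation to PK/KEK
    pk, ca = Cert("PK", pk_pub), Cert("Canonical CA (hypothetical)", ca_pub)
    sk, sk2 = Cert("signing key (hypothetical)", sk_pub), Cert("other signing key", sk2_pub)
    rogue = Cert("unrelated key", rogue_pub)
    fw = SecureBootVars(pk)
    vmlinux = b"constructed stand-in for a vmlinux image"  # constructed payload
    r = {}
    r["kek_add_ca"] = fw.append_kek(ca, sign(pk_priv, ca.encoded()))
    r["db_add_sk"] = fw.append_db(sk, sign(ca_priv, sk.encoded()))
    r["db_add_rogue"] = fw.append_db(rogue, sign(rogue_priv, rogue.encoded()))
    r["kernel_by_sk"] = fw.verify_image(SignedImage(vmlinux, sk, sign(sk_priv, vmlinux)))
    r["kernel_by_ca"] = fw.verify_image(SignedImage(vmlinux, ca, sign(ca_priv, vmlinux)))
    r["kernel_chain_not_in_db"] = fw.verify_image(
        SignedImage(vmlinux, sk2, sign(sk2_priv, vmlinux), chain=(ca,)))
    r["tampered"] = fw.verify_image(SignedImage(vmlinux + b"!", sk, sign(sk_priv, vmlinux)))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two negative cases worth noting are `kernel_by_ca` and `kernel_chain_not_in_db`: a signer that sits only in KEK, or that merely chains to a KEK entry through an embedded certificate, does not pass `verify_image`, which is why the reply asks for the on-line signing key itself, not just the CA, to be enrolled in db.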