------- Comment From cclau...@br.ibm.com 2017-09-27 16:47 EDT-------
(In reply to comment #30)
> Attached is the ESL db update for Canonical's POWER SecureBoot signing key.
> It is signed with Canonical's KEK key, which will be provided to IBM out of
> band to ensure integrity of the delivery channel.

Thanks Andy and Vorlon for the attached files. The kernel appended
signature verified successfully.

We didn't test the Canonical-POWER-SB-20170926.esl.signed file yet.

Questions:

1) The certificate provided contains a 4096-bit key and it was signed
using sha512WithRSAEncryption. We had no problem using it to verify the
kernel appended signature - the kernel crypto API supports 4096-bit RSA
keys. However, we don't have much space in our keystore and that's why
we prefer to use 2048-bit RSA keys, same as UEFI SecureBoot. Could the
Canonical-POWER-SB-20170926.esl.signed file be regenerated to contain a
certificate that contains a 2048-bit RSA key instead? The certificate
would be signed using sha256WithRSAEncryption.

2) We will need to put in the KEK a certificate that can be used to verify the
signed ESL db updates provided by Canonical. How has Canonical provided
that for UEFI SecureBoot? Certificate, ESL (not signed, since PK is not
provided by Canonical)?
Currently, we are working on the code that will validate/process the 
authenticated variable updates. We will probably start testing it by the end of 
this year.

Thanks,
Claudio

https://bugs.launchpad.net/bugs/1696154

Title:
  [17.10 FEAT] Sign POWER host/NV kernels
