------- Comment From naynj...@ibm.com 2020-06-17 11:42 EDT------- Thanks !! This is exactly what I needed.
I am now able to boot the signed kernel both in the "secure and trusted enabled" and the "only secure enabled" case. The earlier patch was missing the fix for the "only secure enabled" case. This patch took care of both. It works fine and here are the test results:

1. Kernel booted fine both with secure boot enabled/disabled and only "secure boot" enabled.

2. With trusted boot disabled, here are the IMA rules:

    ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
    compatible  hw-key-hash  hw-key-hash-size  ibm,cvc  name  os-secureboot-enforcing  phandle  secure-enabled
    ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
    appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

3. With both secure and trusted boot enabled, here is how the IMA rules look:

    ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
    compatible  hw-key-hash  hw-key-hash-size  ibm,cvc  name  os-secureboot-enforcing  phandle  secure-enabled  trusted-enabled
    ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
    [sudo] password for ubuntu:
    measure func=KEXEC_KERNEL_CHECK template=ima-modsig
    measure func=MODULE_CHECK template=ima-modsig
    appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

And the config file has CONFIG_MODULE_SIG enabled, on which the powerpc IMA arch policy #ifdefs are dependent.

    ubuntu@ltc-wspoon13:~$ grep -i MODULE_SIG /boot/config-5.4.0-38-generic
    CONFIG_MODULE_SIG_FORMAT=y
    CONFIG_MODULE_SIG=y
    # CONFIG_MODULE_SIG_FORCE is not set
    CONFIG_MODULE_SIG_ALL=y
    # CONFIG_MODULE_SIG_SHA1 is not set
    # CONFIG_MODULE_SIG_SHA224 is not set
    # CONFIG_MODULE_SIG_SHA256 is not set
    # CONFIG_MODULE_SIG_SHA384 is not set
    CONFIG_MODULE_SIG_SHA512=y
    CONFIG_MODULE_SIG_HASH="sha512"
    CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

Thanks & Regards,
- Nayna

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1877955

Title:
  Fix for secure boot rules in IMA arch policy on powerpc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
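A way to verify that a machine's IMA arch policy matches its firmware state, as an added example that is neither part of the bug report nor the kernel's code: the expected rule sets are taken from the two policy dumps in the comment above, the appraise MODULE_CHECK rule that CONFIG_MODULE_SIG gates is an assumption based on the #ifdef the comment mentions (it appears in neither dump because the tested config has CONFIG_MODULE_SIG=y), and the sample inputs are the secure-only dump itself.

```python
import re

SECURE_NODE, TRUSTED_NODE = "secure-enabled", "trusted-enabled"

# Rule strings as in the policy dumps above; APPRAISE_MODULE is the rule the #ifdef on
# CONFIG_MODULE_SIG drops (assumed from the kernel arch policy, absent from both dumps).
MEASURE_KEXEC = "measure func=KEXEC_KERNEL_CHECK template=ima-modsig"
MEASURE_MODULE = "measure func=MODULE_CHECK template=ima-modsig"
APPRAISE_KEXEC = ("appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig "
                  "appraise_flag=check_blacklist")
APPRAISE_MODULE = ("appraise func=MODULE_CHECK appraise_type=imasig|modsig "
                   "appraise_flag=check_blacklist")

def expected_rules(dt_nodes, module_sig):
    """Arch policy rules implied by the ibm,secureboot node names and CONFIG_MODULE_SIG."""
    rules = []
    if TRUSTED_NODE in dt_nodes:   # trusted boot: measure kexec kernel and modules
        rules += [MEASURE_KEXEC, MEASURE_MODULE]
    if SECURE_NODE in dt_nodes:    # secure boot: appraise the kexec kernel
        rules.append(APPRAISE_KEXEC)
        if not module_sig:         # loader does not verify modules, so IMA must
            rules.append(APPRAISE_MODULE)
    return rules

def module_sig_enabled(config_text):
    """True when the kernel config sets CONFIG_MODULE_SIG=y (not _FORMAT or _ALL)."""
    return re.search(r"^CONFIG_MODULE_SIG=y$", config_text, re.M) is not None

def check_policy(policy_text, dt_listing, config_text):
    """Compare an /sys/kernel/security/ima/policy dump with the expected rules.
    Rules are matched as token sets, so option order in the dump is irrelevant.
    Returns (missing, extra)."""
    dt_nodes = set(dt_listing.split())
    want = expected_rules(dt_nodes, module_sig_enabled(config_text))
    have = [l.strip() for l in policy_text.splitlines() if l.strip()]
    have_tok = {frozenset(r.split()) for r in have}
    want_tok = {frozenset(r.split()) for r in want}
    missing = [r for r in want if frozenset(r.split()) not in have_tok]
    extra = [r for r in have if frozenset(r.split()) not in want_tok]
    return missing, extra

# Inputs copied from the secure-only test in the comment above.
DT_SECURE_ONLY = ("compatible hw-key-hash hw-key-hash-size ibm,cvc name "
                  "os-secureboot-enforcing phandle secure-enabled")
CONFIG = "CONFIG_MODULE_SIG_FORMAT=y\nCONFIG_MODULE_SIG=y\n# CONFIG_MODULE_SIG_FORCE is not set\n"
POLICY_SECURE_ONLY = APPRAISE_KEXEC + "\n"

if __name__ == "__main__":
    print(check_policy(POLICY_SECURE_ONLY, DT_SECURE_ONLY, CONFIG))  # ([], [])
```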