Comment 21 for bug 1696154

Revision history for this message
Steve Langasek (vorlon) wrote : Re: [Bug 1696154] Comment bridged from LTC Bugzilla

Hi Claudio,

> ------- Comment From <email address hidden> 2017-09-27 16:47 EDT-------
> (In reply to comment #30)
> > Attached is the ESL db update for Canonical's POWER SecureBoot signing key.
> > It is signed with Canonical's KEK key, which will be provided to IBM out of
> > band to ensure integrity of the delivery channel.

> Thanks Andy and Vorlon for the attached files. The kernel appended
> signature verified successfully.

> We didn't test the Canonical-POWER-SB-20170926.esl.signed file yet.

> Questions:

> 1) The certificate provided contains a 4096-bit key and it was signed
> using sha512WithRSAEncryption. We had no problem to use it to verify the
> kernel appended signature - the kernel crypto API supports 4096-bit RSA
> keys. However, we don't have much space in our keystore and that's why
> we prefer to use 2048-bit RSA keys, same as UEFI SecureBoot. Could the
> Canonical-POWER-SB-20170926.esl.signed file be regenerated to contain a
> certificate that contains a 2048-bit RSA key instead? The certificate
> would be signed using sha256WithRSAEncryption.

The opal.x509 attachment is a test key only; it is not the same as
Canonical-POWER-SB-20170926.esl.signed, which is our production 2048-bit
key.

> 2) We will need to put in the KEK a certificate that can be used to verify
> the signed ESL db updates provided by Canonical. How does Canonical have
> provided that for UEFI SecureBoot? certificate, ESL (not signed, since PK
> is not provided by Canonical)? Currently, we are working on the code that
> will validate/process the authenticated variable updates. We will
> probably start testing it by the end of this year.

The current plan is to deliver this KEK as a certificate via a secure
in-person channel to George Wilson. I assume once delivered, if you need
this in ESL form for loading that IBM can perform this transformation (since
the only way to turn it into a signed ESL would be via the PK, which we
don't have).