------- Comment From <email address hidden> 2020-04-02 21:53 EDT-------
The kernel seems to have the secure boot functions after enabling those CONFIGs. Now, I was trying to boot to this kernel when secure boot is enabled.
I have taken the key from here -
ppa.launchpad.net/sforshee/lp1866909/ubuntu/dists/focal/main/signed/linux-ppc64el/current/signed.tar.gz
I have taken opal.x509 in the control directory as the key.
The secure boot is enabled "os-secure-enforcing" and .platform has loaded the key.
# cd /proc/device-tree/ibm,secureboot/
# ls
compatible ibm,cvc phandle
hw-key-hash name secure-enabled
hw-key-hash-size os-secureboot-enforcing trusted-enabled
# keyctl show %keyring:.platform
Keyring
337432176 ---lswrv 0 0 keyring: .platform
471022331 ---lswrv 0 0 \_ asymmetric: DB: e6b84e62dbbd988abbfda008355aa6a08001c58c
However, it seems the verification is failing as shown below:
# kexec -s /var/petitboot/mnt/dev/sdb6/boot/vmlinux-5.4.0-21-generic
file_load failed: Permission denied
I have two questions:
* I hope the key is right.
* I hope the signature is not stored as a detached file because that is how I saw it in - ppa.launchpad.net/sforshee/lp1866909/ubuntu/dists/focal/main/signed/linux-ppc64el/current/signed.tar.gz.
Please confirm. I will continue to look at it more.