Power guest secure boot with key management: GRUB2 portion

Bug #2064319 reported by bugproxy
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
The Ubuntu-power-systems project
New
Critical
Ubuntu on IBM Power Systems Bug Triage
grub2 (Ubuntu)
New
High
Unassigned

Bug Description

Covering the GRUB2 portion:

Feature:

This feature comprises PowerVM LPAR guest OS kernel verification using static keys to extend the chain of trust from partition firmware to the OS kernel. GRUB and the host OS kernel are signed with 2 separate public key pairs. Partition firmware includes the the public verification key for GRUB in its build and uses it to verify GRUB. GRUB includes the public verification key for the OS kernel in its build and uses it to verify the OS kernel image

Test case:

If secure boot is switched off, any GRUB and kernel boots.
If secure boot is switched on:
  - Properly signed GRUB boots.
  - Improperly signed GRUB does not boot.
  - Tampered signed GRUB does not boot.
  - Properly signed kernels boot.
  - Improperly signed kernels do not boot.
  - Tampered signed kernels do not boot.
TPM PCRs are extended roughly following the TCG PC Client and UEFI specs as they apply to POWER.

bugproxy (bugproxy)
tags: added: architecture-ppc64le bugnameltc-205841 severity-critical targetmilestone-inin2404
Changed in ubuntu:
assignee: nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
affects: ubuntu → grub2 (Ubuntu)
bugproxy (bugproxy)
tags: added: targetmilestone-inin2410
removed: targetmilestone-inin2404
Frank Heimes (fheimes)
Changed in ubuntu-power-systems:
assignee: nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
Changed in grub2 (Ubuntu):
assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) → nobody
Changed in ubuntu-power-systems:
importance: Undecided → Critical
Changed in grub2 (Ubuntu):
importance: Undecided → High
Revision history for this message
Frank Heimes (fheimes) wrote (last edit ):

Thanks to Mate there is now an initial draft version of grub2 available in this PPA:
https://launchpad.net/~mkukri/+archive/ubuntu/power-grub/+packages
(https://code.launchpad.net/~ubuntu-uefi-team/grub/+git/ubuntu/+ref/power-sb)
that has the patch set merged (and some issues fixed with the patch set) -- but it's untested yet.

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2024-07-30 08:53 EDT-------
Do you mean this has guest secure boot with dynamic keys related patches merged?

Could you please confirm from where the patches are picked?

Thanks & Regards,
- Nayna

Revision history for this message
Frank Heimes (fheimes) wrote :

Hi Nayna,
I believe that Mate took the patches from the discussion upstream.
Afaict it is still not merged, nor officially upstream accepted (last time I checked).

We (esp. Mate) just picked it and created an early grub2 package in PPA for checking and testing. It is not in the archives yet - for that upstream acceptance is mandatory.

The code of this test package can be found here:
https://code.launchpad.net/~ubuntu-uefi-team/grub/+git/ubuntu/+ref/power-sb
respectively here:
https://git.launchpad.net/~ubuntu-uefi-team/grub/+git/ubuntu/log/?h=power-sb
with (as you can see) some additional adjustments ...

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.