Comment 18 for bug 1866909

------- Comment From <email address hidden> 2020-04-02 21:53 EDT-------
The kernel seems to be having the secure boot functions after enabling those CONFIGs. Now, I was trying to boot to this kernel when secure boot is enabled.

I have taken the key from here -
ppa.launchpad.net/sforshee/lp1866909/ubuntu/dists/focal/main/signed/linux-ppc64el/current/signed.tar.gz

I have taken opal.x509 in the control directory as the key.

The secure boot is enabled "os-secure-enforcing" and .platform has loaded the key.

# cd /proc/device-tree/ibm,secureboot/
# ls
compatible ibm,cvc phandle
hw-key-hash name secure-enabled
hw-key-hash-size os-secureboot-enforcing trusted-enabled
# keyctl show %keyring:.platform
Keyring
337432176 ---lswrv 0 0 keyring: .platform
471022331 ---lswrv 0 0 \_ asymmetric: DB: e6b84e62dbbd988abbfda008355aa6a08001c58c

However, it seems the verification is failing as shown below:
# kexec -s /var/petitboot/mnt/dev/sdb6/boot/vmlinux-5.4.0-21-generic
file_load failed: Permission denied

I have two questions:
* I hope the key is right.
* I hope the signature is not stored as detached file because that is how I saw it in - ppa.launchpad.net/sforshee/lp1866909/ubuntu/dists/focal/main/signed/linux-ppc64el/current/signed.tar.gz.

Please confirm. I will continue to look at it more.