Comment 16 for bug 1877955

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-06-17 11:42 EDT-------
Thanks!! This is exactly what I needed.

I am now able to boot the signed kernel in both the "secure and trusted enabled" and the "only secure enabled" case. The earlier patch was missing the fix for the "only secure enabled" case. This patch took care of both.

It works fine and here are the test results:

1. Kernel booted fine both with secure boot enabled/disabled and only "secure boot" enabled.

2. With trusted boot disabled, here are the IMA rules:

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible hw-key-hash hw-key-hash-size ibm,cvc name os-secureboot-enforcing phandle secure-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

3. With both secure and trusted boot enabled, here is how the IMA rules look:

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible hw-key-hash hw-key-hash-size ibm,cvc name os-secureboot-enforcing phandle secure-enabled trusted-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
[sudo] password for ubuntu:
measure func=KEXEC_KERNEL_CHECK template=ima-modsig
measure func=MODULE_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

And the config file has CONFIG_MODULE_SIG enabled, on which the powerpc IMA arch policy #ifdefs depend.
ubuntu@ltc-wspoon13:~$ grep -i MODULE_SIG /boot/config-5.4.0-38-generic
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

Thanks & Regards,
- Nayna
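The three checks Nayna runs by hand above (list the ibm,secureboot device-tree node, dump the IMA policy, grep the kernel config) can be turned into a single script that decides from the device-tree state which arch rules should be present and reports any that are missing. The following is an added example written for this page; it is not code from the bug report, the kernel or the Ubuntu package. The expected rule set is taken verbatim from the two policy dumps in the comment (appraise KEXEC_KERNEL_CHECK when secure boot is on, measure KEXEC_KERNEL_CHECK and MODULE_CHECK when trusted boot is on), the function names are mine, and the sample device-tree listings, policy text and config lines are constructed from the output shown in the comment.

```python
#!/usr/bin/env python3
"""Check the powerpc IMA arch policy against the firmware secure/trusted boot state.

Added example for the bug comment above; not code from the kernel, Ubuntu or the
bug report. Expected rules are copied from the two policy dumps in the comment.
"""
import os

# Paths are the same ones the comment inspects by hand.
SECUREBOOT_DT = "/proc/device-tree/ibm,secureboot"
IMA_POLICY = "/sys/kernel/security/ima/policy"
KERNEL_CONFIG = f"/boot/config-{os.uname().release}"

# Constructed sample data, copied from the comment's output, so the checks
# below can run offline (these are not read from a live system).
SECURE_ONLY_NODES = ("compatible hw-key-hash hw-key-hash-size ibm,cvc name "
                     "os-secureboot-enforcing phandle secure-enabled").split()
BOTH_NODES = SECURE_ONLY_NODES + ["trusted-enabled"]
SECURE_ONLY_POLICY = (
    "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig "
    "appraise_flag=check_blacklist\n")
BOTH_POLICY = (
    "measure func=KEXEC_KERNEL_CHECK template=ima-modsig\n"
    "measure func=MODULE_CHECK template=ima-modsig\n" + SECURE_ONLY_POLICY)
CONFIG_SAMPLE = "CONFIG_MODULE_SIG_FORMAT=y\nCONFIG_MODULE_SIG=y\n# CONFIG_MODULE_SIG_FORCE is not set\n"


def parse_policy(text):
    """Parse IMA policy text into dicts like {'action': 'measure', 'func': ..., 'template': ...}."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *opts = line.split()
        rule = {"action": action}
        for opt in opts:
            key, _, value = opt.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def boot_state(dt_nodes):
    """Return (secure, trusted) from the property names under ibm,secureboot."""
    return ("secure-enabled" in dt_nodes, "trusted-enabled" in dt_nodes)


def expected_rules(secure, trusted):
    """Arch rules the comment shows for each boot state (trusted adds measure rules,
    secure adds the appraise rule)."""
    exp = []
    if trusted:
        exp.append({"action": "measure", "func": "KEXEC_KERNEL_CHECK", "template": "ima-modsig"})
        exp.append({"action": "measure", "func": "MODULE_CHECK", "template": "ima-modsig"})
    if secure:
        exp.append({"action": "appraise", "func": "KEXEC_KERNEL_CHECK",
                    "appraise_type": "imasig|modsig", "appraise_flag": "check_blacklist"})
    return exp


def missing_rules(policy_text, dt_nodes):
    """Expected rules that have no matching loaded rule (a loaded rule matches if it
    carries at least the expected key/value pairs)."""
    have = parse_policy(policy_text)
    secure, trusted = boot_state(dt_nodes)
    return [exp for exp in expected_rules(secure, trusted)
            if not any(exp.items() <= rule.items() for rule in have)]


def module_sig_enabled(config_text):
    """True if the kernel config sets CONFIG_MODULE_SIG=y (the option the arch policy depends on)."""
    return any(line.strip() == "CONFIG_MODULE_SIG=y" for line in config_text.splitlines())


def check_live_system():
    """Run the same checks against the real sysfs/procfs paths (needs root for the policy file)."""
    nodes = os.listdir(SECUREBOOT_DT)
    with open(IMA_POLICY) as f:
        policy = f.read()
    with open(KERNEL_CONFIG) as f:
        config = f.read()
    secure, trusted = boot_state(nodes)
    print(f"secure-enabled={secure} trusted-enabled={trusted}")
    for rule in missing_rules(policy, nodes):
        print("MISSING:", " ".join(f"{k}={v}" if k != "action" else v for k, v in rule.items()))
    print("CONFIG_MODULE_SIG=y:", module_sig_enabled(config))


if __name__ == "__main__":
    check_live_system()
```

Run it as root on the target after booting the patched kernel; an empty MISSING list for the observed boot state reproduces the result reported in the comment, and a non-empty list points at exactly which arch rule the running kernel did not install.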