Comment 15 for bug 1903288

Dimitri John Ledkov (xnox) wrote : Re: Power guest secure boot with static keys: kernel portion

This is all very annoying! But I see what you mean now.

We probably should not add opal keys to the trusted_keyring then.

I would rather avoid introducing a new CA key whilst we cannot travel to assemble and distribute CA shards offline.

I'd rather somehow enable platform_keyring or IMA keyring, and make the kernel have the ability to specify keys listed there at build time and ship the OPAL key there.

Cause the keys we use to sign kernel image & grub-image are not the keys that are used to sign kernel modules, hence shouldn't be in the trusted keyring.

Or we can end up with a userspace .service that exports trusted_keyrings and imports them into the IMA keyring on every boot. But that would be sad as well.

Let me find power machines to play around with this.