@Nayna Jain @Daniel
Hm.... but we have CONFIG_LOAD_PPC_KEYS=y already which I would expect to be the only thing that loads keys into .platform keyring which was enabled as part of https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1866909 LTC-184073 . Which keys are present in firmware / get loaded into .platform because of that? I would have expected canonical keys to be loaded by that into the .platform keyring, or is that not the case?
Can you please share contents of "powerpc:db"? Ideally it should contain Canonical's two OPAL signing certs.
If canonical keys are not in "powerpc:db", does it make sense to then add the two Canonical keys to the .builtin_trusted_keys_keyring, and then link the whole keyring into .ima keyring?
I will attach the two Canonical OPAL signing keys here, and the ESL for them.