Comment 22 for bug 1903288

Dimitri John Ledkov (xnox) wrote : Re: Power guest secure boot with static keys: kernel portion

@Nayna Jain @Daniel

Hm... but we have CONFIG_LOAD_PPC_KEYS=y already, which I would expect to be the only thing that loads keys into the .platform keyring, and which was enabled as part of https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1866909 LTC-184073. Which keys are present in firmware / get loaded into .platform because of that? I would have expected Canonical keys to be loaded by that into the .platform keyring, or is that not the case?

Can you please share the contents of "powerpc:db"? Ideally it should contain Canonical's two OPAL signing certs.

If Canonical keys are not in "powerpc:db", does it make sense to then add the two Canonical keys to the .builtin_trusted_keys_keyring, and then link the whole keyring into the .ima keyring?

I will attach the two Canonical OPAL signing keys here, and the ESL for them.