Comment 27 for bug 1903288
Revision history for this message
| bugproxy (bugproxy) wrote Comment bridged from LTC Bugzilla | #27 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
------- Comment From <email address hidden> 2021-05-19 16:51 EDT-------
(In reply to comment #28)
> @Nayna Jain @Daniel
>
> Hm.... but we have CONFIG_
> the only thing that loads keys into .platform keyring which was enabled as
> part of https:/
> LTC-184073 . Which keys are present in firmware / get loaded into .platform
> because of that? I would have expected canonical keys to be loaded by that
> into the .platform keyring, or is that not the case?
Hi,
Yes you are right that CONFIG_
>
> Can you please share contents of "powerpc:db"? Ideally it should contain
> Canonical's two OPAL signing certs.
>
> If canonical keys are not in "powerpc:db", does it make sense to then add
> the two Canonical keys to the .builtin_
> the whole keyring into .ima keyring?
>
> I will attach the two Canonical OPAL signing keys here, and the ESL for them.
The final conclusion was to add a config option for PLATFORM KEYRING similar to SYSTEM_TRUSTED_KEYS mechanism. It would allow loading additional keys compiled into the kernel to be loaded only to .platform keyring. This would be in addition to the existing support for loading firmware keys at runtime on the platfom keyring. It aligns with xnox comment dated "2012-03-18".
At some point we will probably close the loop hole that allows self signed certificates loaded onto the builtin keyring to be loaded onto the IMA keyring. It's better to define a mechanism for loading additional certs on the platform keyring that would work today and will continue to work in the future.
I am supposed to start looking at the patches. I would be starting to look at them in June timeframe.
Thanks & Regards,
- Nayna