Comment 8 for bug 1903288

------- Comment From <email address hidden> 2020-12-17 19:59 EDT-------
I checked out LP: #1643652. I don't know why we asked for IMA_X509_PATH there, we don't need it for OpenPower secure boot.

For guest secure boot, the end goal of my request here is to get the pieces in place to enable signed kexec - at least for the kdump case. Under secure boot, only signed kernels can be kexeced. The kernel will verify the appended signature against the .platform and .ima keyrings. The .platform keyring is fine on OpenPower secure boot and UEFI secure boot because the keyring gets populated by keys out of firmware. However, at the moment pseries firmware doesn't have any mechanism to expose trusted keys (this will change with the full key management solution!), so nothing ends up in .platform. So we want to get a key into the .ima keychain instead.

IMA_X509_PATH purports to achieve this, but unfortunately just setting it isn't quite sufficient. The key will only be loaded into the .ima keychain if it's signed by a key already trusted by the kernel, that is, in .builtin_trusted_keys.

(I discovered recently that it's also possible to load a key into .ima at runtime with keyctl, so loading the key as part of the kexec scripts could be an alternative. However, this also requires that the key being loaded into .ima be trusted by the kernel.)

So, what I think I need is:

- the key that signs the kernel on the filesystem so that it can be loaded by IMA_X509_PATH or keyctl.

- the CA key that signs the kernel-signing key to be trusted by the kernel by being included in the .pem file that gets loaded by CONFIG_SYSTEM_TRUSTED_KEYS.