Message ID | 20250430090350.30023-4-ssrish@linux.ibm.com (mailing list archive) |
---|---|
State | Superseded |
Series | Enhancements to the secvar interface in static key management mode |
On 4/30/25 5:03 AM, Srish Srinivasan wrote: > On PLPKS enabled PowerVM LPAR, there is no provision to load signed > third-party kernel modules when the key management mode is static. This > is because keys from secure boot secvars are only loaded when the key > management mode is dynamic. > > Allow loading of the trustedcadb and moduledb keys even in the static > key management mode, where the secvar format string takes the form > "ibm,plpks-sb-v0". Reviewed-by: Nayna Jain <nayna@linux.ibm.com> Thanks & Regards, - Nayna > > Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> > --- > security/integrity/platform_certs/load_powerpc.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c > index c85febca3343..714c961a00f5 100644 > --- a/security/integrity/platform_certs/load_powerpc.c > +++ b/security/integrity/platform_certs/load_powerpc.c > @@ -75,12 +75,13 @@ static int __init load_powerpc_certs(void) > return -ENODEV; > > // Check for known secure boot implementations from OPAL or PLPKS > - if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf)) { > + if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf) && > + strcmp("ibm,plpks-sb-v0", buf)) { > pr_err("Unsupported secvar implementation \"%s\", not loading certs\n", buf); > return -ENODEV; > } > > - if (strcmp("ibm,plpks-sb-v1", buf) == 0) > + if (strcmp("ibm,plpks-sb-v1", buf) == 0 || strcmp("ibm,plpks-sb-v0", buf) == 0) > /* PLPKS authenticated variables ESL data is prefixed with 8 bytes of timestamp */ > offset = 8; >
On Wed, 2025-04-30 at 14:33 +0530, Srish Srinivasan wrote: > On PLPKS enabled PowerVM LPAR, there is no provision to load signed > third-party kernel modules when the key management mode is static. > This > is because keys from secure boot secvars are only loaded when the key > management mode is dynamic. > > Allow loading of the trustedcadb and moduledb keys even in the static > key management mode, where the secvar format string takes the form > "ibm,plpks-sb-v0". > > Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com> > --- > security/integrity/platform_certs/load_powerpc.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/platform_certs/load_powerpc.c > b/security/integrity/platform_certs/load_powerpc.c > index c85febca3343..714c961a00f5 100644 > --- a/security/integrity/platform_certs/load_powerpc.c > +++ b/security/integrity/platform_certs/load_powerpc.c > @@ -75,12 +75,13 @@ static int __init load_powerpc_certs(void) > return -ENODEV; > > // Check for known secure boot implementations from OPAL or > PLPKS > - if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks- > sb-v1", buf)) { > + if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks- > sb-v1", buf) && > + strcmp("ibm,plpks-sb-v0", buf)) { > pr_err("Unsupported secvar implementation \"%s\", > not loading certs\n", buf); > return -ENODEV; > } > > - if (strcmp("ibm,plpks-sb-v1", buf) == 0) > + if (strcmp("ibm,plpks-sb-v1", buf) == 0 || > strcmp("ibm,plpks-sb-v0", buf) == 0) > /* PLPKS authenticated variables ESL data is > prefixed with 8 bytes of timestamp */ > offset = 8; >
On 5/5/25 1:25 PM, Andrew Donnellan wrote: > On Wed, 2025-04-30 at 14:33 +0530, Srish Srinivasan wrote: >> On PLPKS enabled PowerVM LPAR, there is no provision to load signed >> third-party kernel modules when the key management mode is static. >> This >> is because keys from secure boot secvars are only loaded when the key >> management mode is dynamic. >> >> Allow loading of the trustedcadb and moduledb keys even in the static >> key management mode, where the secvar format string takes the form >> "ibm,plpks-sb-v0". >> >> Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com> >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> >> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> > Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com> Hi Andrew, Thanks a lot for the review. Thanks and Regards, Srish >> --- >> security/integrity/platform_certs/load_powerpc.c | 5 +++-- >> 1 file changed, 3 insertions(+), 2 deletions(-) >> >> diff --git a/security/integrity/platform_certs/load_powerpc.c >> b/security/integrity/platform_certs/load_powerpc.c >> index c85febca3343..714c961a00f5 100644 >> --- a/security/integrity/platform_certs/load_powerpc.c >> +++ b/security/integrity/platform_certs/load_powerpc.c >> @@ -75,12 +75,13 @@ static int __init load_powerpc_certs(void) >> return -ENODEV; >> >> // Check for known secure boot implementations from OPAL or >> PLPKS >> - if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks- >> sb-v1", buf)) { >> + if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks- >> sb-v1", buf) && >> + strcmp("ibm,plpks-sb-v0", buf)) { >> pr_err("Unsupported secvar implementation \"%s\", >> not loading certs\n", buf); >> return -ENODEV; >> } >> >> - if (strcmp("ibm,plpks-sb-v1", buf) == 0) >> + if (strcmp("ibm,plpks-sb-v1", buf) == 0 || >> strcmp("ibm,plpks-sb-v0", buf) == 0) >> /* PLPKS authenticated variables ESL data is >> prefixed with 8 bytes of timestamp */ >> offset = 8; >>
diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c index c85febca3343..714c961a00f5 100644 --- a/security/integrity/platform_certs/load_powerpc.c +++ b/security/integrity/platform_certs/load_powerpc.c @@ -75,12 +75,13 @@ static int __init load_powerpc_certs(void) return -ENODEV; // Check for known secure boot implementations from OPAL or PLPKS - if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf)) { + if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf) && + strcmp("ibm,plpks-sb-v0", buf)) { pr_err("Unsupported secvar implementation \"%s\", not loading certs\n", buf); return -ENODEV; } - if (strcmp("ibm,plpks-sb-v1", buf) == 0) + if (strcmp("ibm,plpks-sb-v1", buf) == 0 || strcmp("ibm,plpks-sb-v0", buf) == 0) /* PLPKS authenticated variables ESL data is prefixed with 8 bytes of timestamp */ offset = 8;
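Review bot: In the second changed condition, offset = 8 now also applies to "ibm,plpks-sb-v0", but the comment directly under it still justifies the skip by saying that PLPKS authenticated variables have ESL data prefixed with 8 bytes of timestamp, and the commit message never says that variables in static key management mode share that layout. Please state in the commit message or in that comment that v0 data carries the same 8-byte prefix, since otherwise ESL parsing would begin 8 bytes into the list. Separately, the commit message names only trustedcadb and moduledb, while the visible lines add v0 to the accepted format strings without any per-variable distinction, so it is worth saying which variables are expected to be present in static mode.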