Power guest secure boot with key management: userspace portion

Bug #2064345 reported by bugproxy
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
The Ubuntu-power-systems project
New
High
Ubuntu on IBM Power Systems Bug Triage
powerpc-utils (Ubuntu)
New
High
Patricia Domingues

Bug Description

Covering the userspace portion (secvarctl)

Feature:

This feature comprises PowerVM LPAR guest OS kernel verification to extend the chain of trust from partition firmware to the OS kernel and includes key management. GRUB and the host OS kernel are signed with 2 separate public key pairs. Partition firmware includes the the public verification key for GRUB in its build and uses it to verify GRUB. GRUB includes the public verification key for the OS kernel in its build and uses it to verify the OS kernel image

Test case:

If secure boot is switched off, any GRUB and kernel boots.
If secure boot is switched on:
  - Properly signed GRUB boots.
  - Improperly signed GRUB does not boot.
  - Tampered signed GRUB does not boot.
  - Properly signed kernels boot.
  - Improperly signed kernels do not boot.
  - Tampered signed kernels do not boot.
TPM PCRs are extended roughly following the TCG PC Client and UEFI specs as they apply to POWER.

bugproxy (bugproxy)
tags: added: architecture-ppc64le bugnameltc-205843 severity-critical targetmilestone-inin2404
Changed in ubuntu:
assignee: nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
affects: ubuntu → linux (Ubuntu)
bugproxy (bugproxy)
tags: added: targetmilestone-inin2410
removed: targetmilestone-inin2404
Revision history for this message
Frank Heimes (fheimes) wrote :

Since this is about a new ppc64el specific tool ("secvarctl", that does not yet exists in LP),
I'll marked this ticket as temp. affecting "powerpc-utils", until we have a first upload.

Changed in ubuntu-power-systems:
assignee: nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
Changed in linux (Ubuntu):
assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) → nobody
affects: linux (Ubuntu) → powerpc-utils (Ubuntu)
Changed in powerpc-utils (Ubuntu):
assignee: nobody → Patricia Domingues (patriciasd)
Changed in ubuntu-power-systems:
importance: Undecided → High
Changed in powerpc-utils (Ubuntu):
importance: Undecided → High
Revision history for this message
Frank Heimes (fheimes) wrote :

I'm assuming that this is the upstream repository of 'secvarctl':
https://github.com/open-power/secvarctl

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.