[Bug 2064345] Re: Power guest secure boot with key management: userspace portion

Frank Heimes 2064345 at bugs.launchpad.net
Wed Jun 5 08:58:01 UTC 2024 

Since this is about a new ppc64el specific tool ("secvarctl", that does not yet exists in LP),
I'll marked this ticket as temp. affecting "powerpc-utils", until we have a first upload.

** Changed in: ubuntu-power-systems
     Assignee: (unassigned) => Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)

** Changed in: linux (Ubuntu)
     Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) => (unassigned)

** Package changed: linux (Ubuntu) => powerpc-utils (Ubuntu)

** Changed in: powerpc-utils (Ubuntu)
     Assignee: (unassigned) => Patricia Domingues (patriciasd)

** Changed in: ubuntu-power-systems
   Importance: Undecided => High

** Changed in: powerpc-utils (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to powerpc-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2064345

Title:
  Power guest secure boot with key management: userspace portion

Status in The Ubuntu-power-systems project:
  New
Status in powerpc-utils package in Ubuntu:
  New

Bug description:
  Covering the userspace portion (secvarctl)

  Feature:

  This feature comprises PowerVM LPAR guest OS kernel verification to
  extend the chain of trust from partition firmware to the OS kernel and
  includes key management.  GRUB and the host OS kernel are signed with
  2 separate public key pairs.  Partition firmware includes the the
  public verification key for GRUB in its build and uses it to verify
  GRUB.  GRUB includes the public verification key for the OS kernel in
  its build and uses it to verify the OS kernel image

  Test case:

  If secure boot is switched off, any GRUB and kernel boots.
  If secure boot is switched on:
    - Properly signed GRUB boots.
    - Improperly signed GRUB does not boot.
    - Tampered signed GRUB does not boot.
    - Properly signed kernels boot.
    - Improperly signed kernels do not boot.
    - Tampered signed kernels do not boot.
  TPM PCRs are extended roughly following the TCG PC Client and UEFI specs as they apply to POWER.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/2064345/+subscriptions

More information about the foundations-bugs mailing list