From: Nayna Jain <nayna@linux.ibm.com>
To: Srish Srinivasan <ssrish@linux.ibm.com>,
linux-integrity@vger.kernel.org, linuxppc-dev@lists.ozlabs.org
Cc: maddy@linux.ibm.com, mpe@ellerman.id.au, npiggin@gmail.com,
christophe.leroy@csgroup.eu, naveen@kernel.org,
ajd@linux.ibm.com, zohar@linux.ibm.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/3] integrity/platform_certs: Allow loading of keys in static key management mode
Date: Wed, 30 Apr 2025 11:22:29 -0400 [thread overview]
Message-ID: <135ceca8-e98a-407f-a301-8b4720c8e8f0@linux.ibm.com> (raw)
In-Reply-To: <20250430090350.30023-4-ssrish@linux.ibm.com>
On 4/30/25 5:03 AM, Srish Srinivasan wrote:
> On PLPKS enabled PowerVM LPAR, there is no provision to load signed
> third-party kernel modules when the key management mode is static. This
> is because keys from secure boot secvars are only loaded when the key
> management mode is dynamic.
>
> Allow loading of the trustedcadb and moduledb keys even in the static
> key management mode, where the secvar format string takes the form
> "ibm,plpks-sb-v0".
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Thanks & Regards,
- Nayna
>
> Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> security/integrity/platform_certs/load_powerpc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
> index c85febca3343..714c961a00f5 100644
> --- a/security/integrity/platform_certs/load_powerpc.c
> +++ b/security/integrity/platform_certs/load_powerpc.c
> @@ -75,12 +75,13 @@ static int __init load_powerpc_certs(void)
> return -ENODEV;
>
> // Check for known secure boot implementations from OPAL or PLPKS
> - if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf)) {
> + if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf) &&
> + strcmp("ibm,plpks-sb-v0", buf)) {
> pr_err("Unsupported secvar implementation \"%s\", not loading certs\n", buf);
> return -ENODEV;
> }
>
> - if (strcmp("ibm,plpks-sb-v1", buf) == 0)
> + if (strcmp("ibm,plpks-sb-v1", buf) == 0 || strcmp("ibm,plpks-sb-v0", buf) == 0)
> /* PLPKS authenticated variables ESL data is prefixed with 8 bytes of timestamp */
> offset = 8;
>
next prev parent reply other threads:[~2025-04-30 15:22 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-30 9:03 [PATCH 0/3] Enhancements to the secvar interface in static key management mode Srish Srinivasan
2025-04-30 9:03 ` [PATCH 1/3] powerpc/pseries: Correct secvar format representation for static key management Srish Srinivasan
2025-04-30 15:20 ` Nayna Jain
2025-05-05 8:36 ` Andrew Donnellan
2025-05-06 18:59 ` Srish Srinivasan
2025-05-07 6:17 ` Andrew Donnellan
2025-05-07 15:48 ` Srish Srinivasan
2025-05-12 9:51 ` Andrew Donnellan
2025-05-12 9:55 ` Andrew Donnellan
2025-05-12 10:16 ` Srish Srinivasan
2025-05-06 19:27 ` Nayna Jain
2025-05-07 6:03 ` Andrew Donnellan
2025-04-30 9:03 ` [PATCH 2/3] powerpc/secvar: Expose secvars relevant to the key management mode Srish Srinivasan
2025-04-30 15:22 ` Nayna Jain
2025-05-05 7:23 ` Andrew Donnellan
2025-05-06 19:00 ` Srish Srinivasan
2025-04-30 9:03 ` [PATCH 3/3] integrity/platform_certs: Allow loading of keys in static " Srish Srinivasan
2025-04-30 15:22 ` Nayna Jain [this message]
2025-05-05 7:55 ` Andrew Donnellan
2025-05-06 19:00 ` Srish Srinivasan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=135ceca8-e98a-407f-a301-8b4720c8e8f0@linux.ibm.com \
--to=nayna@linux.ibm.com \
--cc=ajd@linux.ibm.com \
--cc=christophe.leroy@csgroup.eu \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=maddy@linux.ibm.com \
--cc=mpe@ellerman.id.au \
--cc=naveen@kernel.org \
--cc=npiggin@gmail.com \
--cc=ssrish@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.