From: Greg KH <gregkh@linuxfoundation.org>
To: Nayna Jain <nayna@linux.ibm.com>
Cc: linux-kernel@vger.kernel.org,
Douglas Miller <dougmill@linux.vnet.ibm.com>,
George Wilson <gcwilson@linux.ibm.com>,
linuxppc-dev@lists.ozlabs.org, gjoyce@ibm.com,
Daniel Axtens <dja@axtens.net>
Subject: Re: [RFC PATCH 0/2] powerpc/pseries: add support for local secure storage called Platform Keystore(PKS)
Date: Sat, 22 Jan 2022 08:29:21 +0100 [thread overview]
Message-ID: <YeuyUVVdFADCuDr4@kroah.com> (raw)
In-Reply-To: <20220122005637.28199-1-nayna@linux.ibm.com>
On Fri, Jan 21, 2022 at 07:56:35PM -0500, Nayna Jain wrote:
> PowerVM provides an isolated Platform Keystore(PKS) storage allocation
> for each partition with individually managed access controls to store
> sensitive information securely. Linux Kernel can access this storage by
> interfacing with hypervisor using a new set of hypervisor calls.
>
> PowerVM guest secure boot intend to use Platform Keystore for the
> purpose of storing public keys. Secure boot requires public keys to
> be able to verify the grub and boot kernel. To allow authenticated
> manipulation of keys, it supports variables to store key authorities
> - PK/KEK and code signing keys - db. It also supports denied list to
> disallow booting even if signed with valid key. This is done via
> denied list database - dbx or sbat. These variables would be stored in
> PKS, and are managed and controlled by firmware.
>
> The purpose of this patchset is to add support for users to
> read/write/add/delete variables required for secure boot on PowerVM.
Ok, this is like the 3rd or 4th different platform-specific proposal for
this type of functionality. I think we need to give up on
platform-specific user/kernel apis on this (random sysfs/securityfs
files scattered around the tree), and come up with a standard place for
all of this.
Please work with the other developers of the other drivers for this to
make this unified so that userspace has a chance to use this in a sane
manner.
thanks,
greg k-h
WARNING: multiple messages have this Message-ID (diff)
From: Greg KH <gregkh@linuxfoundation.org>
To: Nayna Jain <nayna@linux.ibm.com>
Cc: linuxppc-dev@lists.ozlabs.org,
Michael Ellerman <mpe@ellerman.id.au>,
Daniel Axtens <dja@axtens.net>,
George Wilson <gcwilson@linux.ibm.com>,
Douglas Miller <dougmill@linux.vnet.ibm.com>,
gjoyce@ibm.com, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH 0/2] powerpc/pseries: add support for local secure storage called Platform Keystore(PKS)
Date: Sat, 22 Jan 2022 08:29:21 +0100 [thread overview]
Message-ID: <YeuyUVVdFADCuDr4@kroah.com> (raw)
In-Reply-To: <20220122005637.28199-1-nayna@linux.ibm.com>
On Fri, Jan 21, 2022 at 07:56:35PM -0500, Nayna Jain wrote:
> PowerVM provides an isolated Platform Keystore(PKS) storage allocation
> for each partition with individually managed access controls to store
> sensitive information securely. Linux Kernel can access this storage by
> interfacing with hypervisor using a new set of hypervisor calls.
>
> PowerVM guest secure boot intend to use Platform Keystore for the
> purpose of storing public keys. Secure boot requires public keys to
> be able to verify the grub and boot kernel. To allow authenticated
> manipulation of keys, it supports variables to store key authorities
> - PK/KEK and code signing keys - db. It also supports denied list to
> disallow booting even if signed with valid key. This is done via
> denied list database - dbx or sbat. These variables would be stored in
> PKS, and are managed and controlled by firmware.
>
> The purpose of this patchset is to add support for users to
> read/write/add/delete variables required for secure boot on PowerVM.
Ok, this is like the 3rd or 4th different platform-specific proposal for
this type of functionality. I think we need to give up on
platform-specific user/kernel apis on this (random sysfs/securityfs
files scattered around the tree), and come up with a standard place for
all of this.
Please work with the other developers of the other drivers for this to
make this unified so that userspace has a chance to use this in a sane
manner.
thanks,
greg k-h
next prev parent reply other threads:[~2022-01-22 7:30 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-22 0:56 [RFC PATCH 0/2] powerpc/pseries: add support for local secure storage called Platform Keystore(PKS) Nayna Jain
2022-01-22 0:56 ` Nayna Jain
2022-01-22 0:56 ` [RFC PATCH 1/2] pseries: define driver for Platform Keystore Nayna Jain
2022-01-22 0:56 ` Nayna Jain
2022-01-22 0:56 ` [RFC PATCH 2/2] pseries: define sysfs interface to expose PKS variables Nayna Jain
2022-01-22 0:56 ` Nayna Jain
2022-02-09 9:13 ` Dov Murik
2022-02-09 9:13 ` Dov Murik
2022-01-22 7:29 ` Greg KH [this message]
2022-01-22 7:29 ` [RFC PATCH 0/2] powerpc/pseries: add support for local secure storage called Platform Keystore(PKS) Greg KH
2022-01-24 0:25 ` Daniel Axtens
2022-01-24 0:25 ` Daniel Axtens
2022-02-01 13:49 ` Greg KH
2022-02-01 13:49 ` Greg KH
2022-02-01 15:22 ` Dave Hansen
2022-02-01 15:22 ` Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YeuyUVVdFADCuDr4@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=dja@axtens.net \
--cc=dougmill@linux.vnet.ibm.com \
--cc=gcwilson@linux.ibm.com \
--cc=gjoyce@ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=nayna@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.