Date: Fri, 5 Nov 2021 14:14:01 +0100
From: Michal Suchánek
To: Daniel Axtens
Cc: Thiago Jung Bauermann, Rob Herring, Vasily Gorbik,
 linux-s390@vger.kernel.org, Heiko Carstens, linux-kernel@vger.kernel.org,
 David Howells, Lakshmi Ramasubramanian, Luis Chamberlain,
 keyrings@vger.kernel.org, Paul Mackerras, Frank van der Linden, Jessica Yu,
 Alexander Gordeev, linuxppc-dev@lists.ozlabs.org, Christian Borntraeger,
 Hari Bathini
Subject: Re: [PATCH 0/3] KEXEC_SIG with appended signature
Message-ID: <20211105131401.GL11195@kunlun.suse.cz>
In-Reply-To: <87czneeurr.fsf@dja-thinkpad.axtens.net>
List-Id: Linux on PowerPC Developers Mail List

On Fri, Nov 05, 2021 at 09:55:52PM +1100, Daniel Axtens wrote:
> Michal Suchanek writes:
>
> > S390 uses appended signature for kernel but implements the check
> > separately from module loader.
> >
> > Support for secure boot on powerpc with appended signature is planned -
> > grub patches submitted upstream but not yet merged.
>
> Power Non-Virtualised / OpenPower already supports secure boot via kexec
> with signature verification via IMA. I think you have now sent a
> follow-up series that merges some of the IMA implementation, I just
> wanted to make sure it was clear that we actually already have support

So are IMA_KEXEC and KEXEC_SIG redundant?

I see some architectures have both. I also see there is a lot of overlap
between the IMA framework and the KEXEC_SIG and MODULE_SIG.

Thanks

Michal