Re: [PATCH v2 0/6] Appended signatures support for IMA appraisal

From: Thiago Jung Bauermann
Date: Fri Jun 09 2017 - 17:20:06 EST

Next message: Tom Lendacky: "Re: [PATCH v6 10/34] x86, x86/mm, x86/xen, olpc: Use __va() against just the physical address in cr3"
Previous message: Joe Perches: "[PATCH] hil_kbd: Use more common logging style"
In reply to: Michael Ellerman: "Re: [PATCH v2 0/6] Appended signatures support for IMA appraisal"
Next in thread: Michael Ellerman: "Re: [PATCH v2 0/6] Appended signatures support for IMA appraisal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Michael Ellerman <mpe@xxxxxxxxxxxxxx> writes:

> Thiago Jung Bauermann <bauerman@xxxxxxxxxxxxxxxxxx> writes:
>
>> On the OpenPOWER platform, secure boot and trusted boot are being
>> implemented using IMA for taking measurements and verifying signatures.
>
> I still want you to implement arch_kexec_kernel_verify_sig() as well :)

Yes, I will implement it! We are still working on loading the public
keys for kernel signing from the firmware into a kernel keyring, so
there's not much point in implementing arch_kexec_kernel_verify_sig
without having that first.

The same problem also affects IMA: even with these patches, new code
still neededs to be added to make IMA use the platform keys for kernel
signature verification.

--
Thiago Jung Bauermann
IBM Linux Technology Center

Next message: Tom Lendacky: "Re: [PATCH v6 10/34] x86, x86/mm, x86/xen, olpc: Use __va() against just the physical address in cr3"
Previous message: Joe Perches: "[PATCH] hil_kbd: Use more common logging style"
In reply to: Michael Ellerman: "Re: [PATCH v2 0/6] Appended signatures support for IMA appraisal"
Next in thread: Michael Ellerman: "Re: [PATCH v2 0/6] Appended signatures support for IMA appraisal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]