[PATCH v2 0/6] Appended signatures support for IMA appraisal
Thiago Jung Bauermann
bauerman at linux.vnet.ibm.com
Sat Jun 10 07:19:19 AEST 2017
Michael Ellerman <mpe at ellerman.id.au> writes:
> Thiago Jung Bauermann <bauerman at linux.vnet.ibm.com> writes:
>
>> On the OpenPOWER platform, secure boot and trusted boot are being
>> implemented using IMA for taking measurements and verifying signatures.
>
> I still want you to implement arch_kexec_kernel_verify_sig() as well :)
Yes, I will implement it! We are still working on loading the public
keys for kernel signing from the firmware into a kernel keyring, so
there's not much point in implementing arch_kexec_kernel_verify_sig
without having that first.
The same problem also affects IMA: even with these patches, new code
still neededs to be added to make IMA use the platform keys for kernel
signature verification.
--
Thiago Jung Bauermann
IBM Linux Technology Center
More information about the Linuxppc-dev
mailing list