[RFC PATCH 02/12] powerpc: Add support for adding an ESM blob to the zImage wrapper
Ram Pai
linuxram at us.ibm.com
Wed May 22 01:09:35 AEST 2019
On Tue, May 21, 2019 at 07:13:26AM +0200, Christoph Hellwig wrote:
> On Tue, May 21, 2019 at 01:49:02AM -0300, Thiago Jung Bauermann wrote:
> > From: Benjamin Herrenschmidt <benh at kernel.crashing.org>
> >
> > For secure VMs, the signing tool will create a ticket called the "ESM blob"
> > for the Enter Secure Mode ultravisor call with the signatures of the kernel
> > and initrd among other things.
> >
> > This adds support to the wrapper script for adding that blob via the "-e"
> > option to the zImage.pseries.
> >
> > It also adds code to the zImage wrapper itself to retrieve and if necessary
> > relocate the blob, and pass its address to Linux via the device-tree, to be
> > later consumed by prom_init.
>
> Where does the "BLOB" come from? How is it licensed and how can we
> satisfy the GPL with it?
The "BLOB" is not a piece of code. Its just a piece of data that gets
generated by our build tools. This data contains the
signed hash of the kernel, initrd, and kernel command line parameters.
Also it contains any information that the creator the the BLOB wants to
be made available to anyone needing it, inside the
secure-virtual-machine. All of this is integrity-protected and encrypted
to safegaurd it when at rest and at runtime.
Bottomline -- Blob is data, and hence no licensing implication. And due
to some reason, even data needs to have licensing statement, we can
make it available to have no conflicts with GPL.
--
Ram Pai
More information about the Linuxppc-dev
mailing list