[RFC PATCH 02/12] powerpc: Add support for adding an ESM blob to the zImage wrapper

Paul Mackerras paulus at ozlabs.org
Wed May 22 09:15:54 AEST 2019


On Tue, May 21, 2019 at 07:13:26AM +0200, Christoph Hellwig wrote:
> On Tue, May 21, 2019 at 01:49:02AM -0300, Thiago Jung Bauermann wrote:
> > From: Benjamin Herrenschmidt <benh at kernel.crashing.org>
> > 
> > For secure VMs, the signing tool will create a ticket called the "ESM blob"
> > for the Enter Secure Mode ultravisor call with the signatures of the kernel
> > and initrd among other things.
> > 
> > This adds support to the wrapper script for adding that blob via the "-e"
> > option to the zImage.pseries.
> > 
> > It also adds code to the zImage wrapper itself to retrieve and if necessary
> > relocate the blob, and pass its address to Linux via the device-tree, to be
> > later consumed by prom_init.
> 
> Where does the "BLOB" come from?  How is it licensed and how can we
> satisfy the GPL with it?

The blob is data, not code, and it will be created by a tool that will
be open source.  My understanding is that most of it will be encrypted
with a session key that is encrypted with the secret key of the
ultravisor.  Ram Pai's KVM Forum talk last year explained how this
works.

Paul.

