[RFC PATCH 0/2] powerpc/pseries: add support for local secure storage called Platform Keystore(PKS)
Greg KH
gregkh at linuxfoundation.org
Sat Jan 22 18:29:21 AEDT 2022
On Fri, Jan 21, 2022 at 07:56:35PM -0500, Nayna Jain wrote:
> PowerVM provides an isolated Platform Keystore(PKS) storage allocation
> for each partition with individually managed access controls to store
> sensitive information securely. Linux Kernel can access this storage by
> interfacing with hypervisor using a new set of hypervisor calls.
>
> PowerVM guest secure boot intend to use Platform Keystore for the
> purpose of storing public keys. Secure boot requires public keys to
> be able to verify the grub and boot kernel. To allow authenticated
> manipulation of keys, it supports variables to store key authorities
> - PK/KEK and code signing keys - db. It also supports denied list to
> disallow booting even if signed with valid key. This is done via
> denied list database - dbx or sbat. These variables would be stored in
> PKS, and are managed and controlled by firmware.
>
> The purpose of this patchset is to add support for users to
> read/write/add/delete variables required for secure boot on PowerVM.
Ok, this is like the 3rd or 4th different platform-specific proposal for
this type of functionality. I think we need to give up on
platform-specific user/kernel apis on this (random sysfs/securityfs
files scattered around the tree), and come up with a standard place for
all of this.
Please work with the other developers of the other drivers for this to
make this unified so that userspace has a chance to use this in a sane
manner.
thanks,
greg k-h
More information about the Linuxppc-dev
mailing list