[PATCH 3/3] integrity/platform_certs: Allow loading of keys in static key management mode
Srish Srinivasan
ssrish at linux.ibm.com
Wed May 7 05:00:36 AEST 2025
On 5/5/25 1:25 PM, Andrew Donnellan wrote:
> On Wed, 2025-04-30 at 14:33 +0530, Srish Srinivasan wrote:
>> On PLPKS enabled PowerVM LPAR, there is no provision to load signed
>> third-party kernel modules when the key management mode is static. This
>> is because keys from secure boot secvars are only loaded when the key
>> management mode is dynamic.
>>
>> Allow loading of the trustedcadb and moduledb keys even in the static
>> key management mode, where the secvar format string takes the form
>> "ibm,plpks-sb-v0".
>>
>> Signed-off-by: Srish Srinivasan <ssrish at linux.ibm.com>
>> Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>
>> Reviewed-by: Stefan Berger <stefanb at linux.ibm.com>
> Reviewed-by: Andrew Donnellan <ajd at linux.ibm.com>
Hi Andrew,
Thanks a lot for the review.
Thanks and Regards,
Srish
>> ---
>> security/integrity/platform_certs/load_powerpc.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/security/integrity/platform_certs/load_powerpc.c
>> b/security/integrity/platform_certs/load_powerpc.c
>> index c85febca3343..714c961a00f5 100644
>> --- a/security/integrity/platform_certs/load_powerpc.c
>> +++ b/security/integrity/platform_certs/load_powerpc.c
>> @@ -75,12 +75,13 @@ static int __init load_powerpc_certs(void)
>> return -ENODEV;
>>
>> // Check for known secure boot implementations from OPAL or
>> PLPKS
>> - if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-
>> sb-v1", buf)) {
>> + if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-
>> sb-v1", buf) &&
>> + strcmp("ibm,plpks-sb-v0", buf)) {
>> pr_err("Unsupported secvar implementation \"%s\",
>> not loading certs\n", buf);
>> return -ENODEV;
>> }
>>
>> - if (strcmp("ibm,plpks-sb-v1", buf) == 0)
>> + if (strcmp("ibm,plpks-sb-v1", buf) == 0 ||
>> strcmp("ibm,plpks-sb-v0", buf) == 0)
>> /* PLPKS authenticated variables ESL data is
>> prefixed with 8 bytes of timestamp */
>> offset = 8;
>>
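Review bot: the second change extends the `offset = 8` timestamp skip to "ibm,plpks-sb-v0", but the commit message only says that static-mode secvars use that format string; it should also state that the 8-byte timestamp prefix on the ESL data applies to the v0 format as it does to v1, since that is what the change relies on. As a style point, the same two PLPKS strings are now compared in both conditions; a local `bool is_plpks = !strcmp("ibm,plpks-sb-v1", buf) || !strcmp("ibm,plpks-sb-v0", buf);` computed once would keep the two checks from drifting apart if another format string is added later.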