[PATCH 1/2] Add support for GPG signature enforcement on booted

Timothy Pearson tpearson at raptorengineering.com
Fri Aug 5 04:11:23 AEST 2016

On 08/03/2016 07:12 PM, George Wilson wrote:
> Hi Timothy,
> Thanks for this feedback!  It will help us maintain our position, which
> I hope you'll find congenial.
> I can't speak for IBM or manufacturer policies.  However, our team's
> intent from an overall OpenPOWER perspective is to permit owners to sign
> their own firmware with their own keys.  Further, we intend for owners to
> be able to sign their own host/NV kernels.  We plan to make the full code
> for the secure boot and trusted boot features available via the OpenPOWER
> github project.  How individual manufacturers choose to apply OpenPOWER
> designs is outside of our control.  However, our approach will be
> completely open by default with no manufacturer interaction required by
> end users to sign their own bits.  I hope that OpenPOWER partners will
> see the wisdom of letting customers control their own machines.  Others
> in the broader IBM Linux Technology Center team are fully supportive of
> (and even demanding) this stance.  So I think we're in violent agreement
> with you.
> Regards,
> George

Very glad to hear it!  Fully understood on the vendors (we've already
passed up OpenPOWER vendors that have decided to lock down their
machines), but as long as the core platform remains under owner control
I don't see any long-term problems with this approach.

On a related note, something that we would eventually like to see is the
kernel/initrd/argument signature of the kernel booted by petitboot added
as a TPM measurement, along with the signatures on the previous firmware
components.  This should handle, at least to some extent, corner cases
where physical access to the machine compromises the extant chain of
trust (e.g. direct hardware hacking).

Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
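
The measurement idea raised in the message above, as an added example that is not part of the original e-mail and is not petitboot code: a software model of a TPM PCR extend over the kernel, initrd and command line, with a verifier that replays the event log. Assumptions: a SHA-256 PCR bank, measurement of the component bytes themselves, and constructed byte strings standing in for the real boot artifacts; all function and variable names are hypothetical.

```python
import hashlib

ZERO_PCR = bytes(32)  # a SHA-256 PCR starts at all zeros after reset

def extend(pcr, digest):
    # TPM extend: new PCR = SHA-256(old PCR || measurement digest)
    return hashlib.sha256(pcr + digest).digest()

def measure_boot(components):
    """Measure ordered (name, bytes) pairs; return (final PCR, event log)."""
    pcr, log = ZERO_PCR, []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log

def verify(log, quoted_pcr, reference):
    """Replay the log against the quoted PCR, then compare each digest
    with the owner's reference values. Returns the names that differ."""
    pcr = ZERO_PCR
    for _, digest in log:
        pcr = extend(pcr, digest)
    if pcr != quoted_pcr:
        raise ValueError("event log does not reproduce the quoted PCR")
    return [name for name, digest in log if reference.get(name) != digest]

# Constructed sample data (assumption), not real boot artifacts.
KNOWN_GOOD = [
    ("kernel", b"constructed-kernel-image"),
    ("initrd", b"constructed-initrd"),
    ("cmdline", b"root=/dev/sda2 ro"),
]
REFERENCE = {n: hashlib.sha256(b).digest() for n, b in KNOWN_GOOD}

if __name__ == "__main__":
    pcr, log = measure_boot(KNOWN_GOOD)
    print("clean boot:", verify(log, pcr, REFERENCE))
    changed = KNOWN_GOOD[:2] + [("cmdline", b"root=/dev/sda2 ro debug")]
    pcr2, log2 = measure_boot(changed)
    print("changed cmdline:", verify(log2, pcr2, REFERENCE))
    print("PCR differs:", pcr2 != pcr)
```

Because each extend hashes the previous PCR value, the final value depends on every component and on their order, so a log that has been edited after the fact no longer replays to the quoted PCR.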

More information about the Petitboot mailing list