[PATCH 2/2] Add encrypted file support
Stewart Smith
stewart at linux.vnet.ibm.com
Wed Aug 10 18:15:39 AEST 2016
Samuel Mendoza-Jonas <sam at ozlabs.au.ibm.com> writes:
> On Tue, 2016-08-02 at 22:07 -0500, Timothy Pearson wrote:
>> On 08/01/2016 11:16 PM, Samuel Mendoza-Jonas wrote:
>> >
>> > On Mon, 2016-08-01 at 12:10 -0500, Timothy Pearson wrote:
>> >
>> > What is the origin of the pb-lockdown file? Is it possible to verify
>> > that it hasn't been tampered with (ie. if a user has managed to drop to
>> > the shell)? Presumably this assumes the initrd from the PNOR can be
>> > trusted.
>>
>> It is generated when the initrd is created, along with preloading the
>> root GPG keyring with the machine owner's keys. Our risk model assumes
>> that the initrd, kernel, and root userspace are not compromised, as a
>> compromise in any one of those three would allow unauthorised access by
>> definition.
>
> Right
>
>>
>> This is only one link in the security chain -- our next steps will be to
>> sign the petitboot kernel and initrd in PNOR and verify those signatures
>> from the firmware itself. These patches at least allow a
>> write-protected firmware image to boot a secure operating system if the
>> machine is also located in a physically secure environment.
>
> In that case you should definitely have a look at what some IBM people
> are doing in that area to bring trusted boot to op-build.
> Stewart - are there some posted/merged patches to that effect that
> illustrate what IBM has done so far?
I'm assured that the trusted boot patches should hit my mailbox (and the
skiboot list) any day now.
Basically, keys stored in PNOR, hashes of keys on TPM. skiboot will
verify the petitboot load (i.e. the BOOTKERNEL partition, both kernel and
initramfs).
--
Stewart Smith
OPAL Architect, IBM.
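The two-step check Stewart sketches (a signing key kept in writable PNOR flash, only that key's hash anchored in the TPM, skiboot checking the key against the anchor and then the BOOTKERNEL image against the key) is modelled below as an added, stand-alone example. It is not skiboot's code or IBM's trusted-boot patches: the PNOR and TPM types, the function names, the use of Ed25519 and the constructed image bytes are all assumptions made here to illustrate why anchoring the key hash in the TPM matters when the key itself sits next to the payload an attacker can rewrite.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// PNOR models the writable flash partitions. Everything here is reachable
// by anyone who can reflash the chip, including the public key itself.
// (Hypothetical model for this example, not skiboot's data layout.)
type PNOR struct {
	PubKey     ed25519.PublicKey
	BootKernel []byte // kernel + initramfs image (BOOTKERNEL partition)
	Signature  []byte // signature over BootKernel
}

// TPM models the tamper-resistant anchor: only the hash of the owner's key.
type TPM struct {
	KeyHash [sha256.Size]byte
}

var (
	ErrKeyMismatch = errors.New("PNOR key does not match hash anchored in TPM")
	ErrBadSig      = errors.New("BOOTKERNEL signature invalid")
)

// VerifyBoot is what the firmware would do before loading petitboot:
// first bind the in-flash key to the TPM anchor, then check the image.
func VerifyBoot(tpm TPM, flash PNOR) error {
	if len(flash.PubKey) != ed25519.PublicKeySize {
		return ErrKeyMismatch
	}
	h := sha256.Sum256(flash.PubKey)
	if subtle.ConstantTimeCompare(h[:], tpm.KeyHash[:]) != 1 {
		return ErrKeyMismatch
	}
	if !ed25519.Verify(flash.PubKey, flash.BootKernel, flash.Signature) {
		return ErrBadSig
	}
	return nil
}

// Provision is the machine owner's one-time setup: generate a signing key,
// anchor its hash in the TPM, sign the image, write key+image+sig to flash.
func Provision(image []byte) (TPM, PNOR, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return TPM{}, PNOR{}, err
	}
	tpm := TPM{KeyHash: sha256.Sum256(pub)}
	flash := PNOR{PubKey: pub, BootKernel: image, Signature: ed25519.Sign(priv, image)}
	return tpm, flash, nil
}

// TamperImage flips one bit of the image in flash, leaving key and
// signature alone. The signature check must reject this.
func TamperImage(flash PNOR) PNOR {
	out := flash
	out.BootKernel = append([]byte{}, flash.BootKernel...)
	out.BootKernel[0] ^= 0x01
	return out
}

// RekeyByAttacker replaces the key in flash with the attacker's own and
// re-signs the (possibly modified) image. Trivial when the key lives in
// PNOR; only the TPM-anchored hash catches it.
func RekeyByAttacker(flash PNOR) (PNOR, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return PNOR{}, err
	}
	return PNOR{PubKey: pub, BootKernel: flash.BootKernel, Signature: ed25519.Sign(priv, flash.BootKernel)}, nil
}

func main() {
	image := []byte("constructed BOOTKERNEL image: kernel||initramfs") // constructed sample
	tpm, flash, err := Provision(image)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine image:   ", VerifyBoot(tpm, flash))
	fmt.Println("tampered image:  ", VerifyBoot(tpm, TamperImage(flash)))
	rekeyed, _ := RekeyByAttacker(TamperImage(flash))
	fmt.Println("attacker's key:  ", VerifyBoot(tpm, rekeyed))
}
```

Without the TPM step, an attacker who can write PNOR simply swaps both the key and the signature and the image verifies; the anchored hash is what turns "signed by some key in flash" into "signed by the owner's key". The remaining gap Timothy names in the thread, trusting the initrd and the pb-lockdown file it carries, is exactly what extending this check down to BOOTKERNEL is meant to close.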