[PATCH 1/2] Add support for GPG signature enforcement on booted

Stewart Smith stewart at linux.vnet.ibm.com
Thu Oct 13 18:06:26 AEDT 2016

Timothy Pearson <tpearson at raptorengineering.com> writes:
> On 08/03/2016 07:12 PM, George Wilson wrote:
>> Hi Timothy,
>> Thanks for this feedback!  It will help us maintain our position, which
>> I hope you'll find congenial.
>> I can't speak for IBM or manufacturer polices.  However, our team's
>> intent from an overall OpenPOWER perspective is to permit owners to sign
>> their own firmware with their own keys.  Further, we intend for owners to
>> be able to sign their own host/NV kernels.  We plan to make the full code
>> for the secure boot and trusted boot features available via the OpenPOWER
>> github project.  How individual manufacturers choose to apply OpenPOWER
>> designs is outside of our control.  However, our approach will be
>> completely open by default with no manufacturer interaction required by
>> end users to sign their own bits.  I hope that OpenPOWER partners will
>> see the wisdom of letting customers control their own machines.  Others
>> in the broader IBM Linux Technology Center team are fully supportive of
>> (and even demanding) this stance.  So I think we're in violent agreement
>> with you.
>> Regards,
>> George
> Very glad to hear it!  Fully understood on the vendors (we've already
> passed up OpenPOWER vendors that have decided to lock down their
> machines), but as long as the core platform remains under owner control
> I don't see any long-term problems with this approach.

for certain definitions of locked :)

so... the OpenPOWER Ready working group is getting off the ground as
part of teh OpenPOWER foundation and its job is to maintain the
OpenPOWER Ready definition.

I think it's important that we solidify some of these things in that
definition and use OpenPOWER Ready to help mean *open* in regards to
this sort of thing, or at least define the levels and have vendors be
open and transparent.

Would you be willing to join that workgroup?

Stewart Smith
OPAL Architect, IBM.

More information about the Petitboot mailing list