[PATCH 1/2] Add support for GPG signature enforcement on booted
Stewart Smith
stewart at linux.vnet.ibm.com
Thu Oct 13 18:06:26 AEDT 2016
Timothy Pearson <tpearson at raptorengineering.com> writes:
> On 08/03/2016 07:12 PM, George Wilson wrote:
>> Hi Timothy,
>>
>> Thanks for this feedback! It will help us maintain our position, which
>> I hope you'll find congenial.
>>
>> I can't speak for IBM or manufacturer policies. However, our team's
>> intent from an overall OpenPOWER perspective is to permit owners to sign
>> their own firmware with their own keys. Further, we intend for owners to
>> be able to sign their own host/NV kernels. We plan to make the full code
>> for the secure boot and trusted boot features available via the OpenPOWER
>> github project. How individual manufacturers choose to apply OpenPOWER
>> designs is outside of our control. However, our approach will be
>> completely open by default with no manufacturer interaction required by
>> end users to sign their own bits. I hope that OpenPOWER partners will
>> see the wisdom of letting customers control their own machines. Others
>> in the broader IBM Linux Technology Center team are fully supportive of
>> (and even demanding) this stance. So I think we're in violent agreement
>> with you.
>>
>> Regards,
>> George
>
> Very glad to hear it! Fully understood on the vendors (we've already
> passed up OpenPOWER vendors that have decided to lock down their
> machines), but as long as the core platform remains under owner control
> I don't see any long-term problems with this approach.
for certain definitions of locked :)
so... the OpenPOWER Ready working group is getting off the ground as
part of the OpenPOWER foundation and its job is to maintain the
OpenPOWER Ready definition.
I think it's important that we solidify some of these things in that
definition and use OpenPOWER Ready to help mean *open* in regards to
this sort of thing, or at least define the levels and have vendors be
open and transparent.
Would you be willing to join that workgroup?
--
Stewart Smith
OPAL Architect, IBM.