[PATCH 2/2] Add encrypted file support

[Stewart Smith]

Samuel Mendoza-Jonas <sam at ozlabs.au.ibm.com> writes:
> On Tue, 2016-08-02 at 22:07 -0500, Timothy Pearson wrote:
>> On 08/01/2016 11:16 PM, Samuel Mendoza-Jonas wrote:
>> > 
>> > On Mon, 2016-08-01 at 12:10 -0500, Timothy Pearson wrote:
>> > 
>> > What is the origin of the pb-lockdown file? Is it possible to verify
>> > that it hasn't been tampered with (ie. if a user has managed to drop to
>> > the shell)? Presumably this assumes the initrd from the PNOR can be
>> > trusted.
>> 
>> It is generated when the initrd is created, along with preloading the
>> root GPG keyring with the machine owner's keys.  Our risk model assumes
>> that the initrd, kernel, and root userspace are not compromised, as a
>> compromise in any one of those three would allow unauthorised access by
>> definition.
>
> Right
>
>> 
>> This is only one link in the security chain -- our next steps will be to
>> sign the petitboot kernel and initrd in PNOR and verify those signatures
>> from the firmware itself.  These patches at least allow a
>> write-protected firmware image to boot a secure operating system if the
>> machine is also located in a physically secure environment.
>
> In that case you should definitely have a look at what some IBM people
> are doing in that area to bring trusted boot to op-build.
> Stewart - are there some posted/merged patches to that effect that
> illustrate what IBM has done so far?

https://github.com/open-power/skiboot/blob/master/doc/stb.rst
and
https://github.com/open-power/skiboot/blob/master/doc/device-tree/ibm%2Csecureboot.rst

very recently merged into skiboot master and are probably the current
best starting points for the state of Trusted Boot work that's been
going on. It's not complete, but we're on our way to have something.

With a bit of fiddling you can even get things kind of going in Mambo.

-- 
Stewart Smith
OPAL Architect, IBM.