[PATCH 1/2] Add support for GPG signature enforcement on booted

Timothy Pearson tpearson at raptorengineering.com
Fri Oct 14 02:08:58 AEDT 2016

On 10/13/2016 02:06 AM, Stewart Smith wrote:
> Timothy Pearson <tpearson at raptorengineering.com> writes:
>> On 08/03/2016 07:12 PM, George Wilson wrote:
>>> Hi Timothy,
>>> Thanks for this feedback!  It will help us maintain our position, which
>>> I hope you'll find congenial.
>>> I can't speak for IBM or manufacturer policies.  However, our team's
>>> intent from an overall OpenPOWER perspective is to permit owners to sign
>>> their own firmware with their own keys.  Further, we intend for owners to
>>> be able to sign their own host/NV kernels.  We plan to make the full code
>>> for the secure boot and trusted boot features available via the OpenPOWER
>>> github project.  How individual manufacturers choose to apply OpenPOWER
>>> designs is outside of our control.  However, our approach will be
>>> completely open by default with no manufacturer interaction required by
>>> end users to sign their own bits.  I hope that OpenPOWER partners will
>>> see the wisdom of letting customers control their own machines.  Others
>>> in the broader IBM Linux Technology Center team are fully supportive of
>>> (and even demanding) this stance.  So I think we're in violent agreement
>>> with you.
>>> Regards,
>>> George
>> Very glad to hear it!  Fully understood on the vendors (we've already
>> passed up OpenPOWER vendors that have decided to lock down their
>> machines), but as long as the core platform remains under owner control
>> I don't see any long-term problems with this approach.
> for certain definitions of locked :)
> so... the OpenPOWER Ready working group is getting off the ground as
> part of the OpenPOWER foundation and its job is to maintain the
> OpenPOWER Ready definition.
> I think it's important that we solidify some of these things in that
> definition and use OpenPOWER Ready to help mean *open* in regards to
> this sort of thing, or at least define the levels and have vendors be
> open and transparent.
> Would you be willing to join that workgroup?

Absolutely!  This functionality is vital for us and many of our
customers, and I would be honored to assist in keeping these machines
truly owner-controlled.

-- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)


More information about the Petitboot mailing list