RFC: Inclusion of Secure Boot Key Manager
Eric Richter
erichte at linux.vnet.ibm.com
Fri Jan 13 12:17:16 AEDT 2017

On 01/12/2017 04:37 PM, Stewart Smith wrote:
> Eric Richter <erichte at linux.vnet.ibm.com> writes:
>> The second option requires a bit of abstraction between potential secure
>> boot key mechanisms. POWER and x86 both have a similar key hierarchy, so
>> the Petitboot front-end would be identical, but the method for how the
>> keys are manipulated under the hood would need to be implemented per
>> platform (x86 using efivars or similar, POWER via pnor).
>
> There's no reason we couldn't write a file system that looks like
> efivars but does whatever it is we need under the hood.
>
> I've been thinking for a little while that a dummy "opalfs" that gives a
> nice file based interface to various things that are relevant may be
> better than our current way of direct pnor access/misc sysfs files/ipmi/etc.
>
This sounds useful for potentially providing an auditable trail too,
rather than ambiguous direct accesses to pnor (theoretically could log
in-kernel what is manipulated).

Either way, I like the idea of this if not only to have a similar
interface as on other platforms. Has any development consideration been
put into an opalfs, or is it just a wandering thought at the moment?

Thanks,
Eric Richter