[Skiboot] [PATCH] libstb/secureboot: Disable secureboot in OPAL by nvram

Pridhiviraj Paidipeddi ppaidipe at linux.vnet.ibm.com
Wed May 9 19:10:24 AEST 2018

Currently, custom debug petitboot kernels fail to boot on secureboot
enabled systems, as the key verification failure results in enforcing
the boot. Because of this, debugging any problems in the petitboot kernel
on secure boot enabled systems becomes hard.
This patch provides a way to disable secureboot in OPAL by using the
nvram command below.
nvram -p ibm,skiboot --update-config force-secure-mode=false

Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe at linux.vnet.ibm.com>
 libstb/secureboot.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libstb/secureboot.c b/libstb/secureboot.c
index 348acf5..8c8a9d6 100644
--- a/libstb/secureboot.c
+++ b/libstb/secureboot.c
@@ -107,6 +107,9 @@ void secureboot_init(void)
 	if (nvram_query_eq("force-secure-mode", "always")) {
 		secure_mode = true;
 		prlog(PR_NOTICE, "secure mode on (FORCED by nvram)\n");
+	} else if (nvram_query_eq("force-secure-mode", "false")) {
+		secure_mode = false;
+		prlog(PR_NOTICE, "secure mode off (FORCED by nvram)\n");
 	} else {
 		secure_mode = dt_has_node_property(node, "secure-enabled", NULL);
 		prlog(PR_NOTICE, "secure mode %s\n",
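
Review bot: the new `else if (nvram_query_eq("force-secure-mode", "false"))` branch sets `secure_mode = false` before the device tree's "secure-enabled" property is consulted, so a value in writable nvram overrides the platform's secure-boot state and leaves only a PR_NOTICE line behind. Consider honouring "false" only when `dt_has_node_property(node, "secure-enabled", NULL)` is not set, or gating the override on a debug build or another explicit platform condition, and log it at a higher level than PR_NOTICE, saying that secure mode was turned off on a secure-enabled system. The new value should also be documented next to the existing "always" setting; the pairing "always"/"false" is asymmetric, and a value such as "never" would read more consistently.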
