[Skiboot] [PATCH] libstb/secureboot: Disable secureboot in OPAL by nvram

Nayna Jain nayna at linux.vnet.ibm.com
Fri May 11 21:22:20 AEST 2018



On 05/09/2018 02:40 PM, Pridhiviraj Paidipeddi wrote:
> Currently custom debug petitboot kernels failed to boot on secureboot
> enabled systems as the key verification fails results in enforcing the
> boot. Due to which debugging any problems in petitboot kernel in secure
> boot enabled systems become hard.
> This patch provides a way to disable secureboot in OPAL by using below
> nvram command.

Petitboot verification should not be disabled if firmware secure boot is 
on. Its only Host OS kernel
for which we can have the switch.

This patch can result in a loophole where someone as application user 
can disable
verification of petitboot kernel using nvram utility.

Thanks & Regards,
    - Nayna

> nvram -p ibm,skiboot --update-config force-secure-mode=false
>
> Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe at linux.vnet.ibm.com>
> ---
>   libstb/secureboot.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/libstb/secureboot.c b/libstb/secureboot.c
> index 348acf5..8c8a9d6 100644
> --- a/libstb/secureboot.c
> +++ b/libstb/secureboot.c
> @@ -107,6 +107,9 @@ void secureboot_init(void)
>   	if (nvram_query_eq("force-secure-mode", "always")) {
>   		secure_mode = true;
>   		prlog(PR_NOTICE, "secure mode on (FORCED by nvram)\n");
> +	} else if (nvram_query_eq("force-secure-mode", "false")) {
> +		secure_mode = false;
> +		prlog(PR_NOTICE, "secure mode off (FORCED by nvram)\n");
>   	} else {
>   		secure_mode = dt_has_node_property(node, "secure-enabled", NULL);
>   		prlog(PR_NOTICE, "secure mode %s\n",



More information about the Skiboot mailing list