[Skiboot] [PATCH] libstb/secureboot: Disable secureboot in OPAL by nvram
Nayna Jain
nayna at linux.vnet.ibm.com
Fri May 11 21:22:20 AEST 2018
On 05/09/2018 02:40 PM, Pridhiviraj Paidipeddi wrote:
> Currently custom debug petitboot kernels fail to boot on secureboot
> enabled systems, as the key verification failure results in enforcing the
> boot. Due to this, debugging any problems in the petitboot kernel on secure
> boot enabled systems becomes hard.
> This patch provides a way to disable secureboot in OPAL by using below
> nvram command.
Petitboot verification should not be disabled if firmware secure boot is
on. It's only the Host OS kernel for which we can have the switch.
This patch can result in a loophole where someone as an application user
can disable verification of the petitboot kernel using the nvram utility.
Thanks & Regards,
- Nayna
> nvram -p ibm,skiboot --update-config force-secure-mode=false
>
> Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe at linux.vnet.ibm.com>
> ---
> libstb/secureboot.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libstb/secureboot.c b/libstb/secureboot.c
> index 348acf5..8c8a9d6 100644
> --- a/libstb/secureboot.c
> +++ b/libstb/secureboot.c
> @@ -107,6 +107,9 @@ void secureboot_init(void)
> if (nvram_query_eq("force-secure-mode", "always")) {
> secure_mode = true;
> prlog(PR_NOTICE, "secure mode on (FORCED by nvram)\n");
> + } else if (nvram_query_eq("force-secure-mode", "false")) {
> + secure_mode = false;
> + prlog(PR_NOTICE, "secure mode off (FORCED by nvram)\n");
> } else {
> secure_mode = dt_has_node_property(node, "secure-enabled", NULL);
> prlog(PR_NOTICE, "secure mode %s\n",
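Review bot: in the added `else if` branch of secureboot_init(), `force-secure-mode=false` sets `secure_mode = false` without ever reading the `secure-enabled` device-tree property, which is only consulted in the final `else`. An nvram value on its own therefore overrides the platform setting, and the commit message shows that value being written with the nvram utility. Consider honouring "false" only when `dt_has_node_property(node, "secure-enabled", NULL)` is already false, or gating the override behind something that cannot be set from nvram alone. If the override stays, log it above PR_NOTICE so a forced-off boot stands out. The accepted values "always" and "false" are also asymmetric and undocumented in this hunk; a short comment listing the recognised `force-secure-mode` values would help.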