[Skiboot] [PATCH] libstb/secureboot: Disable secureboot in OPAL by nvram

ppaidipe ppaidipe at linux.vnet.ibm.com
Fri May 11 22:07:24 AEST 2018


On 2018-05-11 16:52, Nayna Jain wrote:
> On 05/09/2018 02:40 PM, Pridhiviraj Paidipeddi wrote:
>> Currently custom debug petitboot kernels failed to boot on secureboot
>> enabled systems as the key verification fails results in enforcing the
>> boot. Due to which debugging any problems in petitboot kernel in secure
>> boot enabled systems become hard.
>> This patch provides a way to disable secureboot in OPAL by using below
>> nvram command.
> 
> Petitboot verification should not be disabled if firmware secure boot
> is on. It's only Host OS kernel for which we can have the switch.
> 
> This patch can result in a loophole where someone as application user
> can disable verification of petitboot kernel using nvram utility.

Yeah, agree, but this is really a debug hack, without that there are bugs
related to keys in upstream vs vendor released firmware, due to which
verification fails and boot enforce happening on secureboot enabled
systems, so we need a way to force disable it, like the way we have for
enabling it via nvram. Otherwise debugging petitboot kernels on such
systems became really hard.

Thanks
Pridhiviraj

> 
> Thanks & Regards,
>    - Nayna
> 
>> nvram -p ibm,skiboot --update-config force-secure-mode=false
>> 
>> Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe at linux.vnet.ibm.com>
>> ---
>>   libstb/secureboot.c | 3 +++
>>   1 file changed, 3 insertions(+)
>> 
>> diff --git a/libstb/secureboot.c b/libstb/secureboot.c
>> index 348acf5..8c8a9d6 100644
>> --- a/libstb/secureboot.c
>> +++ b/libstb/secureboot.c
>> @@ -107,6 +107,9 @@ void secureboot_init(void)
>>   	if (nvram_query_eq("force-secure-mode", "always")) {
>>   		secure_mode = true;
>>   		prlog(PR_NOTICE, "secure mode on (FORCED by nvram)\n");
>> +	} else if (nvram_query_eq("force-secure-mode", "false")) {
>> +		secure_mode = false;
>> +		prlog(PR_NOTICE, "secure mode off (FORCED by nvram)\n");
>>   	} else {
>>   		secure_mode = dt_has_node_property(node, "secure-enabled", NULL);
>>   		prlog(PR_NOTICE, "secure mode %s\n",
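
Review bot: The new `else if (nvram_query_eq("force-secure-mode", "false"))` branch is evaluated before the `dt_has_node_property(node, "secure-enabled", NULL)` check, so an nvram value alone sets `secure_mode = false` even on a system whose device tree reports `secure-enabled`. As raised in the reply above, that value can be written from the host with the nvram utility, which makes the override a way to turn off petitboot kernel verification on a secure-boot system. Suggest honouring "false" only under a condition the host cannot set by itself (for example a debug-only build), or dropping the branch and leaving "always" as the only forced value. If the override stays, `secure mode off (FORCED by nvram)` should be logged at a higher priority than PR_NOTICE so the downgrade stands out in the boot log, and the new value needs documenting, since the diffstat shows only libstb/secureboot.c changed.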


