Hi Claudio,

> ------- Comment From cclau...@br.ibm.com 2017-09-27 16:47 EDT-------
> (In reply to comment #30)
> > Attached is the ESL db update for Canonical's POWER SecureBoot signing key.
> > It is signed with Canonical's KEK key, which will be provided to IBM out of
> > band to ensure integrity of the delivery channel.

> Thanks Andy and Vorlon for the attached files. The kernel appended
> signature verified successfully.

> We didn't test the Canonical-POWER-SB-20170926.esl.signed file yet.

> Questions:

> 1) The certificate provided contains a 4096-bit key and it was signed
> using sha512WithRSAEncryption. We had no problem using it to verify the
> kernel appended signature - the kernel crypto API supports 4096-bit RSA
> keys. However, we don't have much space in our keystore and that's why
> we prefer to use 2048-bit RSA keys, same as UEFI SecureBoot. Could the
> Canonical-POWER-SB-20170926.esl.signed file be regenerated to contain a
> certificate that contains a 2048-bit RSA key instead? The certificate
> would be signed using sha256WithRSAEncryption.

The opal.x509 attachment is a test key only; it is not the same as
Canonical-POWER-SB-20170926.esl.signed, which is our production 2048-bit
key.

> 2) We will need to put in the KEK a certificate that can be used to verify
> the signed ESL db updates provided by Canonical.  How has Canonical
> provided that for UEFI SecureBoot?  Certificate, ESL (not signed, since the
> PK is not provided by Canonical)?  Currently, we are working on the code
> that will validate/process the authenticated variable updates.  We will
> probably start testing it by the end of this year.

The current plan is to deliver this KEK as a certificate via a secure
in-person channel to George Wilson.  I assume that, once delivered, if you
need this in ESL form for loading, IBM can perform this transformation
(since the only way to turn it into a signed ESL would be via the PK, which
we don't have).
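The certificate-to-ESL transformation mentioned above is a plain re-encoding, so as an added illustration (not code from this thread, and not Canonical's or IBM's tooling) here is a small Python builder and parser for the EFI_SIGNATURE_LIST format. The EFI_CERT_X509_GUID value comes from the UEFI specification; the sample certificate bytes are a constructed stand-in, not a real DER certificate, since the ESL container never interprets them. Signing the resulting blob as an authenticated variable update (which needs the PK for KEK updates, or the KEK for db updates) is a separate step and is not shown.

```python
"""Build and parse an EFI_SIGNATURE_LIST (ESL) carrying X.509 certificates.

Layout (all integers little-endian, per the UEFI spec):
  EFI_SIGNATURE_LIST header:
    SignatureType        GUID   (16 bytes)  -> EFI_CERT_X509_GUID for DER certs
    SignatureListSize    UINT32 total bytes of this list, header included
    SignatureHeaderSize  UINT32 0 for X.509 lists
    SignatureSize        UINT32 bytes per entry = 16 (owner GUID) + cert length
  followed by SignatureListSize - 28 bytes of fixed-size EFI_SIGNATURE_DATA
  entries, each: SignatureOwner GUID (16 bytes) + SignatureData.
Because every entry in one list must have the same SignatureSize, a list of
X.509 certificates in practice holds exactly one certificate; several lists
are simply concatenated (e.g. a db with multiple vendor certs).
"""
import struct
import uuid

# GUID from the UEFI specification identifying DER-encoded X.509 entries.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner is informational; a zero GUID is a common default.
NULL_OWNER = uuid.UUID(int=0)

# <16sIII: 16-byte GUID, then three UINT32 fields (28 bytes total).
ESL_HEADER = struct.Struct("<16sIII")

# Constructed stand-in for DER certificate bytes (NOT a real certificate).
SAMPLE_CERT_DER = b"constructed-stand-in-for-DER-certificate-bytes"


def build_esl(cert_der: bytes, owner: uuid.UUID = NULL_OWNER) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST."""
    sig_size = 16 + len(cert_der)                 # owner GUID + certificate
    list_size = ESL_HEADER.size + sig_size         # header + single entry
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(blob: bytes) -> list:
    """Walk one or more concatenated ESLs and return their entries.

    Every size field is checked against the buffer before use, which is the
    part a firmware-side parser must get right when it consumes a db update.
    """
    entries = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, offset)
        if list_size < ESL_HEADER.size + hdr_size or offset + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with buffer")
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        body_start = offset + ESL_HEADER.size + hdr_size
        body_len = list_size - ESL_HEADER.size - hdr_size
        if body_len % sig_size != 0:
            raise ValueError("signature data is not a whole number of entries")
        for i in range(body_len // sig_size):
            start = body_start + i * sig_size
            entries.append({
                "type": uuid.UUID(bytes_le=sig_type),
                "owner": uuid.UUID(bytes_le=blob[start:start + 16]),
                "data": blob[start + 16:start + sig_size],
            })
        offset += list_size
    return entries


def is_malformed(blob: bytes) -> bool:
    """True if parse_esl rejects the blob (handy for negative tests)."""
    try:
        parse_esl(blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    esl = build_esl(SAMPLE_CERT_DER)
    for entry in parse_esl(esl + esl):       # two concatenated lists
        print(entry["type"], entry["owner"], len(entry["data"]), "bytes")
```

On a real system the same transformation is what tools such as efitools' cert-to-efi-sig-list perform; the value of doing it by hand once is seeing that the unsigned ESL needs no private key at all, so either party can produce it from the delivered certificate, while the signed authenticated-variable update is what requires the PK.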

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1696154

Title:
  [17.10 FEAT] Sign POWER host/NV kernels

Status in Launchpad itself:
  Fix Committed
Status in The Ubuntu-power-systems project:
  In Progress
Status in linux package in Ubuntu:
  In Progress
Status in linux-signed package in Ubuntu:
  In Progress

Bug description:
  Feature Description:

  Sign POWER host and NV kernels with sign-file in anticipation of POWER
  secure boot.  Provide the associated certificate.  Ideally it would
  be possible to reuse the UEFI shim private key and certificate used to
  sign and verify x86_64 kernels.  More details to follow.  Guest
  kernels will be addressed in a future separate feature request.

  Business Case:

  As a system administrator I want to verify the integrity of my kernels
  so that I can prevent malicious kernels from being executed.

  Use Case:

  Signed POWER kernels will be validated by OPAL as OpenPOWER systems
  boot when keys are properly installed and the system is booted in
  secure mode.

  Test Case:

  Sign and install a POWER kernel on an OpenPOWER machine with a
  firmware level that supports secure boot.  Install a PK, distro KEK
  certificate, and distro DB certificate.  Boot the system and verify
  that it will boot the kernel.  Negative tests:  Separately remove the
  signature, install an unsigned kernel, and modify the kernel image and
  test that the kernel will not boot.


-- 
Mailing list: https://launchpad.net/~kernel-packages