[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YeuyUVVdFADCuDr4@kroah.com>
Date: Sat, 22 Jan 2022 08:29:21 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: Nayna Jain <nayna@...ux.ibm.com>
Cc: linuxppc-dev@...ts.ozlabs.org,
Michael Ellerman <mpe@...erman.id.au>,
Daniel Axtens <dja@...ens.net>,
George Wilson <gcwilson@...ux.ibm.com>,
Douglas Miller <dougmill@...ux.vnet.ibm.com>, gjoyce@....com,
linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 0/2] powerpc/pseries: add support for local secure
storage called Platform Keystore(PKS)
On Fri, Jan 21, 2022 at 07:56:35PM -0500, Nayna Jain wrote:
> PowerVM provides an isolated Platform Keystore(PKS) storage allocation
> for each partition with individually managed access controls to store
> sensitive information securely. Linux Kernel can access this storage by
> interfacing with hypervisor using a new set of hypervisor calls.
>
> PowerVM guest secure boot intend to use Platform Keystore for the
> purpose of storing public keys. Secure boot requires public keys to
> be able to verify the grub and boot kernel. To allow authenticated
> manipulation of keys, it supports variables to store key authorities
> - PK/KEK and code signing keys - db. It also supports denied list to
> disallow booting even if signed with valid key. This is done via
> denied list database - dbx or sbat. These variables would be stored in
> PKS, and are managed and controlled by firmware.
>
> The purpose of this patchset is to add support for users to
> read/write/add/delete variables required for secure boot on PowerVM.
Ok, this is like the 3rd or 4th different platform-specific proposal for
this type of functionality. I think we need to give up on
platform-specific user/kernel apis on this (random sysfs/securityfs
files scattered around the tree), and come up with a standard place for
all of this.
Please work with the other developers of the other drivers for this to
make this unified so that userspace has a chance to use this in a sane
manner.
thanks,
greg k-h
Powered by blists - more mailing lists