Message-ID: <20250610211907.101384-1-ssrish@linux.ibm.com>
Date: Wed, 11 Jun 2025 02:49:04 +0530
From: Srish Srinivasan <ssrish@...ux.ibm.com>
To: linux-integrity@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org
Cc: maddy@...ux.ibm.com, mpe@...erman.id.au, npiggin@...il.com, christophe.leroy@...roup.eu, naveen@...nel.org, ajd@...ux.ibm.com, zohar@...ux.ibm.com, nayna@...ux.ibm.com, rnsastry@...ux.ibm.com, msuchanek@...e.de, linux-kernel@...r.kernel.org
Subject: [PATCH v4 0/3] Enhancements to the secvar interface in static key management mode

The PLPKS enabled Power LPAR sysfs exposes all of the secure boot secure
variables irrespective of the key management mode. There is support for
both static and dynamic key management and the key management mode can
be updated using the management console.

The user should be able to read from and write to the secure boot secvars
db, dbx, grubdb, grubdbx, and sbat only in the dynamic management key mode.
But the sysfs interface exposes these secvars even in the static key
management mode even though they are not getting consumed in this mode.

Update the secvar format property based on the key management mode and
expose only the secure variables relevant to the key management mode.

Enable loading of signed third-party kernel modules in the static key
mode when the platform keystore is enabled.

Changelog:

v4:

* Patch 2:
  - Changes to the documentation and the patch description based on
    feedback from Michal.

v3:

* Patch 1:
  - Minor changes to the documentation based on feedback from Andrew.
  - Added reviewed-by from Andrew.

v2:

* Patch 1:
  - Updated plpks_get_sb_keymgmt_mode to handle -ENOENT and -EPERM in
    the case of static key management mode, based on feedback from
    Andrew.
  - Moved the documentation changes relevant to the secvar format
    property from Patch 2 to Patch 1.
  - Added reviewed-by from Nayna.
* Patch 2:
  - Moved the documentation changes relevant to secure variables from
    /sys/firmware/secvar/format to
    /sys/firmware/secvar/vars/<variable name>.
  - Added reviewed-by from Nayna and Andrew.
* Patch 3:
  - Added reviewed-by from Nayna and Andrew.

Srish Srinivasan (3):
  powerpc/pseries: Correct secvar format representation for static key management
  powerpc/secvar: Expose secvars relevant to the key management mode
  integrity/platform_certs: Allow loading of keys in the static key management mode

 Documentation/ABI/testing/sysfs-secvar        |  17 ++-
 arch/powerpc/platforms/pseries/plpks-secvar.c | 104 ++++++++++++------
 .../integrity/platform_certs/load_powerpc.c   |   5 +-
 3 files changed, 87 insertions(+), 39 deletions(-)

--
2.47.1