| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610211907.101384-4-ssrish@linux.ibm.com>
Date: Wed, 11 Jun 2025 02:49:07 +0530
From: Srish Srinivasan <ssrish@...ux.ibm.com>
To: linux-integrity@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org
Cc: maddy@...ux.ibm.com, mpe@...erman.id.au, npiggin@...il.com,
christophe.leroy@...roup.eu, naveen@...nel.org, ajd@...ux.ibm.com,
zohar@...ux.ibm.com, nayna@...ux.ibm.com, rnsastry@...ux.ibm.com,
msuchanek@...e.de, linux-kernel@...r.kernel.org
Subject: [PATCH v4 3/3] integrity/platform_certs: Allow loading of keys in the static key management mode
On PLPKS enabled PowerVM LPAR, there is no provision to load signed
third-party kernel modules when the key management mode is static. This
is because keys from secure boot secvars are only loaded when the key
management mode is dynamic.
Allow loading of the trustedcadb and moduledb keys even in the static
key management mode, where the secvar format string takes the form
"ibm,plpks-sb-v0".
Signed-off-by: Srish Srinivasan <ssrish@...ux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@...ux.ibm.com>
Reviewed-by: Nayna Jain <nayna@...ux.ibm.com>
Reviewed-by: Andrew Donnellan <ajd@...ux.ibm.com>
---
security/integrity/platform_certs/load_powerpc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
index c85febca3343..714c961a00f5 100644
--- a/security/integrity/platform_certs/load_powerpc.c
+++ b/security/integrity/platform_certs/load_powerpc.c
@@ -75,12 +75,13 @@ static int __init load_powerpc_certs(void)
return -ENODEV;
// Check for known secure boot implementations from OPAL or PLPKS
- if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf)) {
+ if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf) &&
+ strcmp("ibm,plpks-sb-v0", buf)) {
pr_err("Unsupported secvar implementation \"%s\", not loading certs\n", buf);
return -ENODEV;
}
- if (strcmp("ibm,plpks-sb-v1", buf) == 0)
+ if (strcmp("ibm,plpks-sb-v1", buf) == 0 || strcmp("ibm,plpks-sb-v0", buf) == 0)
/* PLPKS authenticated variables ESL data is prefixed with 8 bytes of timestamp */
offset = 8;
--
2.47.1
Powered by blists - more mailing lists