Michael Ellerman <mpe@xxxxxxxxxxxxxx> writes:

> Thiago Jung Bauermann <bauerman@xxxxxxxxxxxxxxxxxx> writes:
>
>> On the OpenPOWER platform, secure boot and trusted boot are being
>> implemented using IMA for taking measurements and verifying signatures.
>
> I still want you to implement arch_kexec_kernel_verify_sig() as well :)

Yes, I will implement it!

We are still working on loading the public keys for kernel signing from the
firmware into a kernel keyring, so there's not much point in implementing
arch_kexec_kernel_verify_sig without having that first.

The same problem also affects IMA: even with these patches, new code still
needs to be added to make IMA use the platform keys for kernel signature
verification.

--
Thiago Jung Bauermann
IBM Linux Technology Center