On 11/5/21 09:14, Michal Suchánek wrote:
On Fri, Nov 05, 2021 at 09:55:52PM +1100, Daniel Axtens wrote:
Michal Suchanek <msuchanek@xxxxxxx> writes:
S390 uses appended signature for kernel but implements the check
separately from module loader.
Support for secure boot on powerpc with appended signature is planned -
grub patches submitted upstream but not yet merged.
Power Non-Virtualised / OpenPower already supports secure boot via kexec
with signature verification via IMA. I think you have now sent a
follow-up series that merges some of the IMA implementation, I just
wanted to make sure it was clear that we actually already have support
So is IMA_KEXEC and KEXEC_SIG redundant?
I see some architectures have both. I also see there is a lot of overlap
between the IMA framework and the KEXEC_SIG and MODULE_SIg.
Originally, KEXEC_SIG was meant for PECOFF based signatures, while
IMA_KEXEC mainly supported xattr based signatures.
Power (Non-virtualized/OpenPOWER) doesn't support PECOFF. Extended
attributes based signature verification doesn't work with netboot.
That's when appended signature support was added to IMA.
Using IMA_KEXEC has the benefit of being able to enable both signature
verification and measurement of the kernel image.
Thanks & Regards,
- Nayna
