1. Patchew
  2. linux
  3. [PATCH 0/3] Enhancements to the secvar interface in static key management mode
  4. View patch

[PATCH 3/3] integrity/platform_certs: Allow loading of keys in static key management mode

Srish Srinivasan posted 3 patches 9 months, 1 week ago
There is a newer version of this series
[PATCH 3/3] integrity/platform_certs: Allow loading of keys in static key management mode
Posted by Srish Srinivasan 9 months, 1 week ago 
On PLPKS enabled PowerVM LPAR, there is no provision to load signed
third-party kernel modules when the key management mode is static. This
is because keys from secure boot secvars are only loaded when the key
management mode is dynamic.

Allow loading of the trustedcadb and moduledb keys even in the static
key management mode, where the secvar format string takes the form
"ibm,plpks-sb-v0".

Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
 security/integrity/platform_certs/load_powerpc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
index c85febca3343..714c961a00f5 100644
--- a/security/integrity/platform_certs/load_powerpc.c
+++ b/security/integrity/platform_certs/load_powerpc.c
@@ -75,12 +75,13 @@ static int __init load_powerpc_certs(void)
 		return -ENODEV;
 
 	// Check for known secure boot implementations from OPAL or PLPKS
-	if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf)) {
+	if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf) &&
+	    strcmp("ibm,plpks-sb-v0", buf)) {
 		pr_err("Unsupported secvar implementation \"%s\", not loading certs\n", buf);
 		return -ENODEV;
 	}
 
-	if (strcmp("ibm,plpks-sb-v1", buf) == 0)
+	if (strcmp("ibm,plpks-sb-v1", buf) == 0 || strcmp("ibm,plpks-sb-v0", buf) == 0)
 		/* PLPKS authenticated variables ESL data is prefixed with 8 bytes of timestamp */
 		offset = 8;
 
-- 
2.47.1
Re: [PATCH 3/3] integrity/platform_certs: Allow loading of keys in static key management mode
Posted by Andrew Donnellan 9 months, 1 week ago 
On Wed, 2025-04-30 at 14:33 +0530, Srish Srinivasan wrote:
> On PLPKS enabled PowerVM LPAR, there is no provision to load signed
> third-party kernel modules when the key management mode is static.
> This
> is because keys from secure boot secvars are only loaded when the key
> management mode is dynamic.
> 
> Allow loading of the trustedcadb and moduledb keys even in the static
> key management mode, where the secvar format string takes the form
> "ibm,plpks-sb-v0".
> 
> Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>

> ---
>  security/integrity/platform_certs/load_powerpc.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/security/integrity/platform_certs/load_powerpc.c
> b/security/integrity/platform_certs/load_powerpc.c
> index c85febca3343..714c961a00f5 100644
> --- a/security/integrity/platform_certs/load_powerpc.c
> +++ b/security/integrity/platform_certs/load_powerpc.c
> @@ -75,12 +75,13 @@ static int __init load_powerpc_certs(void)
>  		return -ENODEV;
>  
>  	// Check for known secure boot implementations from OPAL or
> PLPKS
> -	if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-
> sb-v1", buf)) {
> +	if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-
> sb-v1", buf) &&
> +	    strcmp("ibm,plpks-sb-v0", buf)) {
>  		pr_err("Unsupported secvar implementation \"%s\",
> not loading certs\n", buf);
>  		return -ENODEV;
>  	}
>  
> -	if (strcmp("ibm,plpks-sb-v1", buf) == 0)
> +	if (strcmp("ibm,plpks-sb-v1", buf) == 0 ||
> strcmp("ibm,plpks-sb-v0", buf) == 0)
>  		/* PLPKS authenticated variables ESL data is
> prefixed with 8 bytes of timestamp */
>  		offset = 8;
>  

-- 
Andrew Donnellan    OzLabs, ADL Canberra
ajd@linux.ibm.com   IBM Australia Limited
Re: [PATCH 3/3] integrity/platform_certs: Allow loading of keys in static key management mode
Posted by Srish Srinivasan 9 months, 1 week ago 
On 5/5/25 1:25 PM, Andrew Donnellan wrote:
> On Wed, 2025-04-30 at 14:33 +0530, Srish Srinivasan wrote:
>> On PLPKS enabled PowerVM LPAR, there is no provision to load signed
>> third-party kernel modules when the key management mode is static.
>> This
>> is because keys from secure boot secvars are only loaded when the key
>> management mode is dynamic.
>>
>> Allow loading of the trustedcadb and moduledb keys even in the static
>> key management mode, where the secvar format string takes the form
>> "ibm,plpks-sb-v0".
>>
>> Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
>> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
Hi Andrew,
Thanks a lot for the review.

Thanks and Regards,
Srish
>> ---
>>   security/integrity/platform_certs/load_powerpc.c | 5 +++--
>>   1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/security/integrity/platform_certs/load_powerpc.c
>> b/security/integrity/platform_certs/load_powerpc.c
>> index c85febca3343..714c961a00f5 100644
>> --- a/security/integrity/platform_certs/load_powerpc.c
>> +++ b/security/integrity/platform_certs/load_powerpc.c
>> @@ -75,12 +75,13 @@ static int __init load_powerpc_certs(void)
>>   		return -ENODEV;
>>   
>>   	// Check for known secure boot implementations from OPAL or
>> PLPKS
>> -	if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-
>> sb-v1", buf)) {
>> +	if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-
>> sb-v1", buf) &&
>> +	    strcmp("ibm,plpks-sb-v0", buf)) {
>>   		pr_err("Unsupported secvar implementation \"%s\",
>> not loading certs\n", buf);
>>   		return -ENODEV;
>>   	}
>>   
>> -	if (strcmp("ibm,plpks-sb-v1", buf) == 0)
>> +	if (strcmp("ibm,plpks-sb-v1", buf) == 0 ||
>> strcmp("ibm,plpks-sb-v0", buf) == 0)
>>   		/* PLPKS authenticated variables ESL data is
>> prefixed with 8 bytes of timestamp */
>>   		offset = 8;
>>
Re: [PATCH 3/3] integrity/platform_certs: Allow loading of keys in static key management mode
Posted by Nayna Jain 9 months, 1 week ago 
On 4/30/25 5:03 AM, Srish Srinivasan wrote:
> On PLPKS enabled PowerVM LPAR, there is no provision to load signed
> third-party kernel modules when the key management mode is static. This
> is because keys from secure boot secvars are only loaded when the key
> management mode is dynamic.
>
> Allow loading of the trustedcadb and moduledb keys even in the static
> key management mode, where the secvar format string takes the form
> "ibm,plpks-sb-v0".

Reviewed-by: Nayna Jain <nayna@linux.ibm.com>

Thanks & Regards,
    - Nayna

>
> Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>   security/integrity/platform_certs/load_powerpc.c | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
> index c85febca3343..714c961a00f5 100644
> --- a/security/integrity/platform_certs/load_powerpc.c
> +++ b/security/integrity/platform_certs/load_powerpc.c
> @@ -75,12 +75,13 @@ static int __init load_powerpc_certs(void)
>   		return -ENODEV;
>   
>   	// Check for known secure boot implementations from OPAL or PLPKS
> -	if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf)) {
> +	if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf) &&
> +	    strcmp("ibm,plpks-sb-v0", buf)) {
>   		pr_err("Unsupported secvar implementation \"%s\", not loading certs\n", buf);
>   		return -ENODEV;
>   	}
>   
> -	if (strcmp("ibm,plpks-sb-v1", buf) == 0)
> +	if (strcmp("ibm,plpks-sb-v1", buf) == 0 || strcmp("ibm,plpks-sb-v0", buf) == 0)
>   		/* PLPKS authenticated variables ESL data is prefixed with 8 bytes of timestamp */
>   		offset = 8;
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.