Linux 5.5 Begins Plumbing Secure Boot Infrastructure For POWER9

Written by Michael Larabel in Hardware on 4 December 2019 at 04:42 AM EST. 7 Comments
With the PowerPC changes for the Linux 5.5 kernel comes the initial infrastructure work on preparing to be able to handle a Secure Boot implementation for POWER9 hardware.

With Linux 5.5 the initial groundwork is laid for supporting POWER9 Secure Boot but the actual IBM POWER9 firmware support for offering this functionality isn't yet released. As such, moving to Linux 5.5 alone won't impose any potential Secure Boot restrictions on existing users.

From the patch-set bringing up the POWER9 Secure Boot bits:
PowerNV system uses a Linux-based bootloader to kexec the OS. The bootloader kernel relies on IMA for signature verification of the OS kernel before doing the kexec. This patchset adds support for powerpc arch-specific IMA policies that are conditionally defined based on a system's secure boot and trusted boot states. The OS secure boot and trusted boot states are determined via device-tree properties.

The verification needs to be performed only for binaries that are not blacklisted. The kernel currently only checks against the blacklist of keys. However, doing so results in blacklisting all the binaries that are signed by the same key. In order to prevent just one particular binary from being loaded, it must be checked against a blacklist of binary hashes. This patchset also adds support to IMA for checking against a hash blacklist for files.

The updates for Linux 5.5 also include other security improvements, support for kernel address space layout randomization (KASLR) for old 32-bit BookE hardware, a rework to the Cooperative Memory Management driver, and other updates.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via

Popular News This Week