Linux 5.5 Begins Plumbing Secure Boot Infrastructure For POWER9
The PowerPC changes for the Linux 5.5 kernel bring the initial infrastructure work for handling a Secure Boot implementation on POWER9 hardware.
With Linux 5.5 the initial groundwork is laid for supporting POWER9 Secure Boot but the actual IBM POWER9 firmware support for offering this functionality isn't yet released. As such, moving to Linux 5.5 alone won't impose any potential Secure Boot restrictions on existing users.
From the patch-set bringing up the POWER9 Secure Boot bits:
PowerNV system uses a Linux-based bootloader to kexec the OS. The bootloader kernel relies on IMA for signature verification of the OS kernel before doing the kexec. This patchset adds support for powerpc arch-specific IMA policies that are conditionally defined based on a system's secure boot and trusted boot states. The OS secure boot and trusted boot states are determined via device-tree properties.
The verification needs to be performed only for binaries that are not blacklisted. The kernel currently only checks against the blacklist of keys. However, doing so results in blacklisting all the binaries that are signed by the same key. In order to prevent just one particular binary from being loaded, it must be checked against a blacklist of binary hashes. This patchset also adds support to IMA for checking against a hash blacklist for files.
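The difference between key and hash blacklisting described in the patch-set text, as an added example that is not code from the kernel patches. It is a simplified Python model: HMAC-SHA256 stands in for the real signature scheme, and the key name, image bytes and the `sign`/`appraise` functions are constructed for illustration.

```python
import hashlib
import hmac

# Constructed signing key; HMAC-SHA256 is a stand-in for the asymmetric
# signatures that IMA actually verifies.
KEYS = {"distro-key": b"constructed-secret"}


def sha256_hex(image):
    return hashlib.sha256(image).hexdigest()


def sign(key_id, image):
    """Return a (key_id, mac) pair acting as the image's signature."""
    return key_id, hmac.new(KEYS[key_id], image, hashlib.sha256).digest()


def appraise(image, sig, secure_boot,
             key_blacklist=frozenset(), hash_blacklist=frozenset()):
    """Decide whether the bootloader may kexec `image`; returns (allowed, reason)."""
    # Assumption: with secure boot disabled, no appraisal rule is defined.
    if not secure_boot:
        return True, "not-enforced"
    # Hash blacklist: blocks exactly one binary, whoever signed it.
    if sha256_hex(image) in hash_blacklist:
        return False, "hash-blacklisted"
    if sig is None:
        return False, "unsigned"
    key_id, mac = sig
    # Key blacklist: blocks every binary signed by this key.
    if key_id in key_blacklist:
        return False, "key-blacklisted"
    key = KEYS.get(key_id)
    if key is None:
        return False, "unknown-key"
    expected = hmac.new(key, image, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad-signature"
    return True, "ok"


# Constructed sample images: two kernels signed by the same key.
OLD_KERNEL = b"vmlinux build 1 (constructed, treated as vulnerable)"
NEW_KERNEL = b"vmlinux build 2 (constructed, treated as fixed)"
OLD_SIG = sign("distro-key", OLD_KERNEL)
NEW_SIG = sign("distro-key", NEW_KERNEL)
```

Blacklisting `distro-key` rejects both kernels, while blacklisting only the SHA-256 of `OLD_KERNEL` rejects that one image and still lets `NEW_KERNEL` pass appraisal.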
The updates for Linux 5.5 also include other security improvements, support for kernel address space layout randomization (KASLR) for old 32-bit BookE hardware, a rework to the Cooperative Memory Management driver, and other updates.