Linux 5.5 Begins Plumbing Secure Boot Infrastructure For POWER9

Written by Michael Larabel in Hardware on 4 December 2019 at 04:42 AM EST. 7 Comments
HARDWARE
With the PowerPC changes for the Linux 5.5 kernel comes the initial infrastructure work on preparing to be able to handle a Secure Boot implementation for POWER9 hardware.

With Linux 5.5 the initial groundwork is laid for supporting POWER9 Secure Boot but the actual IBM POWER9 firmware support for offering this functionality isn't yet released. As such, moving to Linux 5.5 alone won't impose any potential Secure Boot restrictions on existing users.

From the patch-set bringing up the POWER9 Secure Boot bits:
PowerNV system uses a Linux-based bootloader to kexec the OS. The bootloader kernel relies on IMA for signature verification of the OS kernel before doing the kexec. This patchset adds support for powerpc arch-specific IMA policies that are conditionally defined based on a system's secure boot and trusted boot states. The OS secure boot and trusted boot states are determined via device-tree properties.

The verification needs to be performed only for binaries that are not blacklisted. The kernel currently only checks against the blacklist of keys. However, doing so results in blacklisting all the binaries that are signed by the same key. In order to prevent just one particular binary from being loaded, it must be checked against a blacklist of binary hashes. This patchset also adds support to IMA for checking against a hash blacklist for files.

The updates for Linux 5.5 also include other security improvements, support for kernel address space layout randomization (KASLR) for old 32-bit BookE hardware, a rework to the Cooperative Memory Management driver, and other updates.
7 Comments
Related News
Rockchip NPU Open-Source Driver Taking Shape, Will Aim For Upstream Accel Driver
TUXEDO Computers Launches First Linux Laptop With AMD Ryzen 7 8845HS
Microsoft Rolls Out Azure Linux 2.0.20240403 With Security Fixes & Other Patches
Intel HID Driver Ready For Arrow Lake & Lunar Lake Laptops With Linux 6.9
UPower 1.90.4 Fixes Excessive Disk Writes & High CPU Usage
OpenSSL 3.3 Released With Many Additions For QUIC, CPU Performance Optimizations
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Linus Torvalds Injects Tabs To Thwart Kconfig Parsers Not Correctly Handling Them
Linux 6.10 To Merge NTSYNC Driver For Emulating Windows NT Synchronization Primitives
Former Nouveau Lead Developer Joins NVIDIA, Continues Working On Open-Source Driver
Fedora 41 Looks To "-O3" Optimizations For Its Python Build
APT 2.9 Released: Debian's APT 3.0 To Have A New UI With Colors, Columnar Display & More
Rust-Written LAVD Kernel Scheduler Shows Promising Results For Linux Gaming
Open-Source Radeon Driver Enables Support For Vulkan Video H.264/H.265 Encode
Ubuntu 24.04 Beta Now Available For Testing