------- Comment From <email address hidden> 2017-08-01 19:06 EDT-------
(In reply to comment #15)
> One open technical question from the Canonical side: can you confirm that
> the POWER firmware implementation will support embedded certificate chains
> as part of the vmlinux signature data? Our existing SecureBoot signing
> regime uses an on-line signing key which is chained to our CA certificate,
> and it is the latter that we would normally provide for db.
>
> It appears that the kmodsign tools support embedded certificates in the
> signature data, but we would like to confirm that the firmware
> implementation is also compatible with this.
It seems that the Canonical CA should be added to the KEK and the "on-line signing key" should be added to the DB.
In our current SecureBoot design, the vmlinux embedded signature will be verified only against the DB certificate list. However, in order to add a certificate to DB, the certificate should be signed by any of the KEK entries. The PK will be used to authorize updates to the KEK certificate list.
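
The consequence of the reply above, as an added illustration that is not part of the original comment and is not the POWER firmware's code: a verifier that only matches the signer against the db list, without building a chain from embedded certificates, rejects the image when db holds only the CA and accepts it when db holds the online signing certificate. Using `openssl cms` as a stand-in for the vmlinux signature format is an assumption, and the certificate subjects and file names are constructed.

```shell
#!/bin/sh
# Added example: emulates a "db list only" check with OpenSSL CMS.
# All keys, subjects and file names are constructed for the illustration.
WORK=$(mktemp -d)

mkcert_chain() {
  # A CA (the KEK candidate) and an online signing key issued by it (the db candidate).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example online signing key" \
    -keyout "$WORK/sign.key" -out "$WORK/sign.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/sign.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/sign.pem" 2>/dev/null
}

sign_image() {
  # Detached CMS signature; the signer certificate is embedded by default.
  printf 'constructed kernel image\n' > "$WORK/vmlinux"
  openssl cms -sign -binary -in "$WORK/vmlinux" -signer "$WORK/sign.pem" \
    -inkey "$WORK/sign.key" -outform DER -out "$WORK/vmlinux.p7s" 2>/dev/null
}

db_only_verify() {
  # $1 = PEM file standing in for the db certificate list.
  # -nointern: do not use embedded certificates to locate the signer.
  # -noverify: no chain building; the signer must itself be listed in $1.
  openssl cms -verify -binary -inform DER -in "$WORK/vmlinux.p7s" \
    -content "$WORK/vmlinux" -nointern -noverify -certfile "$1" \
    -out /dev/null 2>/dev/null
}

demo() {
  mkcert_chain && sign_image || return 1
  for db in ca.pem sign.pem; do
    if db_only_verify "$WORK/$db"; then
      echo "db=$db: accepted"
    else
      echo "db=$db: rejected"
    fi
  done
}

demo
```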