On Fri, Jan 21, 2022 at 07:56:35PM -0500, Nayna Jain wrote: > PowerVM provides an isolated Platform Keystore(PKS) storage allocation > for each partition with individually managed access controls to store > sensitive information securely. Linux Kernel can access this storage by > interfacing with hypervisor using a new set of hypervisor calls. > > PowerVM guest secure boot intend to use Platform Keystore for the > purpose of storing public keys. Secure boot requires public keys to > be able to verify the grub and boot kernel. To allow authenticated > manipulation of keys, it supports variables to store key authorities > - PK/KEK and code signing keys - db. It also supports denied list to > disallow booting even if signed with valid key. This is done via > denied list database - dbx or sbat. These variables would be stored in > PKS, and are managed and controlled by firmware. > > The purpose of this patchset is to add support for users to > read/write/add/delete variables required for secure boot on PowerVM.
Ok, this is like the 3rd or 4th different platform-specific proposal for this type of functionality. I think we need to give up on platform-specific user/kernel apis on this (random sysfs/securityfs files scattered around the tree), and come up with a standard place for all of this. Please work with the other developers of the other drivers for this to make this unified so that userspace has a chance to use this in a sane manner. thanks, greg k-h
