The PLPKS enabled Power LPAR sysfs exposes all of the secure boot secure
variables irrespective of the key management mode. There is support for
both static and dynamic key management and the key management mode can
be updated using the management console. The user can modify the secure
boot secvars db, dbx, grubdb, grubdbx, and sbat only in the dynamic key
mode. But the sysfs interface exposes these secvars even in static key
mode. This could lead to errors when reading them or writing to them in
the static key mode.
Update the secvar format property based on the key management mode and
expose only the secure variables relevant to the key management mode.
Enable loading of signed third-party kernel modules in the static key
mode when the platform keystore is enabled.
Srish Srinivasan (3):
powerpc/pseries: Correct secvar format representation for static key
management
powerpc/secvar: Expose secvars relevant to the key management mode
integrity/platform_certs: Allow loading of keys in static key
management mode
Documentation/ABI/testing/sysfs-secvar | 9 +-
arch/powerpc/platforms/pseries/plpks-secvar.c | 98 ++++++++++++-------
.../integrity/platform_certs/load_powerpc.c | 5 +-
3 files changed, 73 insertions(+), 39 deletions(-)
--
2.47.1
