powerpc: Load firmware trusted keys/hashes into kernel keyring
author Nayna Jain <nayna@linux.ibm.com>
Mon, 11 Nov 2019 03:10:36 +0000 (21:10 -0600)
committer Michael Ellerman <mpe@ellerman.id.au>
Tue, 12 Nov 2019 13:33:23 +0000 (00:33 +1100)
commit 8220e22d11a05049aab9693839ab82e5e177ccde
tree 565ae2c0ff755e7454f137a03bfc3e63870d8060
parent ad723674d6758478829ee766e3f1a2a24d56236f
powerpc: Load firmware trusted keys/hashes into kernel keyring

The keys used to verify the Host OS kernel are managed by firmware as
secure variables. This patch loads the verification keys into the
.platform keyring and revocation hashes into the .blacklist keyring. This
enables verification and loading of the kernels signed by the boot
time keys which are trusted by firmware.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
[mpe: Search by compatible in load_powerpc_certs(), not using format]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/1573441836-3632-5-git-send-email-nayna@linux.ibm.com
security/integrity/Kconfig
security/integrity/Makefile
security/integrity/platform_certs/load_powerpc.c [new file with mode: 0644]