[Bug 2064319] Comment bridged from LTC Bugzilla

bugproxy 2064319 at bugs.launchpad.net
Thu Apr 3 08:40:24 UTC 2025 

------- Comment From naynjain at ibm.com 2025-04-03 04:36 EDT-------
Hi,

I have one question, are these test keys or production keys?

To give some background, by default an LPAR comes with static secure
boot.  As user makes switch from static key management mode, to dynamic
key management, hypervisor creates the variables grubdb, grubdbx, sbat.
These variables are updated with keys embedded in the host firmware
images as default keys. This allows the LPAR to boot to OS in secure
boot enabled mode directly and doesn't require the user to first update
the keys.

For this reason, we would need Ubuntu production keys to be embedded in
the firmware image.

So, could you please confirm if these are the production keys, if not
could you please share with us the production keys?

Thanks & Regards,
- Nayna

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/2064319

Title:
  Power guest secure boot with key management: GRUB2 portion

Status in The Ubuntu-power-systems project:
  New
Status in grub2 package in Ubuntu:
  New

Bug description:
  Covering the GRUB2 portion:

  Feature:

  This feature comprises PowerVM LPAR guest OS kernel verification using
  static keys to extend the chain of trust from partition firmware to
  the OS kernel.  GRUB and the host OS kernel are signed with 2 separate
  public key pairs.  Partition firmware includes the the public
  verification key for GRUB in its build and uses it to verify GRUB.
  GRUB includes the public verification key for the OS kernel in its
  build and uses it to verify the OS kernel image

  Test case:

  If secure boot is switched off, any GRUB and kernel boots.
  If secure boot is switched on:
    - Properly signed GRUB boots.
    - Improperly signed GRUB does not boot.
    - Tampered signed GRUB does not boot.
    - Properly signed kernels boot.
    - Improperly signed kernels do not boot.
    - Tampered signed kernels do not boot.
  TPM PCRs are extended roughly following the TCG PC Client and UEFI specs as they apply to POWER.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/2064319/+subscriptions

More information about the foundations-bugs mailing list