[Bug 2064319] Comment bridged from LTC Bugzilla

bugproxy 2064319 at bugs.launchpad.net
Mon May 19 03:29:31 UTC 2025


------- Comment From naynjain at ibm.com 2025-05-18 23:27 EDT-------
Hi Mate,

Firmware couldn't load the signed GRUB, and Sudhakar identified the issue:
it is still using the older format for SBAT. This has been updated in
the final version of the upstream patch.

Currently, it is using:
002287d0  00 14 2f 62 6f 6f 74 2f  67 72 75 62 00 00 00 00  |../boot/grub....|
002287e0  00 00 00 1f 00 00 00 e4  73 62 61 74 53 65 63 75  |........sbatSecu|
002287f0  72 65 2d 42 6f 6f 74 2d  41 64 76 61 6e 63 65 64  |re-Boot-Advanced|
00228800  2d 54 61 72 67 65 74 69  6e 67 00 00 73 62 61 74  |-Targeting..sbat|

This was changed in the final upstreamed version as mentioned below:

In order to store the SBAT data we create a new ELF note. The string
".sbat", zero-padded to 4 byte alignment, shall be entered in the name
field. The string "SBAT"'s ASCII values, 0x53424154, should be entered
in the type field.

Please pick SBAT patches from upstream. The commits are as below:

9a9082b50 grub-mkimage: Add SBAT metadata into ELF note for PowerPC targets
f97d4618a grub-mkimage: Create new ELF note for SBAT

Another thing that Sudhakar noticed is that the space allocation in the ELF
note is larger than the actual signature size. We wanted to understand whether
there is any specific reason for the large space allocation.

Thanks & Regards,
- Nayna

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/2064319

Title:
  Power guest secure boot with key management: GRUB2 portion

Status in The Ubuntu-power-systems project:
  New
Status in grub2 package in Ubuntu:
  New

Bug description:
  Covering the GRUB2 portion:

  Feature:

  This feature comprises PowerVM LPAR guest OS kernel verification using
  static keys to extend the chain of trust from partition firmware to
  the OS kernel.  GRUB and the host OS kernel are signed with 2 separate
  public key pairs.  Partition firmware includes the public
  verification key for GRUB in its build and uses it to verify GRUB.
  GRUB includes the public verification key for the OS kernel in its
  build and uses it to verify the OS kernel image.

  Test case:

  If secure boot is switched off, any GRUB and kernel boots.
  If secure boot is switched on:
    - Properly signed GRUB boots.
    - Improperly signed GRUB does not boot.
    - Tampered signed GRUB does not boot.
    - Properly signed kernels boot.
    - Improperly signed kernels do not boot.
    - Tampered signed kernels do not boot.
  TPM PCRs are extended roughly following the TCG PC Client and UEFI specs as they apply to POWER.
