Explore a conference talk that delves into extending OpenPOWER boot security to guest environments in KVM and PowerVM. Learn about the challenges of adapting the OpenPOWER host secure boot solution to guest systems, considering their shorter boot sequences, simpler firmware components, and replaced bootloaders. Discover potential design alternatives that leverage existing open source elements to enhance OS boot security for KVM on OpenPOWER and PowerVM guests. Gain insights into firmware signing, key management, and verification processes. Understand the differences between x86 guest secure boot with OVMF and the proposed PowerVM Linux guest secure boot scheme. Presented by George Wilson, an IBM security architect and development team lead, this talk builds upon previous discussions on OpenPOWER host secure boot and offers valuable perspectives on improving guest OS boot security in OpenPOWER environments.
Extending OpenPOWER Boot Security to Guests
Overview
Syllabus
LINUX SECURITY SUMMIT
Background
PowerVM Guest Boot
Proposed PowerVM Secure Boot Scheme
Firmware Signing
Why not port the OpenPOWER host secure boot solution?
X86 Guest Secure Boot with OVMF Emulates host solution
PowerVM Linux Guest Secure Boot?
OpenPOWER Guest Secure Book?
Key Management
How to Verify the Firmware
Summary
Taught by
Linux Foundation
Tags
Related Courses
-
OpenPOWER Host OS Secure Boot Key Management
-
Using the TPM NVRAM to Protect Secure Boot Keys in POWER9 OpenPOWER Systems
-
Using Linux as a Secure Boot Loader for OpenPOWER Servers
-
Protected Execution Facility for Secure Virtual Machines
-
Protected Execution Facility: Enhancing Security for Virtual Machines
-
PowerVM Platform Keystore - Securing Linux Credentials Locally
