Extending OpenPOWER Boot Security to Guests

Explore a conference talk that delves into extending OpenPOWER boot security to guest environments in KVM and PowerVM. Learn about the challenges of adapting the OpenPOWER host secure boot solution to guest systems, considering their shorter boot sequences, simpler firmware components, and replaced bootloaders. Discover potential design alternatives that leverage existing open source elements to enhance OS boot security for KVM on OpenPOWER and PowerVM guests. Gain insights into firmware signing, key management, and verification processes. Understand the differences between x86 guest secure boot with OVMF and the proposed PowerVM Linux guest secure boot scheme. Presented by George Wilson, an IBM security architect and development team lead, this talk builds upon previous discussions on OpenPOWER host secure boot and offers valuable perspectives on improving guest OS boot security in OpenPOWER environments.

LINUX SECURITY SUMMIT
Background
PowerVM Guest Boot
Proposed PowerVM Secure Boot Scheme
Firmware Signing
Why not port the OpenPOWER host secure boot solution?
X86 Guest Secure Boot with OVMF Emulates host solution
PowerVM Linux Guest Secure Boot?
OpenPOWER Guest Secure Book?
Key Management
How to Verify the Firmware
Summary