OpenPOWER Host OS Secure Boot Key Management
Offered By: Linux Foundation via YouTube
Course Description
Overview
Explore the intricacies of OpenPOWER Host OS Secure Boot Key Management in this 33-minute conference talk by Nayna Jain from IBM. Dive into the open and flexible model for managing keys used by Linux-based bootloaders to verify and load the Host Operating System. Learn about the pluggable architecture supporting different key hierarchies and update mechanisms, as well as the options for vendors and sysadmins to manage OS installation in secure boot states. Discover the end-to-end solution spanning firmware, kernel, and userspace, including key ownership, authenticated updates, secure storage, blacklisting, and userspace tool compatibility. Gain insights into key management layers, internal processes, open-source key tools, flexible key authorities, and backend internals. Understand kernel verification flow, key destruction, rotation, error logs, and recovery procedures. Compare OpenPOWER's approach with existing secure boot key management mechanisms and explore its key takeaways for implementing robust security measures in Linux-based systems.
Syllabus
Intro
Acknowledgments
Open POWER Secure Boot
What is Key Management
Existing Mechanisms for Secure Boot Key Management
Key Management Layers
Key Management Internals
Open Source Key Tools
Authorities over Key Management and Usage
Flexible Key Authorities
Backend Internals (Eric Richter)
Key Updates Processing
Protection of the Key Database - Storage & TSS
Kernel Verification
Kernel Verification Flow
Key Destruction
Key Rotation
Error Logs and Recovery
OpenPOWER Key Management - Key Takeaways
Revisiting Mechanisms for Secure Boot Key Management
References
Taught by
Linux Foundation