Online / 6 & 7 February 2021


Secure boot without UEFI: booting VMs on Power(PC)

Much of the Secure and Trusted Boot ecosystem is built around UEFI. However, not all platforms implement UEFI, including IBM's Power machines.

In this talk, I will talk about my team's ongoing work on secure boot of virtual machines on Power. This is an important use case, as many Power machines ship with a firmware hypervisor, and all user workloads run as virtual machines or "Logical Partitions" (LPARs).

Linux Virtual Machines on Power boot via an OpenFirmware (IEEE1275) implementation which is loaded by the hypervisor. The OpenFirmware implementation then loads grub from disk, and grub then loads Linux. To secure this, we propose to:

  • Teach grub how to verify Linux-module-style "appended signatures". Distro kernels for Power are already signed with these signatures for use with the OpenPower 'host' secure boot scheme.

  • Sign grub itself with an appended signature, allowing firmware to verify grub.


Photo of Daniel Axtens Daniel Axtens
Photo of Cezary Sobczak Cezary Sobczak