Commit 26776d2

Mamatha Inamdar committed
integrity/platform_certs: Allow loading of keys in the static key management mode
JIRA: https://issues.redhat.com/browse/RHEL-101962

commit bde5b1a
Author: Srish Srinivasan <ssrish@linux.ibm.com>
Date: Wed Jun 11 02:49:07 2025 +0530

integrity/platform_certs: Allow loading of keys in the static key management mode

On PLPKS enabled PowerVM LPAR, there is no provision to load signed third-party kernel modules when the key management mode is static. This is because keys from secure boot secvars are only loaded when the key management mode is dynamic.

Allow loading of the trustedcadb and moduledb keys even in the static key management mode, where the secvar format string takes the form "ibm,plpks-sb-v0".

Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250610211907.101384-4-ssrish@linux.ibm.com

Signed-off-by: Mamatha Inamdar <minamdar@redhat.com>
1 parent 3e7b609 commit 26776d2

1 file changed: +3 -2 lines changed

security/integrity/platform_certs/load_powerpc.c

Lines changed: 3 additions & 2 deletions
@@ -75,12 +75,13 @@ static int __init load_powerpc_certs(void)
7575
return -ENODEV;
7676

7777
// Check for known secure boot implementations from OPAL or PLPKS
78-
if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf)) {
78+
if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf) &&
79+
strcmp("ibm,plpks-sb-v0", buf)) {
7980
pr_err("Unsupported secvar implementation \"%s\", not loading certs\n", buf);
8081
return -ENODEV;
8182
}
8283

83-
if (strcmp("ibm,plpks-sb-v1", buf) == 0)
84+
if (strcmp("ibm,plpks-sb-v1", buf) == 0 || strcmp("ibm,plpks-sb-v0", buf) == 0)
8485
/* PLPKS authenticated variables ESL data is prefixed with 8 bytes of timestamp */
8586
offset = 8;
8687
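
Review bot: the `offset = 8` branch at new line 84 now also covers "ibm,plpks-sb-v0", but the comment under it still justifies the skip only for "PLPKS authenticated variables", and the commit message does not say that static-mode secvar data carries the same 8-byte timestamp prefix. If it does, please state that in the comment so the v0 case is documented where the offset is set; if it does not, the certificate data would be read starting 8 bytes in for v0 and this condition should stay v1-only. Separately, the three format strings are now compared in two places (new lines 78-79 and 84); named constants or a small predicate for the PLPKS formats would keep the accept list and the offset rule from drifting apart when another format string is added.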
