Comment 11 for bug 1866909

------- Comment From <email address hidden> 2020-04-01 18:31 EDT-------
Thank you for spinning that so quickly. We neglected to request these config options get turned on:
CONFIG_PPC_SECURE_BOOT=y
CONFIG_PPC_SECVAR_SYSFS=y
CONFIG_LOAD_PPC_KEYS=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_ARCH_POLICY=y

We did enable those and rebuilt the kernel and that seems to allow the basics to work (ie, policies are there). We'll do some more testing on it.

The signing key - our systems don't have same chain of trust and the key needs to be added to the firmware. Can you direct us to that, please?