Commit 9155e234 authored by Nayna Jain's avatar Nayna Jain Committed by Michael Ellerman
Browse files

powerpc/powernv: Add OPAL API interface to access secure variable 



The X.509 certificates trusted by the platform and required to secure
boot the OS kernel are wrapped in secure variables, which are
controlled by OPAL.

This patch adds firmware/kernel interface to read and write OPAL
secure variables based on the unique key.

This support can be enabled using CONFIG_OPAL_SECVAR.

Signed-off-by: default avatarClaudio Carvalho <cclaudio@linux.ibm.com>
Signed-off-by: default avatarNayna Jain <nayna@linux.ibm.com>
Signed-off-by: default avatarEric Richter <erichte@linux.ibm.com>
[mpe: Make secvar_ops __ro_after_init, only build opal-secvar.c if PPC_SECURE_BOOT=y]
Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/1573441836-3632-2-git-send-email-nayna@linux.ibm.com
parent 39a963b4

arch/powerpc/include/asm/opal-api.h

+4 −1
Original line number Diff line number Diff line
@@ -211,7 +211,10 @@ 
#define OPAL_MPIPL_UPDATE			173

#define OPAL_MPIPL_REGISTER_TAG			174

#define OPAL_MPIPL_QUERY_TAG			175

#define OPAL_LAST				175

#define OPAL_SECVAR_GET				176

#define OPAL_SECVAR_GET_NEXT			177

#define OPAL_SECVAR_ENQUEUE_UPDATE		178

#define OPAL_LAST				178



#define QUIESCE_HOLD			1 /* Spin all calls at entry */

#define QUIESCE_REJECT			2 /* Fail all calls with OPAL_BUSY */

arch/powerpc/include/asm/opal.h

+7 −0
Original line number Diff line number Diff line
@@ -298,6 +298,13 @@ int opal_sensor_group_clear(u32 group_hndl, int token); 
int opal_sensor_group_enable(u32 group_hndl, int token, bool enable);

int opal_nx_coproc_init(uint32_t chip_id, uint32_t ct);



int opal_secvar_get(const char *key, uint64_t key_len, u8 *data,

		    uint64_t *data_size);

int opal_secvar_get_next(const char *key, uint64_t *key_len,

			 uint64_t key_buf_size);

int opal_secvar_enqueue_update(const char *key, uint64_t key_len, u8 *data,

			       uint64_t data_size);



s64 opal_mpipl_update(enum opal_mpipl_ops op, u64 src, u64 dest, u64 size);

s64 opal_mpipl_register_tag(enum opal_mpipl_tags tag, u64 addr);

s64 opal_mpipl_query_tag(enum opal_mpipl_tags tag, u64 *addr);

arch/powerpc/include/asm/secvar.h

0 → 100644
+35 −0
Original line number Diff line number Diff line 
/* SPDX-License-Identifier: GPL-2.0 */

/*

 * Copyright (C) 2019 IBM Corporation

 * Author: Nayna Jain

 *

 * PowerPC secure variable operations.

 */

#ifndef SECVAR_OPS_H

#define SECVAR_OPS_H



#include <linux/types.h>

#include <linux/errno.h>



extern const struct secvar_operations *secvar_ops;



struct secvar_operations {

	int (*get)(const char *key, uint64_t key_len, u8 *data,

		   uint64_t *data_size);

	int (*get_next)(const char *key, uint64_t *key_len,

			uint64_t keybufsize);

	int (*set)(const char *key, uint64_t key_len, u8 *data,

		   uint64_t data_size);

};



#ifdef CONFIG_PPC_SECURE_BOOT



extern void set_secvar_ops(const struct secvar_operations *ops);



#else



static inline void set_secvar_ops(const struct secvar_operations *ops) { }



#endif



#endif

arch/powerpc/kernel/Makefile

+1 −1
Original line number Diff line number Diff line
@@ -161,7 +161,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),) 
obj-y				+= ucall.o

endif



obj-$(CONFIG_PPC_SECURE_BOOT)	+= secure_boot.o ima_arch.o

obj-$(CONFIG_PPC_SECURE_BOOT)	+= secure_boot.o ima_arch.o secvar-ops.o



# Disable GCOV, KCOV & sanitizers in odd or sensitive code

GCOV_PROFILE_prom_init.o := n

arch/powerpc/kernel/secvar-ops.c

0 → 100644
+17 −0
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0

/*

 * Copyright (C) 2019 IBM Corporation

 * Author: Nayna Jain

 *

 * This file initializes secvar operations for PowerPC Secureboot

 */



#include <linux/cache.h>

#include <asm/secvar.h>



const struct secvar_operations *secvar_ops __ro_after_init;



void set_secvar_ops(const struct secvar_operations *ops)

{

	secvar_ops = ops;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE