Commit d34a5709 authored by Michael Ellerman's avatar Michael Ellerman

Merge branch 'topic/secureboot' into next

Merge the secureboot support, as well as the IMA changes needed to
support it.

From Nayna's cover letter:
  In order to verify the OS kernel on PowerNV systems, secure boot
  requires X.509 certificates trusted by the platform. These are
  stored in secure variables controlled by OPAL, called OPAL secure
  variables. In order to enable users to manage the keys, the secure
  variables need to be exposed to userspace.

  OPAL provides the runtime services for the kernel to be able to
  access the secure variables. This patchset defines the kernel
  interface for the OPAL APIs. These APIs are used by the hooks, which
  load these variables to the keyring and expose them to the userspace
  for reading/writing.

  Overall, this patchset adds the following support:
    * expose secure variables to the kernel via OPAL Runtime API interface
    * expose secure variables to the userspace via kernel sysfs interface
    * load kernel verification and revocation keys to .platform and
      .blacklist keyring respectively.

  The secure variables can be read/written using the simple Linux
  utilities cat/hexdump.

  For example:
  The path to the secure variables is: /sys/firmware/secvar/vars

    Each secure variable is listed as a directory.
    $ ls -l
    total 0
    drwxr-xr-x. 2 root root 0 Aug 20 21:20 db
    drwxr-xr-x. 2 root root 0 Aug 20 21:20 KEK
    drwxr-xr-x. 2 root root 0 Aug 20 21:20 PK

  The attributes of each of the secure variables are (for example: PK):
    $ ls -l
    total 0
    -r--r--r--. 1 root root  4096 Oct  1 15:10 data
    -r--r--r--. 1 root root 65536 Oct  1 15:10 size
    --w-------. 1 root root  4096 Oct  1 15:12 update

  The "data" is used to read the existing variable value using
  hexdump. The data is stored in ESL format. The "update" is used to
  write a new value using cat. The update is to be submitted as an AUTH
  file.
parents ea458eff 8220e22d
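The `data` attribute described in the cover letter holds the variable in ESL format, i.e. a chain of UEFI EFI_SIGNATURE_LIST structures. As an added example that is not part of this commit, the Python below parses such a blob the way a reader would want to after pulling it with hexdump, rejecting any length field that does not fit the buffer; the signature-type GUIDs are the UEFI-defined values, while the owner GUID and payloads are constructed stand-ins for the real contents of `/sys/firmware/secvar/vars/db/data`.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification for EFI_SIGNATURE_LIST.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
HDR_LEN = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)


def parse_esl(blob):
    """Walk concatenated EFI_SIGNATURE_LISTs and return (type_name, owner, data)
    tuples. Every length field is checked against the buffer so a truncated or
    corrupt variable raises ValueError instead of yielding garbage entries."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR_LEN:
            raise ValueError("truncated list header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = list_size - HDR_LEN - hdr_size
        if body < 0 or off + list_size > len(blob):
            raise ValueError("SignatureListSize %d overruns buffer at %d" % (list_size, off))
        # Each entry is SignatureOwner(16) + SignatureData; body holds whole entries.
        if sig_size <= 16 or body % sig_size:
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        pos = off + HDR_LEN + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=bytes(blob[pos:pos + 16]))
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), owner,
                            bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off += list_size
    return entries


def build_esl(sig_type, owner, payloads):
    """Pack one EFI_SIGNATURE_LIST with no signature header; used here only to
    construct sample input (all payloads in one list must be the same size)."""
    sig_size = 16 + len(payloads[0])
    header = sig_type.bytes_le + struct.pack(
        "<III", HDR_LEN + sig_size * len(payloads), 0, sig_size)
    return header + b"".join(owner.bytes_le + p for p in payloads)


# Constructed stand-in for the bytes read from /sys/firmware/secvar/vars/db/data:
# one X509 list (fake 32-byte certificate body) and one SHA256 hash list.
OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed owner GUID
SAMPLE_DB = (build_esl(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82" * 16])
             + build_esl(EFI_CERT_SHA256_GUID, OWNER, [b"\xaa" * 32, b"\xbb" * 32]))
```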
+4 −0
@@ -25,6 +25,7 @@ Description:
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
				 [obj_user=] [obj_role=] [obj_type=]]
			option:	[[appraise_type=]] [template=] [permit_directio]
				[appraise_flag=]
		base: 	func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
				[FIRMWARE_CHECK]
				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
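Review bot: the continuation line carrying the new `[appraise_flag=]` is not aligned with the rest of the `option:` list the way the `lsm:` continuation just above is (`[obj_user=] ...` sits under the opening `[[`); either align it the same way or put `[appraise_flag=]` on the `option:` line directly after `[[appraise_type=]]`, since the flag only applies to the appended-signature case selected through `appraise_type`.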
@@ -38,6 +39,9 @@ Description:
			fowner:= decimal value
		lsm:  	are LSM specific
		option:	appraise_type:= [imasig] [imasig|modsig]
			appraise_flag:= [check_blacklist]
			Currently, blacklist check is only for files signed with appended
			signature.
			template:= name of a defined IMA template type
			(eg, ima-ng). Only valid when action is "measure".
			pcr:= decimal value
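Review bot: the new `appraise_flag:= [check_blacklist]` entry says what the flag is restricted to but not what it does, i.e. what the appraisal outcome is when a file's appended signature matches an entry in the blacklist keyring; one sentence on that would make the option usable from the documentation alone. The restriction sentence also needs articles ("Currently, the blacklist check is only done for files signed with an appended signature."), and, like the `template` entry's "Only valid when action is "measure"", it should state that the flag is only valid when action is "appraise".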
+46 −0
What:		/sys/firmware/secvar
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	This directory is created if the POWER firmware supports OS
		secureboot, thereby secure variables. It exposes interface
		for reading/writing the secure variables

What:		/sys/firmware/secvar/vars
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	This directory lists all the secure variables that are supported
		by the firmware.

What:		/sys/firmware/secvar/format
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	A string indicating which backend is in use by the firmware.
		This determines the format of the variable and the accepted
		format of variable updates.

What:		/sys/firmware/secvar/vars/<variable name>
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Each secure variable is represented as a directory named as
		<variable_name>. The variable name is unique and is in ASCII
		representation. The data and size can be determined by reading
		their respective attribute files.

What:		/sys/firmware/secvar/vars/<variable_name>/size
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	An integer representation of the size of the content of the
		variable. In other words, it represents the size of the data.

What:		/sys/firmware/secvar/vars/<variable_name>/data
Date:		August 2019
Contact:	Nayna Jain h<nayna@linux.ibm.com>
Description:	A read-only file containing the value of the variable. The size
		of the file represents the maximum size of the variable data.

What:		/sys/firmware/secvar/vars/<variable_name>/update
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	A write-only file that is used to submit the new value for the
		variable. The size of the file represents the maximum size of
		the variable data that can be written.
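Review bot: the Contact line of the `data` entry has a stray character, `Nayna Jain h<nayna@linux.ibm.com>`; drop the `h`. The placeholder is spelled `<variable name>` in the directory entry but `<variable_name>` in the three attribute entries and in the description text, so use one spelling throughout. The `format` entry says the string names the firmware backend but not which values a reader can expect or where each backend's variable and update formats are documented, which is the one thing userspace needs from it. The first Description also reads "thereby secure variables. It exposes interface for reading/writing the secure variables" with no terminating period; "and therefore secure variables. It exposes an interface for reading/writing the secure variables." would do.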
+22 −0
@@ -952,6 +952,28 @@ config PPC_MEM_KEYS

	  If unsure, say y.

config PPC_SECURE_BOOT
	prompt "Enable secure boot support"
	bool
	depends on PPC_POWERNV
	depends on IMA_ARCH_POLICY
	help
	  Systems with firmware secure boot enabled need to define security
	  policies to extend secure boot to the OS. This config allows a user
	  to enable OS secure boot on systems that have firmware support for
	  it. If in doubt say N.

config PPC_SECVAR_SYSFS
	bool "Enable sysfs interface for POWER secure variables"
	default y
	depends on PPC_SECURE_BOOT
	depends on SYSFS
	help
	  POWER secure variables are managed and controlled by firmware.
	  These variables are exposed to userspace via sysfs to enable
	  read/write operations on these variables. Say Y if you have
	  secure boot enabled and want to expose variables to userspace.

endmenu

config ISA_DMA_API
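Review bot: the two new options use different Kconfig styles, `prompt "..."` followed by a bare `bool` for PPC_SECURE_BOOT and `bool "..."` for PPC_SECVAR_SYSFS; pick one. The PPC_SECURE_BOOT help text says the option "allows a user to enable OS secure boot" but not what it does when enabled; since it `depends on IMA_ARCH_POLICY`, a sentence stating that the IMA architecture policy rules are what extend firmware secure boot to the kernel would help a user decide between Y and N.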
+4 −1
@@ -211,7 +211,10 @@
#define OPAL_MPIPL_UPDATE			173
#define OPAL_MPIPL_REGISTER_TAG			174
#define OPAL_MPIPL_QUERY_TAG			175
#define OPAL_LAST				175
#define OPAL_SECVAR_GET				176
#define OPAL_SECVAR_GET_NEXT			177
#define OPAL_SECVAR_ENQUEUE_UPDATE		178
#define OPAL_LAST				178

#define QUIESCE_HOLD			1 /* Spin all calls at entry */
#define QUIESCE_REJECT			2 /* Fail all calls with OPAL_BUSY */
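Review bot: the three new call tokens 176, 177 and 178 and the bump of OPAL_LAST from 175 to 178 are firmware ABI, not a kernel-local choice; confirm that these exact numbers are the ones assigned to the secvar calls on the OPAL firmware side before merging, since a mismatch would make the kernel invoke a different or undefined firmware call.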
+7 −0
@@ -298,6 +298,13 @@ int opal_sensor_group_clear(u32 group_hndl, int token);
int opal_sensor_group_enable(u32 group_hndl, int token, bool enable);
int opal_nx_coproc_init(uint32_t chip_id, uint32_t ct);

int opal_secvar_get(const char *key, uint64_t key_len, u8 *data,
		    uint64_t *data_size);
int opal_secvar_get_next(const char *key, uint64_t *key_len,
			 uint64_t key_buf_size);
int opal_secvar_enqueue_update(const char *key, uint64_t key_len, u8 *data,
			       uint64_t data_size);

s64 opal_mpipl_update(enum opal_mpipl_ops op, u64 src, u64 dest, u64 size);
s64 opal_mpipl_register_tag(enum opal_mpipl_tags tag, u64 addr);
s64 opal_mpipl_query_tag(enum opal_mpipl_tags tag, u64 *addr);
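Review bot: the new prototypes leave the in/out semantics of the pointer parameters undocumented: in `opal_secvar_get` it is unclear whether `*data_size` carries the buffer size on entry and the variable length on return, and `opal_secvar_get_next` takes both `uint64_t *key_len` and `uint64_t key_buf_size`, so which one the caller must initialise is ambiguous. A short comment block above the three declarations stating what each pointer means on entry and on return would make the wrappers hard to misuse. The declarations also mix `uint64_t`/`u8` with the `u32`/`u64` kernel types used on the neighbouring declarations.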