From: Russell Currey
To: linuxppc-dev@lists.ozlabs.org
Cc: gregkh@linuxfoundation.org, gcwilson@linux.ibm.com, linux-kernel@vger.kernel.org, nayna@linux.ibm.com, ajd@linux.ibm.com, zohar@linux.ibm.com, mpe@ellerman.id.au, Russell Currey
Subject: [PATCH 0/6] pseries dynamic secure boot interface using secvar
Date: Wed, 28 Dec 2022 18:29:37 +1100
Message-Id: <20221228072943.429266-1-ruscur@russell.cc>

This series exposes an interface to userspace for reading and writing
secure variables contained within the PowerVM LPAR Platform KeyStore
(PLPKS) for the purpose of configuring dynamic secure boot.

This series builds on past work by Nayna Jain[0] in exposing PLPKS
variables to userspace. Rather than being a generic interface for
interacting with the keystore, however, we use the existing powerpc
secvar infrastructure to only expose objects in the keystore used for
dynamic secure boot. This has the benefit of leveraging an existing
interface and making the implementation relatively minimal.

This series needs to be applied on top of Andrew's recent bugfix
series[1].

There are a few relevant details to note about the implementation:

 * New additions to the secvar API, format() and max_size()
 * New optional sysfs directory "config/" for arbitrary ASCII variables
 * Some OPAL-specific code has been relocated from secvar-sysfs.c to
   powernv platform code. Would appreciate any powernv testing!
 * Variable names are fixed and only those used for secure boot are
   exposed. This is not a generic PLPKS interface, but also doesn't
   preclude one being added in future.

With this series, both powernv and pseries platforms support dynamic
secure boot through the same interface.

[0]: https://lore.kernel.org/linuxppc-dev/20221106210744.603240-1-nayna@linux.ibm.com/
[1]: https://lore.kernel.org/linuxppc-dev/20221220071626.1426786-1-ajd@linux.ibm.com/

Russell Currey (6):
  powerpc/pseries: Log hcall return codes for PLPKS debug
  powerpc/secvar: WARN_ON_ONCE() if multiple secvar ops are set
  powerpc/secvar: Handle format string in the consumer
  powerpc/secvar: Handle max object size in the consumer
  powerpc/secvar: Extend sysfs to include config vars
  powerpc/pseries: Implement secvars for dynamic secure boot

 Documentation/ABI/testing/sysfs-secvar        |   8 +
 arch/powerpc/include/asm/secvar.h             |   5 +
 arch/powerpc/kernel/secvar-ops.c              |   4 +-
 arch/powerpc/kernel/secvar-sysfs.c            |  76 +++---
 arch/powerpc/platforms/powernv/opal-secvar.c  |  44 +++
 arch/powerpc/platforms/pseries/Kconfig        |  13 +
 arch/powerpc/platforms/pseries/Makefile       |   4 +-
 arch/powerpc/platforms/pseries/plpks-secvar.c | 250 ++++++++++++++++++
 arch/powerpc/platforms/pseries/plpks.c        |   2 +
 9 files changed, 365 insertions(+), 41 deletions(-)
 create mode 100644 arch/powerpc/platforms/pseries/plpks-secvar.c