[v6,00/26] pSeries dynamic secure boot secvar interface + platform keyring loading

Message ID 20230210080401.345462-1-ajd@linux.ibm.com


Andrew Donnellan Feb. 10, 2023, 8:03 a.m. UTC
This series exposes an interface to userspace for reading and writing
secure variables contained within the PowerVM LPAR Platform KeyStore
(PLPKS) for the purpose of configuring dynamic secure boot, and adds
the glue required to load keys from the PLPKS into the platform keyring.

This series builds on past work by Nayna Jain[0] in exposing PLPKS
variables to userspace.  Rather than being a generic interface for
interacting with the keystore, however, we use the existing powerpc
secvar infrastructure to only expose objects in the keystore used
for dynamic secure boot.  This has the benefit of leveraging an
existing interface and making the implementation relatively minimal.

This series integrates a previous series to fix some bugs in PLPKS
and implement support for signed updates[1], and a cleanup patch from
Michael Ellerman[2].

There are a few relevant details to note about the implementation:

 * New additions to the secvar API: format(), max_size(), config_attrs,
   var_names

 * New optional sysfs directory "config/" for arbitrary ASCII variables

 * Some OPAL-specific code has been relocated from secvar-sysfs.c to
   powernv platform code.  Would appreciate any powernv testing!

 * Variable names are fixed and only those used for secure boot are
   exposed.  This is not a generic PLPKS interface, but also doesn't
   preclude one being added in future.

With this series, both powernv and pseries platforms support dynamic
secure boot through the same interface.

Many thanks to Nayna Jain, Ben Gray, Sudhakar Kuppusamy, Shubham Pandey,
Mimi Zohar, George Wilson and the others at IBM who have helped us with
developing this series, and to everyone who has provided review comments
and feedback.

[0]: https://lore.kernel.org/linuxppc-dev/20221106210744.603240-1-nayna@linux.ibm.com/
[1]: https://lore.kernel.org/linuxppc-dev/20221220071626.1426786-1-ajd@linux.ibm.com/
[2]: https://lore.kernel.org/linuxppc-dev/20230112023819.1692452-1-mpe@ellerman.id.au/

v1: https://lore.kernel.org/linuxppc-dev/20221228072943.429266-1-ruscur@russell.cc/
v2: https://lore.kernel.org/linuxppc-dev/20221230042014.154483-1-ruscur@russell.cc/
v3: https://lore.kernel.org/linuxppc-dev/20230118061049.1006141-1-ajd@linux.ibm.com/
v4: https://lore.kernel.org/linuxppc-dev/20230120074306.1326298-1-ajd@linux.ibm.com/
v5: https://lore.kernel.org/linuxppc-dev/20230131063928.388035-1-ajd@linux.ibm.com/

=================

Changes in v6:

    Minor code style + commit message fixes (stefanb)

    Get rid of an unneeded kzalloc (npiggin)

    Don't allocate extra space in the FDT on kexec (ruscur)

    Clarify the warning message in cases where password is already set (ajd)

Changes in v5:

    New patch to fix incorrect return value in secvar_sysfs_load() (ruscur)

    Better explanation of power of 2 kmalloc rounding (mpe)

    Add null component check on signed updates (npiggin)

    Don't export plpks_signed_update_var() (npiggin)

    Fix all the feedback we got on kexec handling, including removing the
    password from the FDT (npiggin, mpe)

    Enable plpks-secvar.c using CONFIG_PPC_SECURE_BOOT rather than
    CONFIG_PPC_SECVAR_SYSFS (ajd)

    Clarify handling of ibm,secvar-backend vs ibm,edk2-compat-v1
    compatible string (zohar)

    Lots of miscellaneous improvements (npiggin)

Changes in v4:

    Fix the build when CONFIG_PSERIES_PLPKS=n (snowpatch)

    Shuffled fixes to the front of the series (npiggin)

    Pass buffer size in secvar_operations->format() (stefanb, npiggin)

    Return an error when set_secvar_ops() fails (npiggin)

    Add some extra null checks (stefanb, gjoyce)

    Add commit message comment elaborating on PAGE_SIZE issues (joel)

    Fix error handling in the kexec code (ruscur)

    Fix hvcall.h MAX_HCALL_OPCODE rebasing issue (npiggin)

Changes in v3:

    Integrate Andrew's PLPKS bugfixes and enhancements series and Michael
    Ellerman's u64 cleanup patch into this series (and update the other
    patches to use u64)

    New patches to load keys from the PLPKS into the kernel's platform
    keyring (ruscur)

    New patches to pass PLPKS password to new kernels when kexecing
    (ruscur)

    Improve handling of format strings (ruscur)

    Clean up secvar error messages (ajd)

    Merge config attributes into secvar_operations (mpe)

    Add a new static variable names API rather than (ab)using get_next()
    (ajd/mpe)

    Warning message when PAGE_SIZE is smaller than the max object size
    (ajd)

    Move plpks.h to the include directory, and move a bunch of constants
    in there with a consistent naming scheme

    Refresh PLPKS config values whenever plpks_get_usedspace() is called
    (ajd)

    Extra validation on PLPKS config values (ruscur)

    Return maxobjlabelsize to userspace as is without subtracting overhead (ruscur)

    Fix error code handling in plpks_confirm_object_flushed() (ruscur)

    Pass plpks_var struct to plpks_signed_update_var() by reference (mpe)

    Make the data buffer in plpks_read_var() caller-allocated to reduce
    number of allocations/copies (mpe)

    Rework the Kconfig options so that PSERIES_PLPKS is a hidden option,
    turned on by enabling PPC_SECURE_BOOT, and the PLPKS secvar code is
    activated by PPC_SECVAR_SYSFS to match powernv (ajd)

    Use machine_arch_initcall() rather than device_initcall() so we don't
    break powernv (mpe)

    Improve ABI documentation (mpe)

    Return -EIO on most read errors (mpe)

    Add "grubdbx" variable (Sudhakar)

    Use utf8s_to_utf16s() rather than our own "UCS-2" conversion code (mpe)

    Fix SB_VERSION data length (ruscur)

    Stop prepending policy data on read (ruscur)

    Don't print errors to the kernel log when reading non-existent
    variables (Sudhakar)

    Miscellaneous code style, checkpatch cleanups

Changes in v2:

    Remove unnecessary config vars from sysfs and document the others,
    thanks to review from Greg.  If we end up needing to expose more, we
    can add them later and update the docs.

    Use sysfs_emit() instead of sprintf() for all sysfs strings

    Change the size of the sysfs binary attributes to include the 8-byte
    flags header, preventing truncation of large writes.

Andrew Donnellan (9):
  powerpc/pseries: Fix handling of PLPKS object flushing timeout
  powerpc/pseries: Fix alignment of PLPKS structures and buffers
  powerpc/secvar: Clean up init error messages
  powerpc/secvar: Allow backend to populate static list of variable
    names
  powerpc/secvar: Warn when PAGE_SIZE is smaller than max object size
  powerpc/secvar: Don't print error on ENOENT when reading variables
  powerpc/pseries: Make caller pass buffer to plpks_read_var()
  powerpc/pseries: Turn PSERIES_PLPKS into a hidden option
  powerpc/pseries: Clarify warning when PLPKS password already set

Michael Ellerman (1):
  powerpc/secvar: Use u64 in secvar_operations

Nayna Jain (2):
  powerpc/pseries: Expose PLPKS config values, support additional fields
  powerpc/pseries: Implement signed update for PLPKS objects

Russell Currey (14):
  powerpc/secvar: Fix incorrect return in secvar_sysfs_load()
  powerpc/secvar: Warn and error if multiple secvar ops are set
  powerpc/secvar: Use sysfs_emit() instead of sprintf()
  powerpc/secvar: Handle format string in the consumer
  powerpc/secvar: Handle max object size in the consumer
  powerpc/secvar: Extend sysfs to include config vars
  powerpc/pseries: Move plpks.h to include directory
  powerpc/pseries: Move PLPKS constants to header file
  powerpc/pseries: Log hcall return codes for PLPKS debug
  powerpc/pseries: Add helper to get PLPKS password length
  powerpc/pseries: Pass PLPKS password on kexec
  powerpc/pseries: Implement secvars for dynamic secure boot
  integrity/powerpc: Improve error handling & reporting when loading
    certs
  integrity/powerpc: Support loading keys from PLPKS

 Documentation/ABI/testing/sysfs-secvar        |  75 +++-
 arch/powerpc/Kconfig                          |   1 +
 arch/powerpc/include/asm/hvcall.h             |   1 +
 arch/powerpc/include/asm/plpks.h              | 195 +++++++++
 arch/powerpc/include/asm/secvar.h             |  21 +-
 arch/powerpc/kernel/prom.c                    |   4 +
 arch/powerpc/kernel/secvar-ops.c              |  10 +-
 arch/powerpc/kernel/secvar-sysfs.c            | 178 ++++----
 arch/powerpc/kexec/file_load_64.c             |  18 +-
 arch/powerpc/platforms/powernv/opal-secvar.c  |  60 ++-
 arch/powerpc/platforms/pseries/Kconfig        |  19 +-
 arch/powerpc/platforms/pseries/Makefile       |   4 +-
 arch/powerpc/platforms/pseries/plpks-secvar.c | 218 ++++++++++
 arch/powerpc/platforms/pseries/plpks.c        | 381 +++++++++++++++---
 arch/powerpc/platforms/pseries/plpks.h        |  71 ----
 .../integrity/platform_certs/load_powerpc.c   |  47 ++-
 16 files changed, 1046 insertions(+), 257 deletions(-)
 create mode 100644 arch/powerpc/include/asm/plpks.h
 create mode 100644 arch/powerpc/platforms/pseries/plpks-secvar.c
 delete mode 100644 arch/powerpc/platforms/pseries/plpks.h
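As an added example, not code from the series or from the kernel tree: a POSIX shell check an administrator can run after boot to confirm the interface this series exposes and that the expected secure boot objects are populated. It assumes the sysfs layout described in Documentation/ABI/testing/sysfs-secvar (a `format` file, `vars/<name>/size` and `vars/<name>/data`, and the new optional `config/` directory of ASCII values); the root path defaults to `/sys/firmware/secvar`, and any tree it is run against other than the real one is a constructed stand-in.

```shell
#!/bin/sh
# Added example, not part of the patch series. Assumed layout (from the
# sysfs-secvar ABI document): $ROOT/format, $ROOT/vars/<name>/size,
# $ROOT/vars/<name>/data and, with this series, $ROOT/config/<name>.

# Print the backend format, the optional config/ values and the size of
# every exposed variable. Returns 1 if no secvar backend is registered.
secvar_summary() {
    root="${1:-/sys/firmware/secvar}"
    if [ ! -d "$root/vars" ]; then
        echo "no secvar interface at $root (no secure boot backend registered?)" >&2
        return 1
    fi
    if [ -r "$root/format" ]; then
        echo "format: $(cat "$root/format")"
    fi
    # config/ only exists when the backend provides config_attrs
    if [ -d "$root/config" ]; then
        for f in "$root"/config/*; do
            [ -f "$f" ] || continue
            echo "config/$(basename "$f"): $(cat "$f")"
        done
    fi
    for d in "$root"/vars/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        size=$(cat "$d/size" 2>/dev/null || echo '?')
        case "$size" in
            0)   state="empty" ;;
            '?') state="unreadable" ;;
            *)   state="populated" ;;
        esac
        echo "var $name: size=$size ($state)"
    done
}

# Return 0 only if every named variable exists and holds data; a missing or
# empty db/dbx is worth flagging before relying on dynamic secure boot.
secvar_require() {
    root="$1"; shift
    missing=0
    for name in "$@"; do
        size=$(cat "$root/vars/$name/size" 2>/dev/null || echo 0)
        if [ "$size" -eq 0 ] 2>/dev/null; then
            echo "missing or empty: $name" >&2
            missing=1
        fi
    done
    return $missing
}
```

Run `secvar_summary` with no argument on the live system, and `secvar_require /sys/firmware/secvar db dbx` from a boot-time health check to fail loudly when the keystore does not carry the objects the policy depends on.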

Comments

Michael Ellerman Feb. 15, 2023, 12:41 p.m. UTC | #1
On Fri, 10 Feb 2023 19:03:35 +1100, Andrew Donnellan wrote:
> This series exposes an interface to userspace for reading and writing
> secure variables contained within the PowerVM LPAR Platform KeyStore
> (PLPKS) for the purpose of configuring dynamic secure boot, and adds
> the glue required to load keys from the PLPKS into the platform keyring.
> 
> This series builds on past work by Nayna Jain[0] in exposing PLPKS
> variables to userspace.  Rather than being a generic interface for
> interacting with the keystore, however, we use the existing powerpc
> secvar infrastructure to only expose objects in the keystore used
> for dynamic secure boot.  This has the benefit of leveraging an
> existing interface and making the implementation relatively minimal.
> 
> [...]

Applied to powerpc/next.

[01/26] powerpc/pseries: Fix handling of PLPKS object flushing timeout
        https://git.kernel.org/powerpc/c/f74dcbfd27c647af9b7b83f3711c63712c677abd
[02/26] powerpc/pseries: Fix alignment of PLPKS structures and buffers
        https://git.kernel.org/powerpc/c/fcf63d6b8ab9b12c2ce1b4bde12a3c391029c998
[03/26] powerpc/secvar: Fix incorrect return in secvar_sysfs_load()
        https://git.kernel.org/powerpc/c/c9fd2952754a03b2c14433c0318f4b46e9c0f2ef
[04/26] powerpc/secvar: Use u64 in secvar_operations
        https://git.kernel.org/powerpc/c/53cea34b0a0a03568e189f8dfe2eb06f938986c8
[05/26] powerpc/secvar: Warn and error if multiple secvar ops are set
        https://git.kernel.org/powerpc/c/26149b02021158248b13e323f06372d87f076883
[06/26] powerpc/secvar: Use sysfs_emit() instead of sprintf()
        https://git.kernel.org/powerpc/c/16943a2faf94ef671e60c7577511c0d119fbdfc8
[07/26] powerpc/secvar: Handle format string in the consumer
        https://git.kernel.org/powerpc/c/ec2f40bd004b4b9142469282d4a6ce9afa22f9c0
[08/26] powerpc/secvar: Handle max object size in the consumer
        https://git.kernel.org/powerpc/c/e02407944052554c1685e11e56175147d1ac56b6
[09/26] powerpc/secvar: Clean up init error messages
        https://git.kernel.org/powerpc/c/caefd3b77450e330845755ea57add2315fd5e4d9
[10/26] powerpc/secvar: Extend sysfs to include config vars
        https://git.kernel.org/powerpc/c/86b6c0ae2caee9cadee1256d31b204ea54cb55c0
[11/26] powerpc/secvar: Allow backend to populate static list of variable names
        https://git.kernel.org/powerpc/c/50a466bf3e6f6f177dc0aeefa46a2f8927075a1d
[12/26] powerpc/secvar: Warn when PAGE_SIZE is smaller than max object size
        https://git.kernel.org/powerpc/c/6d64c497a31bd888110785def44529ebb96bce49
[13/26] powerpc/secvar: Don't print error on ENOENT when reading variables
        https://git.kernel.org/powerpc/c/c96db155ebc6be868d5dde1b5caf6879c181cda4
[14/26] powerpc/pseries: Move plpks.h to include directory
        https://git.kernel.org/powerpc/c/90b74e305d6b5a444b1283dd7ad1caf6acaa0340
[15/26] powerpc/pseries: Move PLPKS constants to header file
        https://git.kernel.org/powerpc/c/3def7a3e7c2ce2ab5e5c54561da7125206851be4
[16/26] powerpc/pseries: Expose PLPKS config values, support additional fields
        https://git.kernel.org/powerpc/c/119da30d037dced29118fb90afe683ff50313386
[17/26] powerpc/pseries: Implement signed update for PLPKS objects
        https://git.kernel.org/powerpc/c/899d9b8fee66da820eadc60b2a70090eb83db761
[18/26] powerpc/pseries: Log hcall return codes for PLPKS debug
        https://git.kernel.org/powerpc/c/ebdcd42347157647ffe6c4d2808e4e5c146475d3
[19/26] powerpc/pseries: Make caller pass buffer to plpks_read_var()
        https://git.kernel.org/powerpc/c/0cf2cc1fe4e2e7a37da077cdd3fba5cfd9a6a36c
[20/26] powerpc/pseries: Turn PSERIES_PLPKS into a hidden option
        https://git.kernel.org/powerpc/c/46b2cbebac1e862e4c8317aa26e7d7d632242c2f
[21/26] powerpc/pseries: Clarify warning when PLPKS password already set
        https://git.kernel.org/powerpc/c/ca4f1d221c84fe364517b15af65f3f0e4ce9719a
[22/26] powerpc/pseries: Add helper to get PLPKS password length
        https://git.kernel.org/powerpc/c/9ee76bd5c7e39b622660cc14833ead1967f2038d
[23/26] powerpc/pseries: Pass PLPKS password on kexec
        https://git.kernel.org/powerpc/c/91361b5175d2b3704f7e436d0071893c839e1199
[24/26] powerpc/pseries: Implement secvars for dynamic secure boot
        https://git.kernel.org/powerpc/c/ccadf154cb00b9ee9618d209aa3efc54b35a34b4
[25/26] integrity/powerpc: Improve error handling & reporting when loading certs
        https://git.kernel.org/powerpc/c/3c8069b0c3832674abd80a5cf019c913e62de9a5
[26/26] integrity/powerpc: Support loading keys from PLPKS
        https://git.kernel.org/powerpc/c/4b3e71e9a34c48f370b6281e9477515d588e7b26

cheers