From patchwork Tue Jan 31 06:39:23 2023
X-Patchwork-Submitter: Andrew Donnellan
X-Patchwork-Id: 50634
From: Andrew Donnellan
To: linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org
Cc: ruscur@russell.cc, bgray@linux.ibm.com, nayna@linux.ibm.com, gcwilson@linux.ibm.com, gjoyce@linux.ibm.com, brking@linux.ibm.com, stefanb@linux.ibm.com, sudhakar@linux.ibm.com, erichte@linux.ibm.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, zohar@linux.ibm.com, joel@jms.id.au, npiggin@gmail.com
Subject: [PATCH v5 20/25] powerpc/pseries: Turn PSERIES_PLPKS into a hidden option
Date: Tue, 31 Jan 2023 17:39:23 +1100
Message-Id: <20230131063928.388035-21-ajd@linux.ibm.com>
In-Reply-To: <20230131063928.388035-1-ajd@linux.ibm.com>
References: <20230131063928.388035-1-ajd@linux.ibm.com>

It seems a bit unnecessary for the PLPKS code to have a user-visible config option when it doesn't do anything on its own, and there are existing options for enabling Secure Boot-related features. It should be enabled by PPC_SECURE_BOOT, which will eventually be what uses PLPKS to populate keyrings. However, we can't get rid of the separate option completely, because it will also be used for SED Opal purposes.

Change PSERIES_PLPKS into a hidden option, which is selected by PPC_SECURE_BOOT.

Signed-off-by: Andrew Donnellan
Signed-off-by: Russell Currey
Reviewed-by: Stefan Berger

---
v3: New patch
v5: Change the previous description into a comment (npiggin)
---
 arch/powerpc/Kconfig                   |  1 +
 arch/powerpc/platforms/pseries/Kconfig | 19 +++++++++----------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index b8c4ac56bddc..d4ed46101bec 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -1029,6 +1029,7 @@ config PPC_SECURE_BOOT depends on PPC_POWERNV || PPC_PSERIES depends on IMA_ARCH_POLICY imply IMA_SECURE_AND_OR_TRUSTED_BOOT + select PSERIES_PLPKS if PPC_PSERIES help Systems with firmware secure boot enabled need to define security policies to extend secure boot to the OS. This config allows a user diff --git a/arch/powerpc/platforms/pseries/Kconfig b/arch/powerpc/platforms/pseries/Kconfig index a3b4d99567cb..e51d65969318 100644 --- a/arch/powerpc/platforms/pseries/Kconfig +++ b/arch/powerpc/platforms/pseries/Kconfig 
@@ -151,16 +151,15 @@ config IBMEBUS config PSERIES_PLPKS depends on PPC_PSERIES - bool "Support for the Platform Key Storage" - help - PowerVM provides an isolated Platform Keystore(PKS) storage - allocation for each LPAR with individually managed access - controls to store sensitive information securely. It can be - used to store asymmetric public keys or secrets as required - by different usecases. Select this config to enable - operating system interface to hypervisor to access this space. - - If unsure, select N. + bool + # PowerVM provides an isolated Platform Keystore (PKS) storage + # allocation for each LPAR with individually managed access + # controls to store sensitive information securely. It can be + # used to store asymmetric public keys or secrets as required + # by different usecases. + # + # This option is selected by in-kernel consumers that require + # access to the PKS. config PAPR_SCM depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM
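Review bot: in the arch/powerpc/Kconfig hunk, `select PSERIES_PLPKS if PPC_PSERIES` is only safe because the `if PPC_PSERIES` guard mirrors the sole `depends on PPC_PSERIES` of the selected symbol; `select` does not honour the selected symbol's own dependencies, so if PSERIES_PLPKS ever gains another `depends on`, this line has to be updated in step or the config becomes inconsistent. It would also help to mention in the PPC_SECURE_BOOT help text that enabling it now pulls in the PLPKS hypervisor interface on pseries, since the user can no longer see or toggle that option directly.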
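Review bot: in the arch/powerpc/platforms/pseries/Kconfig hunk, the new comment block carries over "usecases" from the old help text; since the text is being rewritten anyway, "use cases" is the usual spelling. A minor style point in the same hunk: `depends on PPC_PSERIES` now sits above the bare `bool`, and the common Kconfig layout puts the type line first, so swapping them would read more conventionally. The rest of the comment is clear about why there is no prompt, which is what a reader hitting a promptless `bool` will want to know.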