| Message ID | 20230210080401.345462-27-ajd@linux.ibm.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp821268wrn;
Fri, 10 Feb 2023 00:07:38 -0800 (PST)
X-Google-Smtp-Source:
AK7set/ccuQk/JfKbMAhqQe7G61N1fA05xLxiKelYm7jIZUahhlshjQEbjbZAXkMzKDyAbXsQY6m
X-Received: by 2002:a17:906:dc9:b0:888:33a:e359 with SMTP id
p9-20020a1709060dc900b00888033ae359mr14733163eji.38.1676016458648;
Fri, 10 Feb 2023 00:07:38 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1676016458; cv=none;
d=google.com; s=arc-20160816;
b=solkvAqwqfeXzlckuKq5tSe4JIcTLnuuiFbiDjiJEu7WakKFkehFw42tVfh1sULcf4
7jca+CaXmtdZnb+jZ6D6b835PfJivKDe3Haet4avHFcC7yJmtoBbrc4NJmsZ5/MkoRVt
nYhn2dkYlNyJrd/g0iCA1GVs29Mxd8Lk++fidmsh8XzZV/enFnWnVlPZ3BvcT1SIXlBB
cI/NxiEPsszjMlfCZdvbOZFawZn6XWPqTskLHV+iMSV0yYPTP4SyG3HT7gO8+84T35me
H3epRgzMnz0Cv8CPyRGZBh7lViWzvwJxhDdQwQQDqxgbz9B+3MXEZTeusJTbCbgdMuGC
OISQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature;
bh=rrTNg83lJ7wakaXXcijVCkkIStFN8UYyTvaL1kZX0qY=;
b=acWgF6+H6yHyxkneYJaH3QdBYQsGSwUojs1fZ5f1bVI6HNJH2Ul43+0XTGK2oEmH5B
UDumw9VROymtI3ZlUCl4vGKtdQowFMUj3z4G6SHoFHThpO/+3jVzWzdcnGMZAsI5VuWr
SvVNmUMV3A/98T9I2RK1bIXiZWaF+UY3NQ/nY+8ij/Ok98dVB1croJbOfnVuqEpOv9g+
tkH5fUEF9SEoMQXtfkrvN2q9D2p/FWgRMyChmhL904yIihhrM7hNXZeTYtIniNpsqSaw
Lj2l7EuKYirDAYs4oO1hEXawqZqF/eBbXgSEtIVdDi0eNxoQy3Go5PhOiGg9spIJjq+J
di2Q==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@ibm.com header.s=pp1 header.b="LGpHkk/u";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
mx11-20020a1709065a0b00b008776a3205ffsi3686434ejc.38.2023.02.10.00.07.15;
Fri, 10 Feb 2023 00:07:38 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@ibm.com header.s=pp1 header.b="LGpHkk/u";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231683AbjBJIGC (ORCPT <rfc822;ybw1215001957@gmail.com>
+ 99 others); Fri, 10 Feb 2023 03:06:02 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46748 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231622AbjBJIFO (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 10 Feb 2023 03:05:14 -0500
Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
[148.163.156.1])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CDA7481854;
Fri, 10 Feb 2023 00:04:37 -0800 (PST)
Received: from pps.filterd (m0098396.ppops.net [127.0.0.1])
by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id
31A7wePn014028;
Fri, 10 Feb 2023 08:04:29 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com;
h=from : to : cc : subject
: date : message-id : in-reply-to : references : mime-version :
content-transfer-encoding; s=pp1;
bh=rrTNg83lJ7wakaXXcijVCkkIStFN8UYyTvaL1kZX0qY=;
b=LGpHkk/utfES1QgbsXjjnYp/1mus9L6gXLNOHl9rBaX1CqocrDQ88csmf6MTYO2UGkX9
ugFzvc78u0V6QbZEfly7BkTq5/QMwl3Js3FJir8x0LsLHuajTRE3Ma+7QEDiohy6Xrbu
Vyec0PhkmCV7Sef+vIBysvSIG0VtyhgaAHWem705PYCTbYM3OQVfOL8HQZTblLW4+Ibr
aRKSorh0L78FihdxBJzejmUADl7vmNExBH0/HP8MBjSQ6htIvpgQixCdkOcJEs1x3NhU
LPGfcI/7nCeku1ZJ6tmA1khjK/uHSc+IBbsxy2z00QxvP9/+Glgke1Bk7LXduwp98JFO gg==
Received: from pps.reinject (localhost [127.0.0.1])
by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3nnj0sr5g3-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT);
Fri, 10 Feb 2023 08:04:29 +0000
Received: from m0098396.ppops.net (m0098396.ppops.net [127.0.0.1])
by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 31A80uZq020556;
Fri, 10 Feb 2023 08:04:28 GMT
Received: from ppma03fra.de.ibm.com (6b.4a.5195.ip4.static.sl-reverse.com
[149.81.74.107])
by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3nnj0sr5es-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT);
Fri, 10 Feb 2023 08:04:28 +0000
Received: from pps.filterd (ppma03fra.de.ibm.com [127.0.0.1])
by ppma03fra.de.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id
319Bdsn3000395;
Fri, 10 Feb 2023 08:04:26 GMT
Received: from smtprelay07.fra02v.mail.ibm.com ([9.218.2.229])
by ppma03fra.de.ibm.com (PPS) with ESMTPS id 3nhf06n3uu-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT);
Fri, 10 Feb 2023 08:04:26 +0000
Received: from smtpav02.fra02v.mail.ibm.com (smtpav02.fra02v.mail.ibm.com
[10.20.54.101])
by smtprelay07.fra02v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with
ESMTP id 31A84NtX29688152
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
verify=OK);
Fri, 10 Feb 2023 08:04:23 GMT
Received: from smtpav02.fra02v.mail.ibm.com (unknown [127.0.0.1])
by IMSVA (Postfix) with ESMTP id 34E722004B;
Fri, 10 Feb 2023 08:04:23 +0000 (GMT)
Received: from smtpav02.fra02v.mail.ibm.com (unknown [127.0.0.1])
by IMSVA (Postfix) with ESMTP id 2C9E32004F;
Fri, 10 Feb 2023 08:04:22 +0000 (GMT)
Received: from ozlabs.au.ibm.com (unknown [9.192.253.14])
by smtpav02.fra02v.mail.ibm.com (Postfix) with ESMTP;
Fri, 10 Feb 2023 08:04:22 +0000 (GMT)
Received: from jarvis-ozlabs-ibm-com.ozlabs.ibm.com (haven.au.ibm.com
[9.192.254.114])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ozlabs.au.ibm.com (Postfix) with ESMTPSA id 22453609C6;
Fri, 10 Feb 2023 19:04:16 +1100 (AEDT)
From: Andrew Donnellan <ajd@linux.ibm.com>
To: linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org
Cc: ruscur@russell.cc, bgray@linux.ibm.com, nayna@linux.ibm.com,
gcwilson@linux.ibm.com, gjoyce@linux.ibm.com, brking@linux.ibm.com,
stefanb@linux.ibm.com, sudhakar@linux.ibm.com,
erichte@linux.ibm.com, gregkh@linuxfoundation.org,
linux-kernel@vger.kernel.org, zohar@linux.ibm.com, joel@jms.id.au,
npiggin@gmail.com
Subject: [PATCH v6 26/26] integrity/powerpc: Support loading keys from PLPKS
Date: Fri, 10 Feb 2023 19:04:01 +1100
Message-Id: <20230210080401.345462-27-ajd@linux.ibm.com>
X-Mailer: git-send-email 2.39.1
In-Reply-To: <20230210080401.345462-1-ajd@linux.ibm.com>
References: <20230210080401.345462-1-ajd@linux.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
X-Proofpoint-ORIG-GUID: mhrrDLiXlOoUagyQDR59ONps7h0XfGmn
X-Proofpoint-GUID: x-myQ4hbvBCWzWHMna7FIh51ivzA-EI2
X-Proofpoint-Virus-Version: vendor=baseguard
engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.170.22
definitions=2023-02-10_03,2023-02-09_03,2023-02-09_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
adultscore=0
priorityscore=1501 phishscore=0 impostorscore=0 malwarescore=0
mlxlogscore=999 spamscore=0 mlxscore=0 suspectscore=0 clxscore=1015
bulkscore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx
scancount=1 engine=8.12.0-2212070000 definitions=main-2302100070
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1757430634080969538?=
X-GMAIL-MSGID: =?utf-8?q?1757430634080969538?=
|
| Series |
pSeries dynamic secure boot secvar interface + platform keyring loading
|
|
Commit Message
Andrew Donnellan
Feb. 10, 2023, 8:04 a.m. UTC
From: Russell Currey <ruscur@russell.cc> Add support for loading keys from the PLPKS on pseries machines, with the "ibm,plpks-sb-v1" format. The object format is expected to be the same, so there shouldn't be any functional differences between objects retrieved on powernv or pseries. Unlike on powernv, on pseries the format string isn't contained in the device tree. Use secvar_ops->format() to fetch the format string in a generic manner, rather than searching the device tree ourselves. (The current code searches the device tree for a node compatible with "ibm,edk2-compat-v1". This patch switches to calling secvar_ops->format(), which in the case of OPAL/powernv means opal_secvar_format(), which searches the device tree for a node compatible with "ibm,secvar-backend" and checks its "format" property. These are equivalent, as skiboot creates a node with both "ibm,edk2-compat-v1" and "ibm,secvar-backend" as compatible strings.) Signed-off-by: Russell Currey <ruscur@russell.cc> Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> --- v3: New patch v4: Pass format buffer size (stefanb, npiggin) v5: Use sizeof(buf) rather than stating the size twice (npiggin) Clarify change to DT compatible strings in commit message (zohar) Reword commit message a bit (ajd) --- .../integrity/platform_certs/load_powerpc.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c index dee51606d5f4..b9de70b90826 100644 --- a/security/integrity/platform_certs/load_powerpc.c +++ b/security/integrity/platform_certs/load_powerpc.c @@ -10,7 +10,6 @@ #include <linux/cred.h> #include <linux/err.h> #include <linux/slab.h> -#include <linux/of.h> #include <asm/secure_boot.h> #include <asm/secvar.h> #include "keyring_handler.h" @@ -59,16 +58,22 @@ static int __init load_powerpc_certs(void) void *db = NULL, *dbx = NULL; u64 dbsize = 0, dbxsize = 0; int rc = 0; - struct device_node *node; + ssize_t len; + char buf[32]; if (!secvar_ops) return -ENODEV; - /* The following only applies for the edk2-compat backend. */ - node = of_find_compatible_node(NULL, NULL, "ibm,edk2-compat-v1"); - if (!node) + len = secvar_ops->format(buf, sizeof(buf)); + if (len <= 0) return -ENODEV; + // Check for known secure boot implementations from OPAL or PLPKS + if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf)) { + pr_err("Unsupported secvar implementation \"%s\", not loading certs\n", buf); + return -ENODEV; + } + /* * Get db, and dbx. They might not exist, so it isn't an error if we * can't get them. @@ -103,8 +108,6 @@ static int __init load_powerpc_certs(void) kfree(dbx); } - of_node_put(node); - return rc; } late_initcall(load_powerpc_certs);