Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp532564ybe; Mon, 2 Sep 2019 05:36:27 -0700 (PDT) X-Google-Smtp-Source: APXvYqyd+C2F3nTFCvy7Du3a5rKr3WYo9J/Cm6S/rVKZJn0Sg+fTBxhh+5bhns6q7Av9AEsfAl0e X-Received: by 2002:a65:64cf:: with SMTP id t15mr24517357pgv.88.1567427787688; Mon, 02 Sep 2019 05:36:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1567427787; cv=none; d=google.com; s=arc-20160816; b=yCka4ve6lObg6zzu7MG3J5bOcyZWzN3iWy0jCapgpx2sLP+hPN87aA+xDu3i2UW44o U9VKK3og9WK7CWWr8/PpwBMm1CzEGCA9Xskn08cQaGo0PbD4gvH5h3HtFsibUDP08HCk RUPlvh6PQn0fUhmiSzytsa189Yxee/jCkbr0Kc3fMpzXPiDOHzMU1qU3Ms1s6SO6nooM rAcP6vniLfbqdrHCBUMBU+rl2007SeDx58XT90C6yfhi08ku0mNpGHmB+8EjxAnf1VOn ffALE1CTWyF1pG9g71pYkxxw09gCZUy8ePBAAWHW4E/m+5lEuZiEVeMauSUq7MvLAOpl clIA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from; bh=GZ+p7z5UUkYpMULNz0/hgmEjyWRIXzzLXIWNvQXMt4Q=; b=Wv6mnSwueGnkFdVYUGK5XvtvWAFamgPi1n0xyAR/3SMryh/0N+PkGBq2fQUqdXS4UO xzucuxhc06dYRGxUM/KCEgC6ONjeTLfDqMi4i3rRwhreKNRAHxv1Zy2iktWLaQNphN6o S1SN+uKqhl5mw55oQauGTy520HkQDp8Urgfup7jhc8aTV0FI3P8RVfDGlpHLqtKdNDql 9EbP9NPw45yFSt2vKDONFSf0i+xL8/GjqCW7Kgn8TkI+8yuvzV9ywD5ARFD/9KJ8Rmlz 0dJe2sFjsqMunkTWmL+ZlmYMFxOUAqPKlj/xanRPz2f+Q3DdjvZxASEfEMcs+/PNJBfv YKDA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b1si11678549pgd.263.2019.09.02.05.36.12; Mon, 02 Sep 2019 05:36:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730432AbfIBLwl (ORCPT + 99 others); Mon, 2 Sep 2019 07:52:41 -0400 Received: from ozlabs.org ([203.11.71.1]:48367 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729850AbfIBLwl (ORCPT ); Mon, 2 Sep 2019 07:52:41 -0400 Received: from authenticated.ozlabs.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail.ozlabs.org (Postfix) with ESMTPSA id 46MT3T1Rzqz9s7T; Mon, 2 Sep 2019 21:52:37 +1000 (AEST) From: Michael Ellerman To: Nayna Jain , linuxppc-dev@ozlabs.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Paul Mackerras , Benjamin Herrenschmidt , Ard Biesheuvel , Jeremy Kerr , Matthew Garret , Mimi Zohar , Claudio Carvalho , Elaine Palmer , George Wilson , Eric Ricther , Nayna Jain Subject: Re: [PATCH v5 1/2] powerpc: detect the secure boot mode of the system In-Reply-To: <1566218108-12705-2-git-send-email-nayna@linux.ibm.com> References: <1566218108-12705-1-git-send-email-nayna@linux.ibm.com> <1566218108-12705-2-git-send-email-nayna@linux.ibm.com> Date: Mon, 02 Sep 2019 21:52:36 +1000 Message-ID: <87tv9usynv.fsf@mpe.ellerman.id.au> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Nayna, Sorry I've taken so long to get to this series, there's just too many patches that need reviewing :/ Nayna Jain writes: > Secure boot on POWER defines different IMA policies based on the secure > boot state of the system. The terminology throughout is a bit vague, we have POWER, PowerPC, Linux on POWER etc. What this patch is talking about is a particular implemention of secure boot on some OpenPOWER machines running bare metal - am I right? So saying "Secure boot on POWER defines different IMA policies" is a bit broad I think. Really we've just decided that a way to implement secure boot is to use IMA policies. > This patch defines a function to detect the secure boot state of the > system. > > The PPC_SECURE_BOOT config represents the base enablement of secureboot > on POWER. > > Signed-off-by: Nayna Jain > --- > arch/powerpc/Kconfig | 11 +++++ > arch/powerpc/include/asm/secboot.h | 27 ++++++++++++ > arch/powerpc/kernel/Makefile | 2 + > arch/powerpc/kernel/secboot.c | 71 ++++++++++++++++++++++++++++++ > 4 files changed, 111 insertions(+) > create mode 100644 arch/powerpc/include/asm/secboot.h > create mode 100644 arch/powerpc/kernel/secboot.c > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > index 77f6ebf97113..c902a39124dc 100644 > --- a/arch/powerpc/Kconfig > +++ b/arch/powerpc/Kconfig > @@ -912,6 +912,17 @@ config PPC_MEM_KEYS > > If unsure, say y. > > +config PPC_SECURE_BOOT > + prompt "Enable PowerPC Secure Boot" How about "Enable secure boot support" > + bool > + default n The default is 'n', so you don't need that default line. > + depends on PPC64 Should it just depend on POWERNV for now? AFAIK there's nothing in here that's necessarily going to be shared with the guest secure boot code is there? > + help > + Linux on POWER with firmware secure boot enabled needs to define > + security policies to extend secure boot to the OS.This config > + allows user to enable OS Secure Boot on PowerPC systems that > + have firmware secure boot support. Again POWER vs PowerPC. I think something like: "Enable support for secure boot on some systems that have firmware support for it. If in doubt say N." > diff --git a/arch/powerpc/include/asm/secboot.h b/arch/powerpc/include/asm/secboot.h secure_boot.h would be fine. > new file mode 100644 > index 000000000000..e726261bb00b > --- /dev/null > +++ b/arch/powerpc/include/asm/secboot.h > @@ -0,0 +1,27 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* > + * PowerPC secure boot definitions > + * > + * Copyright (C) 2019 IBM Corporation > + * Author: Nayna Jain I prefer to not have email addresses in copyright headers, as they just bit rot. Your email is in the git log. > + * > + */ > +#ifndef POWERPC_SECBOOT_H > +#define POWERPC_SECBOOT_H We usually do _ASM_POWERPC_SECBOOT_H (or _ASM_POWERPC_SECURE_BOOT_H). > +#ifdef CONFIG_PPC_SECURE_BOOT > +extern struct device_node *is_powerpc_secvar_supported(void); > +extern bool get_powerpc_secureboot(void); You don't need 'extern' for functions in headers. > +#else > +static inline struct device_node *is_powerpc_secvar_supported(void) > +{ > + return NULL; > +} > + > +static inline bool get_powerpc_secureboot(void) > +{ > + return false; > +} > + > +#endif > +#endif > diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile > index ea0c69236789..d310ebb4e526 100644 > --- a/arch/powerpc/kernel/Makefile > +++ b/arch/powerpc/kernel/Makefile > @@ -157,6 +157,8 @@ endif > obj-$(CONFIG_EPAPR_PARAVIRT) += epapr_paravirt.o epapr_hcalls.o > obj-$(CONFIG_KVM_GUEST) += kvm.o kvm_emul.o > > +obj-$(CONFIG_PPC_SECURE_BOOT) += secboot.o > + > # Disable GCOV, KCOV & sanitizers in odd or sensitive code > GCOV_PROFILE_prom_init.o := n > KCOV_INSTRUMENT_prom_init.o := n > diff --git a/arch/powerpc/kernel/secboot.c b/arch/powerpc/kernel/secboot.c > new file mode 100644 > index 000000000000..5ea0d52d64ef > --- /dev/null > +++ b/arch/powerpc/kernel/secboot.c > @@ -0,0 +1,71 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Copyright (C) 2019 IBM Corporation > + * Author: Nayna Jain > + * > + * secboot.c > + * - util function to get powerpc secboot state That's not really necessary. > + */ > +#include > +#include > +#include > + > +struct device_node *is_powerpc_secvar_supported(void) This is a pretty weird signature. The "is_" implies it will return a bool, but then it actually returns a device node *. > +{ > + struct device_node *np; > + int status; > + > + np = of_find_node_by_name(NULL, "ibm,secureboot"); > + if (!np) { > + pr_info("secureboot node is not found\n"); > + return NULL; > + } There's no good reason to search by name. You should just search by compatible. eg. of_find_compatible_node() > + status = of_device_is_compatible(np, "ibm,secureboot-v3"); > + if (!status) { > + pr_info("Secure variables are not supported by this firmware\n"); > + return NULL; > + } > + > + return np; > +} > + > +bool get_powerpc_secureboot(void) > +{ > + struct device_node *np; > + struct device_node *secvar_np; > + const u64 *psecboot; > + u64 secboot = 0; > + > + np = is_powerpc_secvar_supported(); > + if (!np) > + goto disabled; > + > + /* Fail-safe for any failure related to secvar */ > + secvar_np = of_get_child_by_name(np, "secvar"); Finding a child by name is not ideal, it encodes the structure of the tree in the API. It's better to just search by compatible. eg. of_find_compatible_node("ibm,secvar-v1") You should also define what that means, ie. write a little snippet of doc to define what the expected properties are and their meaning and so on. > + if (!secvar_np) { > + pr_err("Expected secure variables support, fail-safe\n"); I'm a bit confused by this. This is the exact opposite of what I understand fail-safe to mean. We shouldn't tell the user the system is securely booted unless we're 100% sure it is. Right? > + goto enabled; > + } > + > + if (!of_device_is_available(secvar_np)) { > + pr_err("Secure variables support is in error state, fail-safe\n"); > + goto enabled; > + } It seems a little weird to use the status property to indicate ok/error and then also have a "secure-mode" property. Wouldn't just "secure-mode" be sufficient with several states to represent what we need? > + psecboot = of_get_property(secvar_np, "secure-mode", NULL); > + if (!psecboot) > + goto enabled; Please use of_read_property_u64() or similar. > + secboot = be64_to_cpup((__be64 *)psecboot); > + if (!(secboot & (~0x0))) I'm not sure what that's trying to do. > + goto disabled; > + > +enabled: > + pr_info("secureboot mode enabled\n"); > + return true; > + > +disabled: > + pr_info("secureboot mode disabled\n"); > + return false; > +} cheers