From: Michael Ellerman
To: Nayna Jain , linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Benjamin Herrenschmidt , Paul Mackerras , Ard Biesheuvel , Jeremy Kerr , Matthew Garret , Mimi Zohar , Greg Kroah-Hartman , Claudio Carvalho , George Wilson , Elaine Palmer , Eric Ricther , Oliver O'Halloran , Nayna Jain
Subject: Re: [PATCH v7 1/8] powerpc: detect the secure boot mode of the system
In-Reply-To: <1570497267-13672-2-git-send-email-nayna@linux.ibm.com>
References: <1570497267-13672-1-git-send-email-nayna@linux.ibm.com> <1570497267-13672-2-git-send-email-nayna@linux.ibm.com>
Date: Tue, 15 Oct 2019 22:30:21 +1100
Message-ID: <87zhi2tfea.fsf@mpe.ellerman.id.au>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Nayna,

Just a few comments.

Nayna Jain writes:
> Secure boot on PowerNV defines different IMA policies based on the secure
> boot state of the system.

This description has got out of sync with what the patch does I think.
There's no IMA in here. I think you can just drop that sentence.

> This patch defines a function to detect the secure boot state of the
> system.

That's what the patch really does ^ - just make it clear that it's only on
powernv.

>
> The PPC_SECURE_BOOT config represents the base enablement of secureboot
> on POWER.

s/POWER/powerpc/.

>
> Signed-off-by: Nayna Jain > --- > arch/powerpc/Kconfig | 10 ++++++ > arch/powerpc/include/asm/secure_boot.h | 29 ++++++++++++++++++ > arch/powerpc/kernel/Makefile | 2 ++ > arch/powerpc/kernel/secure_boot.c | 42 ++++++++++++++++++++++++++ > 4 files changed, 83 insertions(+) > create mode 100644 arch/powerpc/include/asm/secure_boot.h > create mode 100644 arch/powerpc/kernel/secure_boot.c > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > index 3e56c9c2f16e..b4a221886fcf 100644 > --- a/arch/powerpc/Kconfig 
> +++ b/arch/powerpc/Kconfig > @@ -934,6 +934,16 @@ config PPC_MEM_KEYS > > If unsure, say y. > > +config PPC_SECURE_BOOT > + prompt "Enable secure boot support" > + bool > + depends on PPC_POWERNV > + help > + Systems with firmware secure boot enabled needs to define security ^ need > + policies to extend secure boot to the OS. This config allows user ^ a > + to enable OS secure boot on systems that have firmware support for > + it. If in doubt say N. > + > endmenu > > config ISA_DMA_API > diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h > new file mode 100644 > index 000000000000..23d2ef2f1f7b > --- /dev/null > +++ b/arch/powerpc/include/asm/secure_boot.h > @@ -0,0 +1,29 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* > + * Secure boot definitions > + * > + * Copyright (C) 2019 IBM Corporation > + * Author: Nayna Jain > + */ > +#ifndef _ASM_POWER_SECURE_BOOT_H > +#define _ASM_POWER_SECURE_BOOT_H > + > +#ifdef CONFIG_PPC_SECURE_BOOT > + > +bool is_powerpc_os_secureboot_enabled(void); > +struct device_node *get_powerpc_os_sb_node(void); This function is never used outside arch/powerpc/kernel/secure_boot.c and so doesn't need to be public. > +#else > + > +static inline bool is_powerpc_os_secureboot_enabled(void) > +{ I know there's a distinction between firmware secureboot and OS secureboot, but I don't think we need that baked into the name. So just is_ppc_secureboot_enabled() would be fine. > + return false; > +} > + > +static inline struct device_node *get_powerpc_os_sb_node(void) > +{ > + return NULL; > +} > + > +#endif > +#endif > diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile > index a7ca8fe62368..e2a54fa240ac 100644 > --- a/arch/powerpc/kernel/Makefile > +++ b/arch/powerpc/kernel/Makefile 
> @@ -161,6 +161,8 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),) > obj-y += ucall.o > endif > > +obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o > + > # Disable GCOV, KCOV & sanitizers in odd or sensitive code > GCOV_PROFILE_prom_init.o := n > KCOV_INSTRUMENT_prom_init.o := n > diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c > new file mode 100644 > index 000000000000..0488dbcab6b9 > --- /dev/null > +++ b/arch/powerpc/kernel/secure_boot.c > @@ -0,0 +1,42 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Copyright (C) 2019 IBM Corporation > + * Author: Nayna Jain > + */ > +#include > +#include > +#include > + > +struct device_node *get_powerpc_os_sb_node(void) > +{ > + return of_find_compatible_node(NULL, NULL, "ibm,secvar-v1"); > +} Given that's only used in this file, once, it should just be inlined into its caller. > + > +bool is_powerpc_os_secureboot_enabled(void) > +{ > + struct device_node *node; > + > + node = get_powerpc_os_sb_node(); > + if (!node) > + goto disabled; > + > + if (!of_device_is_available(node)) { > + pr_err("Secure variables support is in error state, fail secure\n"); > + goto enabled; > + } > + > + /* > + * secureboot is enabled if os-secure-enforcing property exists, > + * else disabled. > + */ > + if (!of_find_property(node, "os-secure-enforcing", NULL)) Using of_property_read_bool() is preferable. > + goto disabled; > + > +enabled: > + pr_info("secureboot mode enabled\n"); > + return true; > + > +disabled: > + pr_info("secureboot mode disabled\n"); > + return false; > +} You could make that tail a bit more concise by doing something like below, but up to you: bool enabled = false; ... enabled = of_property_read_bool(node, "os-secure-enforcing"); out: pr_info("secureboot mode %s\n", enabled ? "enabled" : "disabled"); return enabled; } cheers
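Review bot: In the arch/powerpc/Kconfig hunk, the split `prompt "Enable secure boot support"` / `bool` pair is the unusual form; the conventional single line `bool "Enable secure boot support"` says the same thing, and the closing `If in doubt say N.` would match the neighbouring `If unsure, say y.` better as `If unsure, say N.` (the "needs" and "allows user" grammar slips in the help text are already noted above).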
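Review bot: In the arch/powerpc/include/asm/secure_boot.h hunk, the include guard `_ASM_POWER_SECURE_BOOT_H` does not follow the `_ASM_POWERPC_..._H` naming used by the other headers under arch/powerpc/include/asm; suggest `_ASM_POWERPC_SECURE_BOOT_H` so the guard matches the file's location and cannot collide with an unrelated `POWER` header.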
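Review bot: In the arch/powerpc/kernel/secure_boot.c hunk, `is_powerpc_os_secureboot_enabled()` leaks a device-tree reference: `of_find_compatible_node()` returns the node with its refcount raised, and both the `enabled:` and `disabled:` exits return without an `of_node_put(node)`, so every call leaks one reference (the `!node` path has nothing to release). Suggest releasing it once the `os-secure-enforcing` lookup is done, e.g. right after `enabled = of_property_read_bool(node, "os-secure-enforcing");` in the shorter tail suggested above, add `of_node_put(node);` before the common `out:` exit. The three bare `#include` lines in this hunk have lost their header names in transit, so the intended headers cannot be checked from what is visible here.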