Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp2639677ybg; Thu, 24 Oct 2019 12:52:04 -0700 (PDT) X-Google-Smtp-Source: APXvYqxfMBhCZC5pMxJwI4QEuLOnUWUL0fOO8NbVdBUkOq+GbH/WGSXNyjuQyngD56Kkf8d9x0jY X-Received: by 2002:a50:b558:: with SMTP id z24mr32168545edd.67.1571946724454; Thu, 24 Oct 2019 12:52:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1571946724; cv=none; d=google.com; s=arc-20160816; b=tDOWfeU04x3KAlek2PHpZc9fWsxFcxLuTCM0X/8iF2atrHXvU7QkTKA1TR/QgZG0fv OKbmxuehebCqcrQKjTMfZSp2MEcJF32sj7xn/MW9Xu2ydFiG/sR/T51httiJYNwZd/pV Cv0hFyCk7CfcZkfNDl6UCtV0hVIQ2SWnULwZSeARzkeUrsNJoHvBAxiQv10CQq+wh0ZH sJKAH1XKem4QHSv6BbnLufZtfrqsV5WOwKicELiXNdMP9odWEaMWut+D8g+hGQ/wBEf/ ST8J3V3NWhzeWDd4+qYJSa/Y1I4mvnvCQnyo22NHiajsDscMkOyDARYUvcCJ78pw14fg yKLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:subject:cc:to:from; bh=UgEF45DBJ+hMLUSg5x1VejjvQ8e+QtG+PrSkROgnwRQ=; b=zX0ln4+bQhkr97r7xEtGt3H0ItdDPA/PoeaRgR1wp+Fqf8NI28xwvmZYV4LWoBQ0kG xJ+chw1crleIEBnqkUkrnkVpVrcgbwwp390W+PwXHL7GLT4GawwvF5EKqA7V1HqjrBDv +QCcDDkw+L5J1sMjZl70qdkPCWUijslV1YUMClCJFXyqMnMAbc8iJ9zNLan7jTnK28El 6+fIODiVfj1YiR6HTL+eCEJAmNw2ZGp2cVtgm/DHdIpWhJXNbW2SxRVCIhgvAb3TYU/J uCc629NrS3V6u8qXl0me4XbY6wysr8uYIhp0RfU1WanBcvfEfJhQjEl9B0WMzCx1T3Bc 98Vw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m39si18441579edc.243.2019.10.24.12.51.40; Thu, 24 Oct 2019 12:52:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2437343AbfJXDrn (ORCPT + 99 others); Wed, 23 Oct 2019 23:47:43 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:8194 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S2437336AbfJXDrm (ORCPT ); Wed, 23 Oct 2019 23:47:42 -0400 Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x9O3l8Na003629 for ; Wed, 23 Oct 2019 23:47:41 -0400 Received: from e06smtp05.uk.ibm.com (e06smtp05.uk.ibm.com [195.75.94.101]) by mx0a-001b2d01.pphosted.com with ESMTP id 2vu13h59wq-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 23 Oct 2019 23:47:41 -0400 Received: from localhost by e06smtp05.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 24 Oct 2019 04:47:39 +0100 Received: from b06cxnps4076.portsmouth.uk.ibm.com (9.149.109.198) by e06smtp05.uk.ibm.com (192.168.101.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 24 Oct 2019 04:47:35 +0100 Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x9O3lX4q45285438 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 24 Oct 2019 03:47:34 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D1ECEAE04D; Thu, 24 Oct 2019 03:47:33 +0000 (GMT) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 12C32AE057; Thu, 24 Oct 2019 03:47:31 +0000 (GMT) Received: from localhost.localdomain (unknown [9.40.192.65]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 24 Oct 2019 03:47:30 +0000 (GMT) From: Nayna Jain To: linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Michael Ellerman , Benjamin Herrenschmidt , Paul Mackerras , Ard Biesheuvel , Jeremy Kerr , Matthew Garret , Mimi Zohar , Greg Kroah-Hartman , Claudio Carvalho , George Wilson , Elaine Palmer , Eric Ricther , "Oliver O'Halloran" , Nayna Jain , Prakhar Srivastava , Lakshmi Ramasubramanian Subject: [PATCH v9 1/8] powerpc: detect the secure boot mode of the system Date: Wed, 23 Oct 2019 22:47:10 -0500 X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191024034717.70552-1-nayna@linux.ibm.com> References: <20191024034717.70552-1-nayna@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 19102403-0020-0000-0000-0000037D8109 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19102403-0021-0000-0000-000021D3C529 Message-Id: <20191024034717.70552-2-nayna@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-10-24_02:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-1910240033 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This patch defines a function to detect the secure boot state of a PowerNV system. The PPC_SECURE_BOOT config represents the base enablement of secure boot for powerpc. Signed-off-by: Nayna Jain --- arch/powerpc/Kconfig | 10 ++++++++ arch/powerpc/include/asm/secure_boot.h | 23 ++++++++++++++++++ arch/powerpc/kernel/Makefile | 2 ++ arch/powerpc/kernel/secure_boot.c | 32 ++++++++++++++++++++++++++ 4 files changed, 67 insertions(+) create mode 100644 arch/powerpc/include/asm/secure_boot.h create mode 100644 arch/powerpc/kernel/secure_boot.c diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 3e56c9c2f16e..56ea0019b616 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -934,6 +934,16 @@ config PPC_MEM_KEYS If unsure, say y. +config PPC_SECURE_BOOT + prompt "Enable secure boot support" + bool + depends on PPC_POWERNV + help + Systems with firmware secure boot enabled need to define security + policies to extend secure boot to the OS. This config allows a user + to enable OS secure boot on systems that have firmware support for + it. If in doubt say N. + endmenu config ISA_DMA_API diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h new file mode 100644 index 000000000000..07d0fe0ca81f --- /dev/null +++ b/arch/powerpc/include/asm/secure_boot.h @@ -0,0 +1,23 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Secure boot definitions + * + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + */ +#ifndef _ASM_POWER_SECURE_BOOT_H +#define _ASM_POWER_SECURE_BOOT_H + +#ifdef CONFIG_PPC_SECURE_BOOT + +bool is_ppc_secureboot_enabled(void); + +#else + +static inline bool is_ppc_secureboot_enabled(void) +{ + return false; +} + +#endif +#endif diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile index a7ca8fe62368..e2a54fa240ac 100644 --- a/arch/powerpc/kernel/Makefile +++ b/arch/powerpc/kernel/Makefile @@ -161,6 +161,8 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),) obj-y += ucall.o endif +obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o + # Disable GCOV, KCOV & sanitizers in odd or sensitive code GCOV_PROFILE_prom_init.o := n KCOV_INSTRUMENT_prom_init.o := n diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c new file mode 100644 index 000000000000..63dc82c50862 --- /dev/null +++ b/arch/powerpc/kernel/secure_boot.c @@ -0,0 +1,32 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + */ +#include +#include +#include + +bool is_ppc_secureboot_enabled(void) +{ + struct device_node *node; + bool enabled = false; + + node = of_find_compatible_node(NULL, NULL, "ibm,secvar-v1"); + if (!of_device_is_available(node)) { + pr_err("Cannot find secure variable node in device tree; failing to secure state\n"); + goto out; + } + + /* + * secureboot is enabled if os-secure-enforcing property exists, + * else disabled. + */ + enabled = of_property_read_bool(node, "os-secure-enforcing"); + +out: + of_node_put(node); + + pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); + return enabled; +} -- 2.20.1