Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp1366237ybx; Tue, 5 Nov 2019 15:02:01 -0800 (PST) X-Google-Smtp-Source: APXvYqxskchNzFuWtYSayPebxVLRbkG1xtimShvS7Uu+JV/AWfM5Jc4M37IgqPlwd8HPV10carFk X-Received: by 2002:a17:906:ecf5:: with SMTP id qt21mr31557166ejb.295.1572994920982; Tue, 05 Nov 2019 15:02:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1572994920; cv=none; d=google.com; s=arc-20160816; b=HQgUe5xh7Gq67MKWRIcxHhcQMAX1VVpKkj2ay+zu8QiSSlxZIfatcV+Hoy7RQu9WuP tPbS7mZ5V/ZzVAuD8bCBANW0QIRKYpPAeUe052ByntF5hkqP+cj7ARY8k75YD9wsRKLt 96MSRMVgdqu+SeZh1uYdV6+qWyCwFwlVMj11nb8Ni5b2uoKszYC4UOmqOzsjt1lyuYYv V5bj5Vz7ua5XZ24+3IJOkDJoNl2QYvNI2uNWtHfwK6AzhsPtQdsqXLE5RAKjU0uwELlH PFnvFXTFLcUSlC4IDEjCPA96K8UcxxACz8Skra8fUqlA4TOUa5xKSLJkXjr41T35SxLA iLDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date:from :references:cc:to:subject; bh=Gkt8UlZNpE19PDwrHuvKYaQq49YlwrKcXCmnY980Jro=; b=dysyUl1fGj1jLblLGJV6VVSTH8Tx51OzIA6W/fvumFsFMD5MfC4G+f1rfhc4SSWvt/ w9rOfMF7XuAzXuKzsYNMyhuzIHsHlZTwpXUNyW0OBeeQHUNhhMjDN8Vo7DKXSxueXMwI WEXZspF/CQ4KZGHpv6htzmHMhLWr/jDgGay3mQeCC/ZWKh63fsj8193MyQXxvRRWYeaz OABwB+9cwbJSnhPtTGgrMnCgGZ8GFXAQqoC608z1KHTFA9U2Uq5ThXQwbCuTk12qliqg CVOuw+bl0RsZbYPWSlSdLryNdo7FCuuWsc/gzs7+D/qIpGpnVc0n/5GJvnp8/fGrwhPL cOag== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c44si10387430ede.398.2019.11.05.15.01.33; Tue, 05 Nov 2019 15:02:00 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387475AbfKEXAe (ORCPT + 99 others); Tue, 5 Nov 2019 18:00:34 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:48214 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387456AbfKEXAd (ORCPT ); Tue, 5 Nov 2019 18:00:33 -0500 Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id xA5MrEEa049926 for ; Tue, 5 Nov 2019 18:00:32 -0500 Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100]) by mx0a-001b2d01.pphosted.com with ESMTP id 2w3h82hx9j-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 05 Nov 2019 18:00:32 -0500 Received: from localhost by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 5 Nov 2019 23:00:30 -0000 Received: from b06avi18626390.portsmouth.uk.ibm.com (9.149.26.192) by e06smtp04.uk.ibm.com (192.168.101.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Tue, 5 Nov 2019 23:00:26 -0000 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06avi18626390.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xA5MxoHu33096076 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 5 Nov 2019 22:59:50 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2876211C052; Tue, 5 Nov 2019 23:00:25 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4423C11C054; Tue, 5 Nov 2019 23:00:23 +0000 (GMT) Received: from [9.80.236.186] (unknown [9.80.236.186]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 5 Nov 2019 23:00:23 +0000 (GMT) Subject: [PATCH v10a 1/9] powerpc: detect the secure boot mode of the system To: Mimi Zohar , linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org Cc: Nayna Jain , linux-kernel@vger.kernel.org, Michael Ellerman , Benjamin Herrenschmidt , Paul Mackerras , Ard Biesheuvel , Jeremy Kerr , "Oliver O'Halloran" References: <1572492694-6520-1-git-send-email-zohar@linux.ibm.com> <1572492694-6520-2-git-send-email-zohar@linux.ibm.com> From: Eric Richter Date: Tue, 5 Nov 2019 17:00:22 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.0 MIME-Version: 1.0 In-Reply-To: <1572492694-6520-2-git-send-email-zohar@linux.ibm.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-TM-AS-GCONF: 00 x-cbid: 19110523-0016-0000-0000-000002C10CEB X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19110523-0017-0000-0000-00003322862E Message-Id: <46b003b9-3225-6bf7-9101-ed6580bb748c@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-11-05_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-1911050187 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nayna Jain This patch defines a function to detect the secure boot state of a PowerNV system. The PPC_SECURE_BOOT config represents the base enablement of secure boot for powerpc. Signed-off-by: Nayna Jain Signed-off-by: Eric Richter --- v10a: - moved get_ppc_fw_sb_node to this patch - updated based on skiboot device tree changes - os-secure-enforcing was renamed os-secureboot-enforcing - os-secureboot-enforcing was moved to ibm,secureboot - removed now unnecessary node availibility check arch/powerpc/Kconfig | 10 ++++++++ arch/powerpc/include/asm/secure_boot.h | 23 +++++++++++++++++ arch/powerpc/kernel/Makefile | 2 ++ arch/powerpc/kernel/secure_boot.c | 34 ++++++++++++++++++++++++++ 4 files changed, 69 insertions(+) create mode 100644 arch/powerpc/include/asm/secure_boot.h create mode 100644 arch/powerpc/kernel/secure_boot.c diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 3e56c9c2f16e..56ea0019b616 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -934,6 +934,16 @@ config PPC_MEM_KEYS If unsure, say y. +config PPC_SECURE_BOOT + prompt "Enable secure boot support" + bool + depends on PPC_POWERNV + help + Systems with firmware secure boot enabled need to define security + policies to extend secure boot to the OS. This config allows a user + to enable OS secure boot on systems that have firmware support for + it. If in doubt say N. + endmenu config ISA_DMA_API diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h new file mode 100644 index 000000000000..07d0fe0ca81f --- /dev/null +++ b/arch/powerpc/include/asm/secure_boot.h @@ -0,0 +1,23 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Secure boot definitions + * + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + */ +#ifndef _ASM_POWER_SECURE_BOOT_H +#define _ASM_POWER_SECURE_BOOT_H + +#ifdef CONFIG_PPC_SECURE_BOOT + +bool is_ppc_secureboot_enabled(void); + +#else + +static inline bool is_ppc_secureboot_enabled(void) +{ + return false; +} + +#endif +#endif diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile index a7ca8fe62368..e2a54fa240ac 100644 --- a/arch/powerpc/kernel/Makefile +++ b/arch/powerpc/kernel/Makefile @@ -161,6 +161,8 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),) obj-y += ucall.o endif +obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o + # Disable GCOV, KCOV & sanitizers in odd or sensitive code GCOV_PROFILE_prom_init.o := n KCOV_INSTRUMENT_prom_init.o := n diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c new file mode 100644 index 000000000000..3f55be33f5c8 --- /dev/null +++ b/arch/powerpc/kernel/secure_boot.c @@ -0,0 +1,34 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + */ +#include +#include +#include + +static struct device_node *get_ppc_fw_sb_node(void) +{ + static const struct of_device_id ids[] = { + { .compatible = "ibm,secureboot-v1", }, + { .compatible = "ibm,secureboot-v2", }, + {}, + }; + + return of_find_matching_node(NULL, ids); +} + +bool is_ppc_secureboot_enabled(void) +{ + struct device_node *node; + bool enabled = false; + + node = get_ppc_fw_sb_node(); + enabled = of_property_read_bool(node, "os-secureboot-enforcing"); + + of_node_put(node); + + pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); + + return enabled; +} -- 2.20.1