Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1042849ybh; Thu, 16 Jul 2020 01:16:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJygTU4QZPtKXxR2JfV26pNyl4vtn83XUYcdWijvcp4w5zfdIG4C5gP048hl8aOh0IMLdaoB X-Received: by 2002:a50:d9cb:: with SMTP id x11mr3213609edj.93.1594887384949; Thu, 16 Jul 2020 01:16:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594887384; cv=none; d=google.com; s=arc-20160816; b=dEmj9a9by1AlQKOjXEzdzVj8u0i5QlQvuf/t5ST3jPucvflGA/nNIu+oXbdj0fmllQ MiZSf/wPehnT18qctSjMiEVCEVjMBttbHR+vs4EXMnB1tXjci/EijkhIqk2ZS9+OTC/P HmgN1yxqT2yX7nd0DWcliZdSz8PxsHYBXRyRTpZyQP7pDsgOIpX7xs+yMz/R4aLsnHy4 /T4/PCemZQyjbzTsTS7JPgUKCej8z8WgW3Cd5O+MBRHakmi+lnWgehJ6daoz5jSz/Ma+ ZgKJ7RvJJDcZRk2LewKL6YekwVRue2WaOZytVRBZaThhrS94RhRlLb1nF87cqRo8BKPb BZ4A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=ET1b7nRqmO+dvmzxMzqFPs87HEl4h78yi28+0O1nMXg=; b=AwbL7GVNWM9/afMTMlMx1CMRWgl8zLdLCGmMWY4d56oO3xScNIFCMpcq12+sHNo05P zm19+CI36mTFNFJkHojpJcYX88Gv84iucEFZ6+UMIMh9wPPzDd6ostuy6YPuwXDx921Y O2LJbIq35QdaIOUsboe3N9JTCoQyJgZFcNFRwgijw5jpwx2dOMNPUfhl8R5xo4PKiyXI P6G69kTNGZv2KcEKbK5BpcDdY81EdavEQwOmhNEYK7ZIta4+usAUqQBfq2eb0wEwKqP+ idzLdea5hXdh0k7twF4tl3K8llDxUdIyNT17W+1T2add21G+RcpkgezudQyD5Gz0tL+e Y7HQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v13si2377605ejw.696.2020.07.16.01.16.02; Thu, 16 Jul 2020 01:16:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726851AbgGPINl (ORCPT + 99 others); Thu, 16 Jul 2020 04:13:41 -0400 Received: from mx2.suse.de ([195.135.220.15]:60846 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725831AbgGPINk (ORCPT ); Thu, 16 Jul 2020 04:13:40 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id E1DE5B781; Thu, 16 Jul 2020 08:13:42 +0000 (UTC) Date: Thu, 16 Jul 2020 10:13:38 +0200 From: Michal =?iso-8859-1?Q?Such=E1nek?= To: Nayna Jain Cc: linuxppc-dev@ozlabs.org, linux-kernel@vger.kernel.org, Mimi Zohar , Daniel Axtens Subject: Re: [PATCH v3] powerpc/pseries: detect secure and trusted boot state of the system. Message-ID: <20200716081337.GB32107@kitsune.suse.cz> References: <1594813921-12425-1-git-send-email-nayna@linux.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1594813921-12425-1-git-send-email-nayna@linux.ibm.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 15, 2020 at 07:52:01AM -0400, Nayna Jain wrote: > The device-tree property to check secure and trusted boot state is > different for guests(pseries) compared to baremetal(powernv). > > This patch updates the existing is_ppc_secureboot_enabled() and > is_ppc_trustedboot_enabled() functions to add support for pseries. > > The secureboot and trustedboot state are exposed via device-tree property: > /proc/device-tree/ibm,secure-boot and /proc/device-tree/ibm,trusted-boot > > The values of ibm,secure-boot under pseries are interpreted as: ^^^ > > 0 - Disabled > 1 - Enabled in Log-only mode. This patch interprets this value as > disabled, since audit mode is currently not supported for Linux. > 2 - Enabled and enforced. > 3-9 - Enabled and enforcing; requirements are at the discretion of the > operating system. > > The values of ibm,trusted-boot under pseries are interpreted as: ^^^ These two should be different I suppose? Thanks Michal > 0 - Disabled > 1 - Enabled > > Signed-off-by: Nayna Jain > Reviewed-by: Daniel Axtens > --- > v3: > * fixed double check. Thanks Daniel for noticing it. > * updated patch description. > > v2: > * included Michael Ellerman's feedback. > * added Daniel Axtens's Reviewed-by. > > arch/powerpc/kernel/secure_boot.c | 19 +++++++++++++++++-- > 1 file changed, 17 insertions(+), 2 deletions(-) > > diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c > index 4b982324d368..118bcb5f79c4 100644 > --- a/arch/powerpc/kernel/secure_boot.c > +++ b/arch/powerpc/kernel/secure_boot.c > @@ -6,6 +6,7 @@ > #include > #include > #include > +#include > > static struct device_node *get_ppc_fw_sb_node(void) > { > @@ -23,12 +24,19 @@ bool is_ppc_secureboot_enabled(void) > { > struct device_node *node; > bool enabled = false; > + u32 secureboot; > > node = get_ppc_fw_sb_node(); > enabled = of_property_read_bool(node, "os-secureboot-enforcing"); > - > of_node_put(node); > > + if (enabled) > + goto out; > + > + if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) > + enabled = (secureboot > 1); > + > +out: > pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); > > return enabled; > @@ -38,12 +46,19 @@ bool is_ppc_trustedboot_enabled(void) > { > struct device_node *node; > bool enabled = false; > + u32 trustedboot; > > node = get_ppc_fw_sb_node(); > enabled = of_property_read_bool(node, "trusted-enabled"); > - > of_node_put(node); > > + if (enabled) > + goto out; > + > + if (!of_property_read_u32(of_root, "ibm,trusted-boot", &trustedboot)) > + enabled = (trustedboot > 0); > + > +out: > pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled"); > > return enabled; > -- > 2.26.2 >