| Message ID | 1570497267-13672-2-git-send-email-nayna@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Series | powerpc: Enabling IMA arch specific secure boot policies |
Hi Nayna, Just a few comments. Nayna Jain <nayna@linux.ibm.com> writes: > Secure boot on PowerNV defines different IMA policies based on the secure > boot state of the system. This description has got out of sync with what the patch does I think. There's no IMA in here. I think you can just drop that sentence. > This patch defines a function to detect the secure boot state of the > system. That's what the patch really does ^ - just make it clear that it's only on powernv. > > The PPC_SECURE_BOOT config represents the base enablement of secureboot > on POWER. s/POWER/powerpc/. > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> > --- > arch/powerpc/Kconfig | 10 ++++++ > arch/powerpc/include/asm/secure_boot.h | 29 ++++++++++++++++++ > arch/powerpc/kernel/Makefile | 2 ++ > arch/powerpc/kernel/secure_boot.c | 42 ++++++++++++++++++++++++++ > 4 files changed, 83 insertions(+) > create mode 100644 arch/powerpc/include/asm/secure_boot.h > create mode 100644 arch/powerpc/kernel/secure_boot.c > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > index 3e56c9c2f16e..b4a221886fcf 100644 > --- a/arch/powerpc/Kconfig > +++ b/arch/powerpc/Kconfig > @@ -934,6 +934,16 @@ config PPC_MEM_KEYS > > If unsure, say y. > > +config PPC_SECURE_BOOT > + prompt "Enable secure boot support" > + bool > + depends on PPC_POWERNV > + help > + Systems with firmware secure boot enabled needs to define security ^ need > + policies to extend secure boot to the OS. This config allows user ^ a > + to enable OS secure boot on systems that have firmware support for > + it. If in doubt say N. > + > endmenu > > config ISA_DMA_API > diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h > new file mode 100644 > index 000000000000..23d2ef2f1f7b > --- /dev/null > +++ b/arch/powerpc/include/asm/secure_boot.h 
> @@ -0,0 +1,29 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* > + * Secure boot definitions > + * > + * Copyright (C) 2019 IBM Corporation > + * Author: Nayna Jain > + */ > +#ifndef _ASM_POWER_SECURE_BOOT_H > +#define _ASM_POWER_SECURE_BOOT_H > + > +#ifdef CONFIG_PPC_SECURE_BOOT > + > +bool is_powerpc_os_secureboot_enabled(void); > +struct device_node *get_powerpc_os_sb_node(void); This function is never used outside arch/powerpc/kernel/secure_boot.c and so doesn't need to be public. > +#else > + > +static inline bool is_powerpc_os_secureboot_enabled(void) > +{ I know there's a distinction between firmware secureboot and OS secureboot, but I don't think we need that baked into the name. So just is_ppc_secureboot_enabled() would be fine. > + return false; > +} > + > +static inline struct device_node *get_powerpc_os_sb_node(void) > +{ > + return NULL; > +} > + > +#endif > +#endif > diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile > index a7ca8fe62368..e2a54fa240ac 100644 > --- a/arch/powerpc/kernel/Makefile > +++ b/arch/powerpc/kernel/Makefile > @@ -161,6 +161,8 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),) > obj-y += ucall.o > endif > > +obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o > + > # Disable GCOV, KCOV & sanitizers in odd or sensitive code > GCOV_PROFILE_prom_init.o := n > KCOV_INSTRUMENT_prom_init.o := n > diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c > new file mode 100644 > index 000000000000..0488dbcab6b9 > --- /dev/null > +++ b/arch/powerpc/kernel/secure_boot.c 
> @@ -0,0 +1,42 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Copyright (C) 2019 IBM Corporation > + * Author: Nayna Jain > + */ > +#include <linux/types.h> > +#include <linux/of.h> > +#include <asm/secure_boot.h> > + > +struct device_node *get_powerpc_os_sb_node(void) > +{ > + return of_find_compatible_node(NULL, NULL, "ibm,secvar-v1"); > +} Given that's only used in this file, once, it should just be inlined into its caller. > + > +bool is_powerpc_os_secureboot_enabled(void) > +{ > + struct device_node *node; > + > + node = get_powerpc_os_sb_node(); > + if (!node) > + goto disabled; > + > + if (!of_device_is_available(node)) { > + pr_err("Secure variables support is in error state, fail secure\n"); > + goto enabled; > + } > + > + /* > + * secureboot is enabled if os-secure-enforcing property exists, > + * else disabled. > + */ > + if (!of_find_property(node, "os-secure-enforcing", NULL)) Using of_property_read_bool() is preferable. > + goto disabled; > + > +enabled: > + pr_info("secureboot mode enabled\n"); > + return true; > + > +disabled: > + pr_info("secureboot mode disabled\n"); > + return false; > +} You could make that tail a bit more concise by doing something like below, but up to you: bool enabled = false; ... enabled = of_property_read_bool(node, "os-secure-enforcing"); out: pr_info("secureboot mode %s\n", enabled ? "enabled" : "disabled"); return enabled; } cheers
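The decision discussed in the reply above (node present, node available, `os-secure-enforcing` property present, with "not available" failing secure), redone from userspace as an added example; this is not code from the patch, the kernel, or the reviewer. It walks the device tree the kernel exports, locates the node compatible with `ibm,secvar-v1` the way `of_find_compatible_node()` does, applies the same three-way rule, and ships a constructed fixture so the three branches can be exercised on any Linux box. The `/proc/device-tree` default path, the `secvar` node name in the fixture, and the function names `ppc_secureboot_enabled()` and `build_fake_dt()` are assumptions of this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read property `name` of node directory `node` into buf; returns -1 if absent. */
static long read_prop(const char *node, const char *name, char *buf, size_t cap)
{
	char path[4096];
	snprintf(path, sizeof(path), "%s/%s", node, name);
	FILE *f = fopen(path, "rb");
	if (!f) return -1;
	size_t n = fread(buf, 1, cap - 1, f);
	buf[n] = '\0';
	fclose(f);
	return (long)n;
}

/* "compatible" is a list of NUL-terminated strings; match any entry. */
static bool compatible_matches(const char *node, const char *compat)
{
	char buf[256];
	long n = read_prop(node, "compatible", buf, sizeof(buf));
	for (long i = 0; i < n; i += strlen(buf + i) + 1)
		if (!strcmp(buf + i, compat)) return true;
	return false;
}

/* DFS for the first node compatible with `compat` (cf. of_find_compatible_node());
 * returns a malloc'd path or NULL. */
static char *find_compatible(const char *dir, const char *compat)
{
	if (compatible_matches(dir, compat)) return strdup(dir);
	DIR *d = opendir(dir);
	if (!d) return NULL;
	char *found = NULL;
	struct dirent *e;
	while (!found && (e = readdir(d)) != NULL) {
		char child[4096];
		struct stat st;
		if (e->d_name[0] == '.') continue;
		snprintf(child, sizeof(child), "%s/%s", dir, e->d_name);
		if (!lstat(child, &st) && S_ISDIR(st.st_mode)) /* lstat: never follow links */
			found = find_compatible(child, compat);
	}
	closedir(d);
	return found;
}

/* Same decision as the patch's is_powerpc_os_secureboot_enabled():
 *   no ibm,secvar-v1 node                    -> disabled
 *   node present, status set and not "okay"  -> enabled (fail secure; cf. of_device_is_available())
 *   node available                           -> enabled iff os-secure-enforcing exists */
bool ppc_secureboot_enabled(const char *dt_root)
{
	char *node = find_compatible(dt_root, "ibm,secvar-v1");
	char status[32], path[4096];
	bool enabled = false;
	if (node && read_prop(node, "status", status, sizeof(status)) >= 0 && strcmp(status, "okay")) {
		fprintf(stderr, "secvar node status is \"%s\", failing secure\n", status);
		enabled = true;
	} else if (node) {
		snprintf(path, sizeof(path), "%s/os-secure-enforcing", node);
		enabled = access(path, F_OK) == 0; /* boolean property: presence is the value */
	}
	free(node);
	return enabled;
}

/* Write one property file; DT strings keep their trailing NUL. */
static void write_prop(const char *node, const char *name, const char *v, size_t len)
{
	char path[4096];
	snprintf(path, sizeof(path), "%s/%s", node, name);
	FILE *f = fopen(path, "wb");
	if (f) { fwrite(v, 1, len, f); fclose(f); }
}

/* Constructed fixture (not a real firmware tree): a fake DT under /tmp.
 * status == NULL omits the status property, i.e. the node is available. */
char *build_fake_dt(bool with_node, const char *status, bool enforcing)
{
	char tmpl[] = "/tmp/fakedt-XXXXXX", node[4096];
	if (!mkdtemp(tmpl)) { perror("mkdtemp"); exit(1); }
	char *root = strdup(tmpl);
	if (!with_node) return root;
	snprintf(node, sizeof(node), "%s/secvar", root);
	mkdir(node, 0700);
	write_prop(node, "compatible", "ibm,secvar-v1", sizeof("ibm,secvar-v1"));
	if (status) write_prop(node, "status", status, strlen(status) + 1);
	if (enforcing) write_prop(node, "os-secure-enforcing", "", 0);
	return root;
}

int main(int argc, char **argv)
{
	bool on = ppc_secureboot_enabled(argc > 1 ? argv[1] : "/proc/device-tree"); /* path assumption */
	printf("secureboot mode %s\n", on ? "enabled" : "disabled");
	return 0;
}
```

Run it with no argument on a PowerNV host to read the live tree, or pass the directory returned by `build_fake_dt()` to see each branch; the `lstat()` check and the dot-entry skip are what keep the walk from following symlinks or looping, and the `status` comparison is deliberately one-sided so that any value other than `okay`, including a truncated or garbage one, lands on the fail-secure side.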
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 3e56c9c2f16e..b4a221886fcf 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -934,6 +934,16 @@ config PPC_MEM_KEYS If unsure, say y. +config PPC_SECURE_BOOT + prompt "Enable secure boot support" + bool + depends on PPC_POWERNV + help + Systems with firmware secure boot enabled needs to define security + policies to extend secure boot to the OS. This config allows user + to enable OS secure boot on systems that have firmware support for + it. If in doubt say N. + endmenu config ISA_DMA_API diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h new file mode 100644 index 000000000000..23d2ef2f1f7b --- /dev/null +++ b/arch/powerpc/include/asm/secure_boot.h @@ -0,0 +1,29 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Secure boot definitions + * + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + */ +#ifndef _ASM_POWER_SECURE_BOOT_H +#define _ASM_POWER_SECURE_BOOT_H + +#ifdef CONFIG_PPC_SECURE_BOOT + +bool is_powerpc_os_secureboot_enabled(void); +struct device_node *get_powerpc_os_sb_node(void); + +#else + +static inline bool is_powerpc_os_secureboot_enabled(void) +{ + return false; +} + +static inline struct device_node *get_powerpc_os_sb_node(void) +{ + return NULL; +} + +#endif +#endif diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile index a7ca8fe62368..e2a54fa240ac 100644 --- a/arch/powerpc/kernel/Makefile +++ b/arch/powerpc/kernel/Makefile @@ -161,6 +161,8 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),) obj-y += ucall.o endif +obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o + # Disable GCOV, KCOV & sanitizers in odd or sensitive code GCOV_PROFILE_prom_init.o := n KCOV_INSTRUMENT_prom_init.o := n diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c new file mode 100644 index 000000000000..0488dbcab6b9 --- /dev/null +++ b/arch/powerpc/kernel/secure_boot.c 
@@ -0,0 +1,42 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + */ +#include <linux/types.h> +#include <linux/of.h> +#include <asm/secure_boot.h> + +struct device_node *get_powerpc_os_sb_node(void) +{ + return of_find_compatible_node(NULL, NULL, "ibm,secvar-v1"); +} + +bool is_powerpc_os_secureboot_enabled(void) +{ + struct device_node *node; + + node = get_powerpc_os_sb_node(); + if (!node) + goto disabled; + + if (!of_device_is_available(node)) { + pr_err("Secure variables support is in error state, fail secure\n"); + goto enabled; + } + + /* + * secureboot is enabled if os-secure-enforcing property exists, + * else disabled. + */ + if (!of_find_property(node, "os-secure-enforcing", NULL)) + goto disabled; + +enabled: + pr_info("secureboot mode enabled\n"); + return true; + +disabled: + pr_info("secureboot mode disabled\n"); + return false; +}
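Review bot: in the Kconfig hunk, the help text has two grammar slips: "Systems with firmware secure boot enabled needs to define" should read "need to define", and "This config allows user to enable" should read "allows the user to enable". The help also promises "security policies" and "OS secure boot", but the only thing this patch hooks to the option is the state-detection function in secure_boot.c; say that selecting it enables detection of the firmware secure boot state on PowerNV, with the policies coming later in the series, so the option does not over-promise.

Review bot: in the secure_boot.h hunk, the header uses `bool` and `NULL` but includes nothing; add `#include <linux/types.h>` so it is self-contained whatever the include order. The guard `_ASM_POWER_SECURE_BOOT_H` also breaks the `_ASM_POWERPC_*_H` convention used by the other headers under arch/powerpc/include/asm; `_ASM_POWERPC_SECURE_BOOT_H` would match.

Review bot: in the secure_boot.c hunk, of_find_compatible_node() returns the node with its reference count raised and is_powerpc_os_secureboot_enabled() never drops it: every return path reached after `node = get_powerpc_os_sb_node();` succeeds needs an of_node_put(node). Second, the fail-secure rule (a node that exists but whose status is not okay is reported as enabled) lives only in the pr_err string; spell it out in the function comment and in the commit message, since the IMA policy selection this series builds on will key off this return value. Finally, with no `pr_fmt` defined, "secureboot mode enabled" reaches dmesg without any subsystem prefix; a `#define pr_fmt(fmt) "secure_boot: " fmt` above the includes would fix that.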
Secure boot on PowerNV defines different IMA policies based on the secure boot state of the system. This patch defines a function to detect the secure boot state of the system.

The PPC_SECURE_BOOT config represents the base enablement of secureboot on POWER.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 arch/powerpc/Kconfig                   | 10 ++++++
 arch/powerpc/include/asm/secure_boot.h | 29 ++++++++++++++++++
 arch/powerpc/kernel/Makefile           |  2 ++
 arch/powerpc/kernel/secure_boot.c      | 42 ++++++++++++++++++++++++++
 4 files changed, 83 insertions(+)
 create mode 100644 arch/powerpc/include/asm/secure_boot.h
 create mode 100644 arch/powerpc/kernel/secure_boot.c