ccadf154cb
The pseries platform can support dynamic secure boot (i.e. secure boot using user-defined keys) using variables contained with the PowerVM LPAR Platform KeyStore (PLPKS). Using the powerpc secvar API, expose the relevant variables for pseries dynamic secure boot through the existing secvar filesystem layout. The relevant variables for dynamic secure boot are signed in the keystore, and can only be modified using the H_PKS_SIGNED_UPDATE hcall. Object labels in the keystore are encoded using ucs2 format. With our fixed variable names we don't have to care about encoding outside of the necessary byte padding. When a user writes to a variable, the first 8 bytes of data must contain the signed update flags as defined by the hypervisor. When a user reads a variable, the first 4 bytes of data contain the policies defined for the object. Limitations exist due to the underlying implementation of sysfs binary attributes, as is the case for the OPAL secvar implementation - partial writes are unsupported and writes cannot be larger than PAGE_SIZE. (Even when using bin_attributes, which can be larger than a single page, sysfs only gives us one page's worth of write buffer at a time, and the hypervisor does not expose an interface for partial writes.) Co-developed-by: Nayna Jain <nayna@linux.ibm.com> Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Co-developed-by: Andrew Donnellan <ajd@linux.ibm.com> Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com> Signed-off-by: Russell Currey <ruscur@russell.cc> [mpe: Add NLS dependency to fix build errors, squash fix from ajd] Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20230210080401.345462-25-ajd@linux.ibm.com
4.6 KiB
What: /sys/firmware/secvar Date: August 2019 Contact: Nayna Jain nayna@linux.ibm.com Description: This directory is created if the POWER firmware supports OS secureboot, thereby secure variables. It exposes interface for reading/writing the secure variables
What: /sys/firmware/secvar/vars Date: August 2019 Contact: Nayna Jain nayna@linux.ibm.com Description: This directory lists all the secure variables that are supported by the firmware.
What: /sys/firmware/secvar/format Date: August 2019 Contact: Nayna Jain nayna@linux.ibm.com Description: A string indicating which backend is in use by the firmware. This determines the format of the variable and the accepted format of variable updates.
On powernv/OPAL, this value is provided by the OPAL firmware
and is expected to be "ibm,edk2-compat-v1".
On pseries/PLPKS, this is generated by the kernel based on the
version number in the SB_VERSION variable in the keystore, and
has the form "ibm,plpks-sb-v<version>", or
"ibm,plpks-sb-unknown" if there is no SB_VERSION variable.
What: /sys/firmware/secvar/vars/ Date: August 2019 Contact: Nayna Jain nayna@linux.ibm.com Description: Each secure variable is represented as a directory named as <variable_name>. The variable name is unique and is in ASCII representation. The data and size can be determined by reading their respective attribute files.
What: /sys/firmware/secvar/vars/<variable_name>/size Date: August 2019 Contact: Nayna Jain nayna@linux.ibm.com Description: An integer representation of the size of the content of the variable. In other words, it represents the size of the data.
What: /sys/firmware/secvar/vars/<variable_name>/data Date: August 2019 Contact: Nayna Jain nayna@linux.ibm.com Description: A read-only file containing the value of the variable. The size of the file represents the maximum size of the variable data.
What: /sys/firmware/secvar/vars/<variable_name>/update Date: August 2019 Contact: Nayna Jain nayna@linux.ibm.com Description: A write-only file that is used to submit the new value for the variable. The size of the file represents the maximum size of the variable data that can be written.
What: /sys/firmware/secvar/config Date: February 2023 Contact: Nayna Jain nayna@linux.ibm.com Description: This optional directory contains read-only config attributes as defined by the secure variable implementation. All data is in ASCII format. The directory is only created if the backing implementation provides variables to populate it, which at present is only PLPKS on the pseries platform.
What: /sys/firmware/secvar/config/version Date: February 2023 Contact: Nayna Jain nayna@linux.ibm.com Description: Config version as reported by the hypervisor in ASCII decimal format.
Currently only provided by PLPKS on the pseries platform.
What: /sys/firmware/secvar/config/max_object_size Date: February 2023 Contact: Nayna Jain nayna@linux.ibm.com Description: Maximum allowed size of objects in the keystore in bytes, represented in ASCII decimal format.
This is not necessarily the same as the max size that can be
written to an update file as writes can contain more than
object data, you should use the size of the update file for
that purpose.
Currently only provided by PLPKS on the pseries platform.
What: /sys/firmware/secvar/config/total_size Date: February 2023 Contact: Nayna Jain nayna@linux.ibm.com Description: Total size of the PLPKS in bytes, represented in ASCII decimal format.
Currently only provided by PLPKS on the pseries platform.
What: /sys/firmware/secvar/config/used_space Date: February 2023 Contact: Nayna Jain nayna@linux.ibm.com Description: Current space consumed by the key store, in bytes, represented in ASCII decimal format.
Currently only provided by PLPKS on the pseries platform.
What: /sys/firmware/secvar/config/supported_policies Date: February 2023 Contact: Nayna Jain nayna@linux.ibm.com Description: Bitmask of supported policy flags by the hypervisor, represented as an 8 byte hexadecimal ASCII string. Consult the hypervisor documentation for what these flags are.
Currently only provided by PLPKS on the pseries platform.
What: /sys/firmware/secvar/config/signed_update_algorithms Date: February 2023 Contact: Nayna Jain nayna@linux.ibm.com Description: Bitmask of flags indicating which algorithms the hypervisor supports for signed update of objects, represented as a 16 byte hexadecimal ASCII string. Consult the hypervisor documentation for what these flags mean.
Currently only provided by PLPKS on the pseries platform.