| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Jun 2019 16:50:25 -0400
From: Nayna Jain <nayna@...ux.ibm.com>
To: linuxppc-dev@...abs.org, linux-efi@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, linux-integrity@...r.kernel.org,
Michael Ellerman <mpe@...erman.id.au>,
Paul Mackerras <paulus@...ba.org>,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
Jeremy Kerr <jk@...abs.org>,
Matthew Garret <matthew.garret@...ula.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Claudio Carvalho <cclaudio@...ux.ibm.com>,
Nayna Jain <nayna@...ux.ibm.com>,
George Wilson <gcwilson@...ux.ibm.com>,
Elaine Palmer <erpalmer@...ibm.com>,
Eric Ricther <erichte@...ux.ibm.com>
Subject: [PATCH 0/2] powerpc/powernv: expose secure variables to userspace
This patch set is part of a series that implements secure boot on PowerNV
systems[1]. The original series had been split into two patchsets:
1. powerpc: enable ima arch specific policies[2]
2. powerpc/powernv: expose secure variables to userspace, which is this
patchset.
Since there are major changes in this patchset compared to the previous
one[1], I am posting it as new series rather than v2.
As part of PowerNV secure boot support, NV OS verification keys are stored
and controlled by OPAL as secure variables. However, to allow users to
manage these keys, the secure variables need to be exposed to userspace.
OPAL provides the runtime services for the kernel to be able to access the
secure variables[3]. This patchset defines the kernel interface for the
OPAL APIs. These APIs are used by the hooks, which expose these variables
to userspace for reading/writing.
In order to reuse the existing tools, we currently use the efi hooks to
expose the secure variables via sysfs. Keeping the usability and
maintainability in mind, we are starting with this scheme as simple sysfs
implementation. We expect to refine it over time as we incorporate the
feedback.
The patchset makes substantial reuse of drivers/firmware/efi/efivars.c and
drivers/firmware/efi/vars.c, however because POWER platforms do not use
EFI, a new config, POWER_SECVAR_SYSFS, is defined to enable this sysfs
interface in POWER.
This patchset has a pre-requisiste of other OPAL APIs which are posted as
part of ima arch specific patches[2].
[1]https://patchwork.kernel.org/cover/10882149/
[2]https://lkml.org/lkml/2019/6/11/868
[3]https://patchwork.ozlabs.org/project/skiboot/list/?series=112868
Claudio Carvalho (1):
powerpc/powernv: add OPAL APIs for secure variables
Nayna Jain (1):
powerpc: expose secure variables via sysfs
arch/powerpc/Kconfig | 2 +
arch/powerpc/include/asm/opal-api.h | 3 +
arch/powerpc/include/asm/opal-secvar.h | 9 +
arch/powerpc/include/asm/opal.h | 8 +
arch/powerpc/platforms/powernv/opal-call.c | 3 +
arch/powerpc/platforms/powernv/opal-secvar.c | 60 +++-
drivers/firmware/Makefile | 1 +
drivers/firmware/efi/efivars.c | 2 +-
drivers/firmware/powerpc/Kconfig | 12 +
drivers/firmware/powerpc/Makefile | 3 +
drivers/firmware/powerpc/efi_error.c | 46 +++
drivers/firmware/powerpc/secvar.c | 326 +++++++++++++++++++
12 files changed, 473 insertions(+), 2 deletions(-)
create mode 100644 drivers/firmware/powerpc/Kconfig
create mode 100644 drivers/firmware/powerpc/Makefile
create mode 100644 drivers/firmware/powerpc/efi_error.c
create mode 100644 drivers/firmware/powerpc/secvar.c
--
2.20.1
Powered by blists - more mailing lists