[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87tv9usynv.fsf@mpe.ellerman.id.au>
Date: Mon, 02 Sep 2019 21:52:36 +1000
From: Michael Ellerman <mpe@...erman.id.au>
To: Nayna Jain <nayna@...ux.ibm.com>, linuxppc-dev@...abs.org,
linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: Paul Mackerras <paulus@...ba.org>,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
Jeremy Kerr <jk@...abs.org>,
Matthew Garret <matthew.garret@...ula.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
Claudio Carvalho <cclaudio@...ux.ibm.com>,
Elaine Palmer <erpalmer@...ibm.com>,
George Wilson <gcwilson@...ux.ibm.com>,
Eric Ricther <erichte@...ux.ibm.com>,
Nayna Jain <nayna@...ux.ibm.com>
Subject: Re: [PATCH v5 1/2] powerpc: detect the secure boot mode of the system
Hi Nayna,
Sorry I've taken so long to get to this series, there's just too many
patches that need reviewing :/
Nayna Jain <nayna@...ux.ibm.com> writes:
> Secure boot on POWER defines different IMA policies based on the secure
> boot state of the system.
The terminology throughout is a bit vague, we have POWER, PowerPC, Linux
on POWER etc.
What this patch is talking about is a particular implemention of secure
boot on some OpenPOWER machines running bare metal - am I right?
So saying "Secure boot on POWER defines different IMA policies" is a bit
broad I think. Really we've just decided that a way to implement secure
boot is to use IMA policies.
> This patch defines a function to detect the secure boot state of the
> system.
>
> The PPC_SECURE_BOOT config represents the base enablement of secureboot
> on POWER.
>
> Signed-off-by: Nayna Jain <nayna@...ux.ibm.com>
> ---
> arch/powerpc/Kconfig | 11 +++++
> arch/powerpc/include/asm/secboot.h | 27 ++++++++++++
> arch/powerpc/kernel/Makefile | 2 +
> arch/powerpc/kernel/secboot.c | 71 ++++++++++++++++++++++++++++++
> 4 files changed, 111 insertions(+)
> create mode 100644 arch/powerpc/include/asm/secboot.h
> create mode 100644 arch/powerpc/kernel/secboot.c
>
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> index 77f6ebf97113..c902a39124dc 100644
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -912,6 +912,17 @@ config PPC_MEM_KEYS
>
> If unsure, say y.
>
> +config PPC_SECURE_BOOT
> + prompt "Enable PowerPC Secure Boot"
How about "Enable secure boot support"
> + bool
> + default n
The default is 'n', so you don't need that default line.
> + depends on PPC64
Should it just depend on POWERNV for now? AFAIK there's nothing in here
that's necessarily going to be shared with the guest secure boot code is
there?
> + help
> + Linux on POWER with firmware secure boot enabled needs to define
> + security policies to extend secure boot to the OS.This config
> + allows user to enable OS Secure Boot on PowerPC systems that
> + have firmware secure boot support.
Again POWER vs PowerPC.
I think something like:
"Enable support for secure boot on some systems that have firmware
support for it. If in doubt say N."
> diff --git a/arch/powerpc/include/asm/secboot.h b/arch/powerpc/include/asm/secboot.h
secure_boot.h would be fine.
> new file mode 100644
> index 000000000000..e726261bb00b
> --- /dev/null
> +++ b/arch/powerpc/include/asm/secboot.h
> @@ -0,0 +1,27 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * PowerPC secure boot definitions
> + *
> + * Copyright (C) 2019 IBM Corporation
> + * Author: Nayna Jain <nayna@...ux.ibm.com>
I prefer to not have email addresses in copyright headers, as they just
bit rot. Your email is in the git log.
> + *
> + */
> +#ifndef POWERPC_SECBOOT_H
> +#define POWERPC_SECBOOT_H
We usually do _ASM_POWERPC_SECBOOT_H (or _ASM_POWERPC_SECURE_BOOT_H).
> +#ifdef CONFIG_PPC_SECURE_BOOT
> +extern struct device_node *is_powerpc_secvar_supported(void);
> +extern bool get_powerpc_secureboot(void);
You don't need 'extern' for functions in headers.
> +#else
> +static inline struct device_node *is_powerpc_secvar_supported(void)
> +{
> + return NULL;
> +}
> +
> +static inline bool get_powerpc_secureboot(void)
> +{
> + return false;
> +}
> +
> +#endif
> +#endif
> diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
> index ea0c69236789..d310ebb4e526 100644
> --- a/arch/powerpc/kernel/Makefile
> +++ b/arch/powerpc/kernel/Makefile
> @@ -157,6 +157,8 @@ endif
> obj-$(CONFIG_EPAPR_PARAVIRT) += epapr_paravirt.o epapr_hcalls.o
> obj-$(CONFIG_KVM_GUEST) += kvm.o kvm_emul.o
>
> +obj-$(CONFIG_PPC_SECURE_BOOT) += secboot.o
> +
> # Disable GCOV, KCOV & sanitizers in odd or sensitive code
> GCOV_PROFILE_prom_init.o := n
> KCOV_INSTRUMENT_prom_init.o := n
> diff --git a/arch/powerpc/kernel/secboot.c b/arch/powerpc/kernel/secboot.c
> new file mode 100644
> index 000000000000..5ea0d52d64ef
> --- /dev/null
> +++ b/arch/powerpc/kernel/secboot.c
> @@ -0,0 +1,71 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) 2019 IBM Corporation
> + * Author: Nayna Jain <nayna@...ux.ibm.com>
> + *
> + * secboot.c
> + * - util function to get powerpc secboot state
That's not really necessary.
> + */
> +#include <linux/types.h>
> +#include <linux/of.h>
> +#include <asm/secboot.h>
> +
> +struct device_node *is_powerpc_secvar_supported(void)
This is a pretty weird signature. The "is_" implies it will return a
bool, but then it actually returns a device node *.
> +{
> + struct device_node *np;
> + int status;
> +
> + np = of_find_node_by_name(NULL, "ibm,secureboot");
> + if (!np) {
> + pr_info("secureboot node is not found\n");
> + return NULL;
> + }
There's no good reason to search by name. You should just search by compatible.
eg. of_find_compatible_node()
> + status = of_device_is_compatible(np, "ibm,secureboot-v3");
> + if (!status) {
> + pr_info("Secure variables are not supported by this firmware\n");
> + return NULL;
> + }
> +
> + return np;
> +}
> +
> +bool get_powerpc_secureboot(void)
> +{
> + struct device_node *np;
> + struct device_node *secvar_np;
> + const u64 *psecboot;
> + u64 secboot = 0;
> +
> + np = is_powerpc_secvar_supported();
> + if (!np)
> + goto disabled;
> +
> + /* Fail-safe for any failure related to secvar */
> + secvar_np = of_get_child_by_name(np, "secvar");
Finding a child by name is not ideal, it encodes the structure of the
tree in the API. It's better to just search by compatible.
eg. of_find_compatible_node("ibm,secvar-v1")
You should also define what that means, ie. write a little snippet of
doc to define what the expected properties are and their meaning and so
on.
> + if (!secvar_np) {
> + pr_err("Expected secure variables support, fail-safe\n");
I'm a bit confused by this. This is the exact opposite of what I
understand fail-safe to mean. We shouldn't tell the user the system is
securely booted unless we're 100% sure it is. Right?
> + goto enabled;
> + }
> +
> + if (!of_device_is_available(secvar_np)) {
> + pr_err("Secure variables support is in error state, fail-safe\n");
> + goto enabled;
> + }
It seems a little weird to use the status property to indicate ok/error
and then also have a "secure-mode" property. Wouldn't just "secure-mode"
be sufficient with several states to represent what we need?
> + psecboot = of_get_property(secvar_np, "secure-mode", NULL);
> + if (!psecboot)
> + goto enabled;
Please use of_read_property_u64() or similar.
> + secboot = be64_to_cpup((__be64 *)psecboot);
> + if (!(secboot & (~0x0)))
I'm not sure what that's trying to do.
> + goto disabled;
> +
> +enabled:
> + pr_info("secureboot mode enabled\n");
> + return true;
> +
> +disabled:
> + pr_info("secureboot mode disabled\n");
> + return false;
> +}
cheers
Powered by blists - more mailing lists