| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 19 Oct 2019 14:06:12 -0400
From: Nayna Jain <nayna@...ux.ibm.com>
To: linuxppc-dev@...abs.org, linux-efi@...r.kernel.org,
linux-integrity@...r.kernel.org
Cc: linux-kernel@...r.kernel.org,
Michael Ellerman <mpe@...erman.id.au>,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Paul Mackerras <paulus@...ba.org>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
Jeremy Kerr <jk@...abs.org>,
Matthew Garret <matthew.garret@...ula.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Claudio Carvalho <cclaudio@...ux.ibm.com>,
George Wilson <gcwilson@...ux.ibm.com>,
Elaine Palmer <erpalmer@...ibm.com>,
Eric Ricther <erichte@...ux.ibm.com>,
"Oliver O'Halloran" <oohall@...il.com>,
Nayna Jain <nayna@...ux.ibm.com>,
Prakhar Srivastava <prsriva02@...il.com>,
Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
Subject: [PATCH v8 3/8] powerpc: detect the trusted boot state of the system
While secure boot permits only properly verified signed kernels to be
booted, trusted boot takes a measurement of the kernel image prior to
boot that can be subsequently compared against good known values via
attestation services.
This patch reads the trusted boot state of a PowerNV system. The state
is used to conditionally enable additional measurement rules in the IMA
arch-specific policies.
Signed-off-by: Nayna Jain <nayna@...ux.ibm.com>
---
arch/powerpc/include/asm/secure_boot.h | 6 ++++++
arch/powerpc/kernel/secure_boot.c | 24 ++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h
index 07d0fe0ca81f..a2ff556916c6 100644
--- a/arch/powerpc/include/asm/secure_boot.h
+++ b/arch/powerpc/include/asm/secure_boot.h
@@ -11,6 +11,7 @@
#ifdef CONFIG_PPC_SECURE_BOOT
bool is_ppc_secureboot_enabled(void);
+bool is_ppc_trustedboot_enabled(void);
#else
@@ -19,5 +20,10 @@ static inline bool is_ppc_secureboot_enabled(void)
return false;
}
+static inline bool is_ppc_trustedboot_enabled(void)
+{
+ return false;
+}
+
#endif
#endif
diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
index 99bba7915629..9753470ab08a 100644
--- a/arch/powerpc/kernel/secure_boot.c
+++ b/arch/powerpc/kernel/secure_boot.c
@@ -7,6 +7,17 @@
#include <linux/of.h>
#include <asm/secure_boot.h>
+static struct device_node *get_ppc_fw_sb_node(void)
+{
+ static const struct of_device_id ids[] = {
+ { .compatible = "ibm,secureboot-v1", },
+ { .compatible = "ibm,secureboot-v2", },
+ {},
+ };
+
+ return of_find_matching_node(NULL, ids);
+}
+
bool is_ppc_secureboot_enabled(void)
{
struct device_node *node;
@@ -28,3 +39,16 @@ bool is_ppc_secureboot_enabled(void)
pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled");
return enabled;
}
+
+bool is_ppc_trustedboot_enabled(void)
+{
+ struct device_node *node;
+ bool enabled = false;
+
+ node = get_ppc_fw_sb_node();
+ enabled = of_property_read_bool(node, "trusted-enabled");
+
+ pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled");
+
+ return enabled;
+}
--
2.20.1
Powered by blists - more mailing lists