| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1594813921-12425-1-git-send-email-nayna@linux.ibm.com>
Date: Wed, 15 Jul 2020 07:52:01 -0400
From: Nayna Jain <nayna@...ux.ibm.com>
To: linuxppc-dev@...abs.org
Cc: Michael Ellerman <mpe@...erman.id.au>,
Mimi Zohar <zohar@...ux.ibm.com>,
Daniel Axtens <dja@...ens.net>, linux-kernel@...r.kernel.org,
Nayna Jain <nayna@...ux.ibm.com>
Subject: [PATCH v3] powerpc/pseries: detect secure and trusted boot state of the system.
The device-tree property to check secure and trusted boot state is
different for guests(pseries) compared to baremetal(powernv).
This patch updates the existing is_ppc_secureboot_enabled() and
is_ppc_trustedboot_enabled() functions to add support for pseries.
The secureboot and trustedboot state are exposed via device-tree property:
/proc/device-tree/ibm,secure-boot and /proc/device-tree/ibm,trusted-boot
The values of ibm,secure-boot under pseries are interpreted as:
0 - Disabled
1 - Enabled in Log-only mode. This patch interprets this value as
disabled, since audit mode is currently not supported for Linux.
2 - Enabled and enforced.
3-9 - Enabled and enforcing; requirements are at the discretion of the
operating system.
The values of ibm,trusted-boot under pseries are interpreted as:
0 - Disabled
1 - Enabled
Signed-off-by: Nayna Jain <nayna@...ux.ibm.com>
Reviewed-by: Daniel Axtens <dja@...ens.net>
---
v3:
* fixed double check. Thanks Daniel for noticing it.
* updated patch description.
v2:
* included Michael Ellerman's feedback.
* added Daniel Axtens's Reviewed-by.
arch/powerpc/kernel/secure_boot.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
index 4b982324d368..118bcb5f79c4 100644
--- a/arch/powerpc/kernel/secure_boot.c
+++ b/arch/powerpc/kernel/secure_boot.c
@@ -6,6 +6,7 @@
#include <linux/types.h>
#include <linux/of.h>
#include <asm/secure_boot.h>
+#include <asm/machdep.h>
static struct device_node *get_ppc_fw_sb_node(void)
{
@@ -23,12 +24,19 @@ bool is_ppc_secureboot_enabled(void)
{
struct device_node *node;
bool enabled = false;
+ u32 secureboot;
node = get_ppc_fw_sb_node();
enabled = of_property_read_bool(node, "os-secureboot-enforcing");
-
of_node_put(node);
+ if (enabled)
+ goto out;
+
+ if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot))
+ enabled = (secureboot > 1);
+
+out:
pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled");
return enabled;
@@ -38,12 +46,19 @@ bool is_ppc_trustedboot_enabled(void)
{
struct device_node *node;
bool enabled = false;
+ u32 trustedboot;
node = get_ppc_fw_sb_node();
enabled = of_property_read_bool(node, "trusted-enabled");
-
of_node_put(node);
+ if (enabled)
+ goto out;
+
+ if (!of_property_read_u32(of_root, "ibm,trusted-boot", &trustedboot))
+ enabled = (trustedboot > 0);
+
+out:
pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled");
return enabled;
--
2.26.2
Powered by blists - more mailing lists