[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <57dca1ea3ef66bc0935bdd1dab4536f1151f4004.camel@linux.ibm.com>
Date: Tue, 24 Jan 2023 10:14:52 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Andrew Donnellan <ajd@...ux.ibm.com>,
linuxppc-dev@...ts.ozlabs.org, linux-integrity@...r.kernel.org
Cc: gregkh@...uxfoundation.org, gcwilson@...ux.ibm.com,
linux-kernel@...r.kernel.org, nayna@...ux.ibm.com,
ruscur@...sell.cc, mpe@...erman.id.au, gjoyce@...ux.ibm.com,
sudhakar@...ux.ibm.com, bgray@...ux.ibm.com, erichte@...ux.ibm.com,
joel@....id.au
Subject: Re: [PATCH v4 24/24] integrity/powerpc: Support loading keys from
pseries secvar
On Fri, 2023-01-20 at 18:43 +1100, Andrew Donnellan wrote:
> From: Russell Currey <ruscur@...sell.cc>
>
> The secvar object format is only in the device tree under powernv.
> We now have an API call to retrieve it in a generic way, so we should
> use that instead of having to handle the DT here.
>
> Add support for pseries secvar, with the "ibm,plpks-sb-v1" format.
> The object format is expected to be the same, so there shouldn't be any
> functional differences between objects retrieved from powernv and
> pseries.
>
> Signed-off-by: Russell Currey <ruscur@...sell.cc>
> Signed-off-by: Andrew Donnellan <ajd@...ux.ibm.com>
>
> ---
>
> v3: New patch
>
> v4: Pass format buffer size (stefanb, npiggin)
> ---
> .../integrity/platform_certs/load_powerpc.c | 17 ++++++++++-------
> 1 file changed, 10 insertions(+), 7 deletions(-)
>
> diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
> index dee51606d5f4..d4ce91bf3fec 100644
> --- a/security/integrity/platform_certs/load_powerpc.c
> +++ b/security/integrity/platform_certs/load_powerpc.c
> @@ -10,7 +10,6 @@
> #include <linux/cred.h>
> #include <linux/err.h>
> #include <linux/slab.h>
> -#include <linux/of.h>
> #include <asm/secure_boot.h>
> #include <asm/secvar.h>
> #include "keyring_handler.h"
> @@ -59,16 +58,22 @@ static int __init load_powerpc_certs(void)
> void *db = NULL, *dbx = NULL;
> u64 dbsize = 0, dbxsize = 0;
> int rc = 0;
> - struct device_node *node;
> + ssize_t len;
> + char buf[32];
>
> if (!secvar_ops)
> return -ENODEV;
>
> - /* The following only applies for the edk2-compat backend. */
> - node = of_find_compatible_node(NULL, NULL, "ibm,edk2-compat-v1");
> - if (!node)
> + len = secvar_ops->format(buf, 32);
"powerpc/secvar: Handle format string in the consumer" defines
opal_secvar_format() for the object format "ibm,secvar-backend". Here
shouldn't it being returning the format for "ibm,edk2-compat-v1"?
Mimi
> + if (len <= 0)
> return -ENODEV;
>
> + // Check for known secure boot implementations from OPAL or PLPKS
> + if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf)) {
> + pr_err("Unsupported secvar implementation \"%s\", not loading certs\n", buf);
> + return -ENODEV;
> + }
> +
> /*
> * Get db, and dbx. They might not exist, so it isn't an error if we
> * can't get them.
> @@ -103,8 +108,6 @@ static int __init load_powerpc_certs(void)
> kfree(dbx);
> }
>
> - of_node_put(node);
> -
> return rc;
> }
> late_initcall(load_powerpc_certs);
Powered by blists - more mailing lists