lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6e2267c6-fdd9-b017-ed94-3dc9a8878a29@linux.ibm.com>
Date:   Tue, 31 Jan 2023 11:40:56 -0500
From:   Stefan Berger <stefanb@...ux.ibm.com>
To:     Andrew Donnellan <ajd@...ux.ibm.com>,
        linuxppc-dev@...ts.ozlabs.org, linux-integrity@...r.kernel.org
Cc:     ruscur@...sell.cc, bgray@...ux.ibm.com, nayna@...ux.ibm.com,
        gcwilson@...ux.ibm.com, gjoyce@...ux.ibm.com, brking@...ux.ibm.com,
        sudhakar@...ux.ibm.com, erichte@...ux.ibm.com,
        gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
        zohar@...ux.ibm.com, joel@....id.au, npiggin@...il.com
Subject: Re: [PATCH v5 20/25] powerpc/pseries: Turn PSERIES_PLPKS into a
 hidden option



On 1/31/23 01:39, Andrew Donnellan wrote:
> It seems a bit unnecessary for the PLPKS code to have a user-visible
> config option when it doesn't do anything on its own, and there's existing
> options for enabling Secure Boot-related features.
> 
> It should be enabled by PPC_SECURE_BOOT, which will eventually be what
> uses PLPKS to populate keyrings.
> 
> However, we can't get of the separate option completely, because it will
> also be used for SED Opal purposes.
> 
> Change PSERIES_PLPKS into a hidden option, which is selected by
> PPC_SECURE_BOOT.
> 
> Signed-off-by: Andrew Donnellan <ajd@...ux.ibm.com>
> Signed-off-by: Russell Currey <ruscur@...sell.cc>

Reviewed-by: Stefan Berger <stefanb@...ux.ibm.com>

> 
> ---
> 
> v3: New patch
> 
> v5: Change the previous description into a comment (npiggin)
> ---
>   arch/powerpc/Kconfig                   |  1 +
>   arch/powerpc/platforms/pseries/Kconfig | 19 +++++++++----------
>   2 files changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> index b8c4ac56bddc..d4ed46101bec 100644
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -1029,6 +1029,7 @@ config PPC_SECURE_BOOT
>   	depends on PPC_POWERNV || PPC_PSERIES
>   	depends on IMA_ARCH_POLICY
>   	imply IMA_SECURE_AND_OR_TRUSTED_BOOT
> +	select PSERIES_PLPKS if PPC_PSERIES
>   	help
>   	  Systems with firmware secure boot enabled need to define security
>   	  policies to extend secure boot to the OS. This config allows a user
> diff --git a/arch/powerpc/platforms/pseries/Kconfig b/arch/powerpc/platforms/pseries/Kconfig
> index a3b4d99567cb..e51d65969318 100644
> --- a/arch/powerpc/platforms/pseries/Kconfig
> +++ b/arch/powerpc/platforms/pseries/Kconfig
> @@ -151,16 +151,15 @@ config IBMEBUS
>   
>   config PSERIES_PLPKS
>   	depends on PPC_PSERIES
> -	bool "Support for the Platform Key Storage"
> -	help
> -	  PowerVM provides an isolated Platform Keystore(PKS) storage
> -	  allocation for each LPAR with individually managed access
> -	  controls to store sensitive information securely. It can be
> -	  used to store asymmetric public keys or secrets as required
> -	  by different usecases. Select this config to enable
> -	  operating system interface to hypervisor to access this space.
> -
> -	  If unsure, select N.
> +	bool
> +	# PowerVM provides an isolated Platform Keystore (PKS) storage
> +	# allocation for each LPAR with individually managed access
> +	# controls to store sensitive information securely. It can be
> +	# used to store asymmetric public keys or secrets as required
> +	# by different usecases.
> +	#
> +	# This option is selected by in-kernel consumers that require
> +	# access to the PKS.
>   
>   config PAPR_SCM
>   	depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ