lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610211907.101384-3-ssrish@linux.ibm.com> Date: Wed, 11 Jun 2025 02:49:06 +0530 From: Srish Srinivasan <ssrish@...ux.ibm.com> To: linux-integrity@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org Cc: maddy@...ux.ibm.com, mpe@...erman.id.au, npiggin@...il.com, christophe.leroy@...roup.eu, naveen@...nel.org, ajd@...ux.ibm.com, zohar@...ux.ibm.com, nayna@...ux.ibm.com, rnsastry@...ux.ibm.com, msuchanek@...e.de, linux-kernel@...r.kernel.org Subject: [PATCH v4 2/3] powerpc/secvar: Expose secvars relevant to the key management mode The PLPKS enabled PowerVM LPAR sysfs exposes all of the secure boot secvars irrespective of the key management mode. The PowerVM LPAR supports static and dynamic key management for secure boot. The key management option can be updated in the management console. The secvars PK, trustedcadb, and moduledb can be consumed both in the static and dynamic key management modes for the loading of signed third-party kernel modules. However, other secvars i.e. KEK, grubdb, grubdbx, sbat, db and dbx, which are used to verify the grub and kernel images, are consumed only in the dynamic key management mode. Expose only PK, trustedcadb, and moduledb in the static key management mode. Co-developed-by: Souradeep <soura@...p.linux.ibm.com> Signed-off-by: Souradeep <soura@...p.linux.ibm.com> Signed-off-by: Srish Srinivasan <ssrish@...ux.ibm.com> Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com> Reviewed-by: Stefan Berger <stefanb@...ux.ibm.com> Reviewed-by: Nayna Jain <nayna@...ux.ibm.com> Reviewed-by: Andrew Donnellan <ajd@...ux.ibm.com> --- Documentation/ABI/testing/sysfs-secvar | 7 +++++ arch/powerpc/platforms/pseries/plpks-secvar.c | 28 ++++++++++++++++--- 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/Documentation/ABI/testing/sysfs-secvar b/Documentation/ABI/testing/sysfs-secvar index f001a4f4bd2e..1016967a730f 100644 --- a/Documentation/ABI/testing/sysfs-secvar +++ b/Documentation/ABI/testing/sysfs-secvar @@ -38,6 +38,13 @@ Description: Each secure variable is represented as a directory named as representation. The data and size can be determined by reading their respective attribute files. + Only secvars relevant to the key management mode are exposed. + Only in the dynamic key management mode should the user have + access (read and write) to the secure boot secvars db, dbx, + grubdb, grubdbx, and sbat. These secvars are not consumed in the + static key management mode. PK, trustedcadb and moduledb are the + secvars common to both static and dynamic key management modes. + What: /sys/firmware/secvar/vars/<variable_name>/size Date: August 2019 Contact: Nayna Jain <nayna@...ux.ibm.com> diff --git a/arch/powerpc/platforms/pseries/plpks-secvar.c b/arch/powerpc/platforms/pseries/plpks-secvar.c index 767e5e8c6990..f9e9cc40c9d0 100644 --- a/arch/powerpc/platforms/pseries/plpks-secvar.c +++ b/arch/powerpc/platforms/pseries/plpks-secvar.c @@ -59,7 +59,14 @@ static u32 get_policy(const char *name) return PLPKS_SIGNEDUPDATE; } -static const char * const plpks_var_names[] = { +static const char * const plpks_var_names_static[] = { + "PK", + "moduledb", + "trustedcadb", + NULL, +}; + +static const char * const plpks_var_names_dynamic[] = { "PK", "KEK", "db", @@ -213,21 +220,34 @@ static int plpks_max_size(u64 *max_size) return 0; } +static const struct secvar_operations plpks_secvar_ops_static = { + .get = plpks_get_variable, + .set = plpks_set_variable, + .format = plpks_secvar_format, + .max_size = plpks_max_size, + .config_attrs = config_attrs, + .var_names = plpks_var_names_static, +}; -static const struct secvar_operations plpks_secvar_ops = { +static const struct secvar_operations plpks_secvar_ops_dynamic = { .get = plpks_get_variable, .set = plpks_set_variable, .format = plpks_secvar_format, .max_size = plpks_max_size, .config_attrs = config_attrs, - .var_names = plpks_var_names, + .var_names = plpks_var_names_dynamic, }; static int plpks_secvar_init(void) { + u8 mode; + if (!plpks_is_available()) return -ENODEV; - return set_secvar_ops(&plpks_secvar_ops); + mode = plpks_get_sb_keymgmt_mode(); + if (mode) + return set_secvar_ops(&plpks_secvar_ops_dynamic); + return set_secvar_ops(&plpks_secvar_ops_static); } machine_device_initcall(pseries, plpks_secvar_init); -- 2.47.1
Powered by blists - more mailing lists