From: Eric Richter <erichte@linux.ibm.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: Nayna Jain <nayna@linux.ibm.com>,
linux-kernel@vger.kernel.org,
Michael Ellerman <mpe@ellerman.id.au>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Jeremy Kerr <jk@ozlabs.org>,
"Oliver O'Halloran" <oohall@gmail.com>
Subject: [PATCH v10a 3/9] powerpc: detect the trusted boot state of the system
Date: Tue, 5 Nov 2019 17:02:07 -0600 [thread overview]
Message-ID: <e9eeee6b-b9bf-1e41-2954-61dbd6fbfbcf@linux.ibm.com> (raw)
In-Reply-To: <1572492694-6520-4-git-send-email-zohar@linux.ibm.com>
From: Nayna Jain <nayna@linux.ibm.com>
While secure boot permits only properly verified signed kernels to be
booted, trusted boot calculates the file hash of the kernel image and
stores the measurement prior to boot, that can be subsequently compared
against good known values via attestation services.
This patch reads the trusted boot state of a PowerNV system. The state
is used to conditionally enable additional measurement rules in the IMA
arch-specific policies.
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
---
v10a:
- moved get_ppc_fw_sb_node to patch 1 in the series
arch/powerpc/include/asm/secure_boot.h | 6 ++++++
arch/powerpc/kernel/secure_boot.c | 15 +++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h
index 07d0fe0ca81f..a2ff556916c6 100644
--- a/arch/powerpc/include/asm/secure_boot.h
+++ b/arch/powerpc/include/asm/secure_boot.h
@@ -11,6 +11,7 @@
#ifdef CONFIG_PPC_SECURE_BOOT
bool is_ppc_secureboot_enabled(void);
+bool is_ppc_trustedboot_enabled(void);
#else
@@ -19,5 +20,10 @@ static inline bool is_ppc_secureboot_enabled(void)
return false;
}
+static inline bool is_ppc_trustedboot_enabled(void)
+{
+ return false;
+}
+
#endif
#endif
diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
index 3f55be33f5c8..95d2ff086e55 100644
--- a/arch/powerpc/kernel/secure_boot.c
+++ b/arch/powerpc/kernel/secure_boot.c
@@ -32,3 +32,18 @@ bool is_ppc_secureboot_enabled(void)
return enabled;
}
+
+bool is_ppc_trustedboot_enabled(void)
+{
+ struct device_node *node;
+ bool enabled = false;
+
+ node = get_ppc_fw_sb_node();
+ enabled = of_property_read_bool(node, "trusted-enabled");
+
+ of_node_put(node);
+
+ pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled");
+
+ return enabled;
+}
--
2.20.1
next prev parent reply other threads:[~2019-11-05 23:02 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-31 3:31 [PATCH v10 0/9] powerpc: Enabling IMA arch specific secure boot policies Mimi Zohar
2019-10-31 3:31 ` [PATCH v10 1/9] powerpc: detect the secure boot mode of the system Mimi Zohar
2019-11-05 5:14 ` Eric Richter
2019-11-05 23:00 ` [PATCH v10a " Eric Richter
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 2/9] powerpc/ima: add support to initialize ima policy rules Mimi Zohar
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 3/9] powerpc: detect the trusted boot state of the system Mimi Zohar
2019-11-05 23:02 ` Eric Richter [this message]
2019-11-14 9:08 ` [PATCH v10a " Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 4/9] powerpc/ima: define trusted boot policy Mimi Zohar
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 5/9] ima: make process_buffer_measurement() generic Mimi Zohar
2019-10-31 17:02 ` Lakshmi Ramasubramanian
2019-10-31 17:22 ` Lakshmi Ramasubramanian
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 6/9] certs: add wrapper function to check blacklisted binary hash Mimi Zohar
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 7/9] ima: check against blacklisted hashes for files with modsig Mimi Zohar
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [PATCH v10 8/9] powerpc/ima: update ima arch policy to check for blacklist Mimi Zohar
2019-11-14 9:08 ` Michael Ellerman
2019-10-31 3:31 ` [RFC PATCH v10 9/9] powerpc/ima: indicate kernel modules appended signatures are enforced Mimi Zohar
2019-11-14 9:08 ` Michael Ellerman
2019-12-09 20:27 ` [PATCH v10 0/9] powerpc: Enabling IMA arch specific secure boot policies Lakshmi Ramasubramanian
2019-12-09 21:36 ` Mimi Zohar
[not found] ` <3322befc-d1b9-41cf-aabf-0259fe3adb2b@linux.microsoft.com>
2019-12-09 23:33 ` Verified the key measurement patches in v5.5-rc1 Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e9eeee6b-b9bf-1e41-2954-61dbd6fbfbcf@linux.ibm.com \
--to=erichte@linux.ibm.com \
--cc=ard.biesheuvel@linaro.org \
--cc=benh@kernel.crashing.org \
--cc=jk@ozlabs.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=oohall@gmail.com \
--cc=paulus@samba.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).