From: Andrew Donnellan <ajd@linux.ibm.com>
To: linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org
Cc: sudhakar@linux.ibm.com, erichte@linux.ibm.com,
gregkh@linuxfoundation.org, nayna@linux.ibm.com,
npiggin@gmail.com, linux-kernel@vger.kernel.org,
zohar@linux.ibm.com, gjoyce@linux.ibm.com, ruscur@russell.cc,
joel@jms.id.au, bgray@linux.ibm.com, brking@linux.ibm.com,
gcwilson@linux.ibm.com, stefanb@linux.ibm.com
Subject: [PATCH v5 17/25] powerpc/pseries: Implement signed update for PLPKS objects
Date: Tue, 31 Jan 2023 17:39:20 +1100 [thread overview]
Message-ID: <20230131063928.388035-18-ajd@linux.ibm.com> (raw)
In-Reply-To: <20230131063928.388035-1-ajd@linux.ibm.com>
From: Nayna Jain <nayna@linux.ibm.com>
The Platform Keystore provides a signed update interface which can be used
to create, replace or append to certain variables in the PKS in a secure
fashion, with the hypervisor requiring that the update be signed using the
Platform Key.
Implement an interface to the H_PKS_SIGNED_UPDATE hcall in the plpks
driver to allow signed updates to PKS objects.
(The plpks driver doesn't need to do any cryptography or otherwise handle
the actual signed variable contents - that will be handled by userspace
tooling.)
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
[ajd: split patch, add timeout handling and misc cleanups]
Co-developed-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Russell Currey <ruscur@russell.cc>
---
v3: Merge plpks fixes and signed update series with secvar series
Fix error code handling in plpks_confirm_object_flushed() (ruscur)
Pass plpks_var struct to plpks_signed_update_var() by reference (mpe)
Consistent constant naming scheme (ruscur)
v4: Fix MAX_HCALL_OPCODE rebasing issue (npiggin)
v5: Drop the EXPORT_SYMBOL since we don't need it (npiggin)
Return an error if plpks_signed_update_var() is called with non-NULL
component (npiggin)
---
arch/powerpc/include/asm/hvcall.h | 1 +
arch/powerpc/include/asm/plpks.h | 5 ++
arch/powerpc/platforms/pseries/plpks.c | 74 ++++++++++++++++++++++++--
3 files changed, 75 insertions(+), 5 deletions(-)
diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
index 95fd7f9485d5..c099780385dd 100644
--- a/arch/powerpc/include/asm/hvcall.h
+++ b/arch/powerpc/include/asm/hvcall.h
@@ -335,6 +335,7 @@
#define H_RPT_INVALIDATE 0x448
#define H_SCM_FLUSH 0x44C
#define H_GET_ENERGY_SCALE_INFO 0x450
+#define H_PKS_SIGNED_UPDATE 0x454
#define H_WATCHDOG 0x45C
#define MAX_HCALL_OPCODE H_WATCHDOG
diff --git a/arch/powerpc/include/asm/plpks.h b/arch/powerpc/include/asm/plpks.h
index 7c5f51a9af7c..e7204e6c0ca4 100644
--- a/arch/powerpc/include/asm/plpks.h
+++ b/arch/powerpc/include/asm/plpks.h
@@ -68,6 +68,11 @@ struct plpks_var_name_list {
struct plpks_var_name varlist[];
};
+/**
+ * Updates the authenticated variable. It expects NULL as the component.
+ */
+int plpks_signed_update_var(struct plpks_var *var, u64 flags);
+
/**
* Writes the specified var and its data to PKS.
* Any caller of PKS driver should present a valid component type for
diff --git a/arch/powerpc/platforms/pseries/plpks.c b/arch/powerpc/platforms/pseries/plpks.c
index 1189246b03dc..cee06fb9a370 100644
--- a/arch/powerpc/platforms/pseries/plpks.c
+++ b/arch/powerpc/platforms/pseries/plpks.c
@@ -81,6 +81,12 @@ static int pseries_status_to_err(int rc)
err = -ENOENT;
break;
case H_BUSY:
+ case H_LONG_BUSY_ORDER_1_MSEC:
+ case H_LONG_BUSY_ORDER_10_MSEC:
+ case H_LONG_BUSY_ORDER_100_MSEC:
+ case H_LONG_BUSY_ORDER_1_SEC:
+ case H_LONG_BUSY_ORDER_10_SEC:
+ case H_LONG_BUSY_ORDER_100_SEC:
err = -EBUSY;
break;
case H_AUTHORITY:
@@ -184,14 +190,17 @@ static struct label *construct_label(char *component, u8 varos, u8 *name,
u16 namelen)
{
struct label *label;
- size_t slen;
+ size_t slen = 0;
if (!name || namelen > PLPKS_MAX_NAME_SIZE)
return ERR_PTR(-EINVAL);
- slen = strlen(component);
- if (component && slen > sizeof(label->attr.prefix))
- return ERR_PTR(-EINVAL);
+ // Support NULL component for signed updates
+ if (component) {
+ slen = strlen(component);
+ if (slen > sizeof(label->attr.prefix))
+ return ERR_PTR(-EINVAL);
+ }
// The label structure must not cross a page boundary, so we align to the next power of 2
label = kzalloc(roundup_pow_of_two(sizeof(*label)), GFP_KERNEL);
@@ -397,6 +406,61 @@ static int plpks_confirm_object_flushed(struct label *label,
return pseries_status_to_err(rc);
}
+int plpks_signed_update_var(struct plpks_var *var, u64 flags)
+{
+ unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0};
+ int rc;
+ struct label *label;
+ struct plpks_auth *auth;
+ u64 continuetoken = 0;
+ u64 timeout = 0;
+
+ if (!var->data || var->datalen <= 0 || var->namelen > PLPKS_MAX_NAME_SIZE)
+ return -EINVAL;
+
+ if (!(var->policy & PLPKS_SIGNEDUPDATE))
+ return -EINVAL;
+
+ // Signed updates need the component to be NULL.
+ if (var->component)
+ return -EINVAL;
+
+ auth = construct_auth(PLPKS_OS_OWNER);
+ if (IS_ERR(auth))
+ return PTR_ERR(auth);
+
+ label = construct_label(var->component, var->os, var->name, var->namelen);
+ if (IS_ERR(label)) {
+ rc = PTR_ERR(label);
+ goto out;
+ }
+
+ do {
+ rc = plpar_hcall9(H_PKS_SIGNED_UPDATE, retbuf,
+ virt_to_phys(auth), virt_to_phys(label),
+ label->size, var->policy, flags,
+ virt_to_phys(var->data), var->datalen,
+ continuetoken);
+
+ continuetoken = retbuf[0];
+ if (pseries_status_to_err(rc) == -EBUSY) {
+ int delay_ms = get_longbusy_msecs(rc);
+ mdelay(delay_ms);
+ timeout += delay_ms;
+ }
+ rc = pseries_status_to_err(rc);
+ } while (rc == -EBUSY && timeout < PLPKS_MAX_TIMEOUT);
+
+ if (!rc)
+ rc = plpks_confirm_object_flushed(label, auth);
+
+ kfree(label);
+out:
+ kfree(auth);
+
+ return rc;
+}
+
int plpks_write_var(struct plpks_var var)
{
unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 };
@@ -443,7 +507,7 @@ int plpks_remove_var(char *component, u8 varos, struct plpks_var_name vname)
struct label *label;
int rc;
- if (!component || vname.namelen > PLPKS_MAX_NAME_SIZE)
+ if (vname.namelen > PLPKS_MAX_NAME_SIZE)
return -EINVAL;
auth = construct_auth(PLPKS_OS_OWNER);
--
2.39.1
next prev parent reply other threads:[~2023-01-31 6:58 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-31 6:39 [PATCH v5 00/25] pSeries dynamic secure boot secvar interface + platform keyring loading Andrew Donnellan
2023-01-31 6:39 ` [PATCH v5 01/25] powerpc/pseries: Fix handling of PLPKS object flushing timeout Andrew Donnellan
2023-01-31 6:39 ` [PATCH v5 02/25] powerpc/pseries: Fix alignment of PLPKS structures and buffers Andrew Donnellan
2023-01-31 6:39 ` [PATCH v5 03/25] powerpc/secvar: Fix incorrect return in secvar_sysfs_load() Andrew Donnellan
2023-01-31 15:18 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 04/25] powerpc/secvar: Use u64 in secvar_operations Andrew Donnellan
2023-01-31 6:39 ` [PATCH v5 05/25] powerpc/secvar: Warn and error if multiple secvar ops are set Andrew Donnellan
2023-01-31 14:48 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 06/25] powerpc/secvar: Use sysfs_emit() instead of sprintf() Andrew Donnellan
2023-01-31 15:20 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 07/25] powerpc/secvar: Handle format string in the consumer Andrew Donnellan
2023-01-31 15:23 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 08/25] powerpc/secvar: Handle max object size " Andrew Donnellan
2023-01-31 15:26 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 09/25] powerpc/secvar: Clean up init error messages Andrew Donnellan
2023-01-31 15:45 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 10/25] powerpc/secvar: Extend sysfs to include config vars Andrew Donnellan
2023-01-31 15:49 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 11/25] powerpc/secvar: Allow backend to populate static list of variable names Andrew Donnellan
2023-01-31 15:54 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 12/25] powerpc/secvar: Warn when PAGE_SIZE is smaller than max object size Andrew Donnellan
2023-01-31 15:57 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 13/25] powerpc/secvar: Don't print error on ENOENT when reading variables Andrew Donnellan
2023-01-31 15:58 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 14/25] powerpc/pseries: Move plpks.h to include directory Andrew Donnellan
2023-01-31 15:59 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 15/25] powerpc/pseries: Move PLPKS constants to header file Andrew Donnellan
2023-01-31 16:07 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 16/25] powerpc/pseries: Expose PLPKS config values, support additional fields Andrew Donnellan
2023-01-31 16:13 ` Stefan Berger
2023-01-31 6:39 ` Andrew Donnellan [this message]
2023-01-31 16:30 ` [PATCH v5 17/25] powerpc/pseries: Implement signed update for PLPKS objects Stefan Berger
2023-01-31 6:39 ` [PATCH v5 18/25] powerpc/pseries: Log hcall return codes for PLPKS debug Andrew Donnellan
2023-01-31 16:31 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 19/25] powerpc/pseries: Make caller pass buffer to plpks_read_var() Andrew Donnellan
2023-01-31 16:38 ` Stefan Berger
2023-02-07 5:25 ` Andrew Donnellan
2023-01-31 6:39 ` [PATCH v5 20/25] powerpc/pseries: Turn PSERIES_PLPKS into a hidden option Andrew Donnellan
2023-01-31 16:40 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 21/25] powerpc/pseries: Add helper to get PLPKS password length Andrew Donnellan
2023-01-31 16:42 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 22/25] powerpc/pseries: Pass PLPKS password on kexec Andrew Donnellan
2023-01-31 16:52 ` Stefan Berger
2023-01-31 6:39 ` [PATCH v5 23/25] powerpc/pseries: Implement secvars for dynamic secure boot Andrew Donnellan
2023-01-31 17:11 ` Stefan Berger
2023-02-01 6:32 ` Andrew Donnellan
2023-01-31 6:39 ` [PATCH v5 24/25] integrity/powerpc: Improve error handling & reporting when loading certs Andrew Donnellan
2023-01-31 6:39 ` [PATCH v5 25/25] integrity/powerpc: Support loading keys from PLPKS Andrew Donnellan
2023-01-31 17:17 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230131063928.388035-18-ajd@linux.ibm.com \
--to=ajd@linux.ibm.com \
--cc=bgray@linux.ibm.com \
--cc=brking@linux.ibm.com \
--cc=erichte@linux.ibm.com \
--cc=gcwilson@linux.ibm.com \
--cc=gjoyce@linux.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=joel@jms.id.au \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=nayna@linux.ibm.com \
--cc=npiggin@gmail.com \
--cc=ruscur@russell.cc \
--cc=stefanb@linux.ibm.com \
--cc=sudhakar@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).