From: gjoyce@linux.vnet.ibm.com
To: linux-block@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org, jonathan.derrick@linux.dev,
brking@linux.vnet.ibm.com, msuchanek@suse.de, mpe@ellerman.id.au,
axboe@kernel.dk, akpm@linux-foundation.org,
gjoyce@linux.vnet.ibm.com, linux-efi@vger.kernel.org,
keyrings@vger.kernel.org, me@benboeckel.net, elliott@hpe.com,
andonnel@au1.ibm.com
Subject: [PATCH 2/4] powerpc/pseries: PLPKS SED Opal keystore support
Date: Fri, 5 May 2023 14:44:00 -0500 [thread overview]
Message-ID: <20230505194402.2079010-3-gjoyce@linux.vnet.ibm.com> (raw)
In-Reply-To: <20230505194402.2079010-1-gjoyce@linux.vnet.ibm.com>
From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Define operations for SED Opal to read/write keys
from POWER LPAR Platform KeyStore(PLPKS). This allows
non-volatile storage of SED Opal keys.
Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>
---
arch/powerpc/platforms/pseries/Makefile | 1 +
.../powerpc/platforms/pseries/plpks_sed_ops.c | 126 ++++++++++++++++++
2 files changed, 127 insertions(+)
create mode 100644 arch/powerpc/platforms/pseries/plpks_sed_ops.c
diff --git a/arch/powerpc/platforms/pseries/Makefile b/arch/powerpc/platforms/pseries/Makefile
index 53c3b91af2f7..4242aed0d5d3 100644
--- a/arch/powerpc/platforms/pseries/Makefile
+++ b/arch/powerpc/platforms/pseries/Makefile
@@ -29,6 +29,7 @@ obj-$(CONFIG_PPC_SVM) += svm.o
obj-$(CONFIG_FA_DUMP) += rtas-fadump.o
obj-$(CONFIG_PSERIES_PLPKS) += plpks.o
obj-$(CONFIG_PPC_SECURE_BOOT) += plpks-secvar.o
+obj-$(CONFIG_PSERIES_PLPKS_SED) += plpks-sed.o
obj-$(CONFIG_SUSPEND) += suspend.o
obj-$(CONFIG_PPC_VAS) += vas.o vas-sysfs.o
diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
new file mode 100644
index 000000000000..086934b319a9
--- /dev/null
+++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
@@ -0,0 +1,126 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * POWER Platform specific code for non-volatile SED key access
+ * Copyright (C) 2022 IBM Corporation
+ *
+ * Define operations for SED Opal to read/write keys
+ * from POWER LPAR Platform KeyStore(PLPKS).
+ *
+ * Self Encrypting Drives(SED) key storage using PLPKS
+ */
+
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <linux/string.h>
+#include <linux/ioctl.h>
+#include <linux/sed-opal-key.h>
+#include "plpks.h"
+
+/*
+ * structure that contains all SED data
+ */
+struct plpks_sed_object_data {
+ u_char version;
+ u_char pad1[7];
+ u_long authority;
+ u_long range;
+ u_int key_len;
+ u_char key[32];
+};
+
+#define PLPKS_PLATVAR_POLICY WORLDREADABLE
+#define PLPKS_PLATVAR_OS_COMMON 4
+
+#define PLPKS_SED_OBJECT_DATA_V0 0
+#define PLPKS_SED_MANGLED_LABEL "/default/pri"
+#define PLPKS_SED_COMPONENT "sed-opal"
+#define PLPKS_SED_KEY "opal-boot-pin"
+
+/*
+ * authority is admin1 and range is global
+ */
+#define PLPKS_SED_AUTHORITY 0x0000000900010001
+#define PLPKS_SED_RANGE 0x0000080200000001
+
+void plpks_init_var(struct plpks_var *var, char *keyname)
+{
+ var->name = keyname;
+ var->namelen = strlen(keyname);
+ if (strcmp(PLPKS_SED_KEY, keyname) == 0) {
+ var->name = PLPKS_SED_MANGLED_LABEL;
+ var->namelen = strlen(keyname);
+ }
+ var->policy = PLPKS_PLATVAR_POLICY;
+ var->os = PLPKS_PLATVAR_OS_COMMON;
+ var->data = NULL;
+ var->datalen = 0;
+ var->component = PLPKS_SED_COMPONENT;
+}
+
+/*
+ * Read the SED Opal key from PLPKS given the label
+ */
+int sed_read_key(char *keyname, char *key, u_int *keylen)
+{
+ struct plpks_var var;
+ struct plpks_sed_object_data data;
+ u_int offset;
+ int ret;
+ u_int len;
+
+ plpks_init_var(&var, keyname);
+ var.data = &data;
+ var.datalen = sizeof(data);
+
+ ret = plpks_read_os_var(&var);
+ if (ret != 0)
+ return ret;
+
+ offset = offsetof(struct plpks_sed_object_data, key);
+ if (offset > var.datalen) {
+ return -EINVAL;
+ }
+
+ len = min(be32_to_cpu(data.key_len), *keylen);
+
+ memcpy(key, data.key, len);
+ kfree(var.data);
+
+ key[len] = '\0';
+ *keylen = len;
+
+ return 0;
+}
+
+/*
+ * Write the SED Opal key to PLPKS given the label
+ */
+int sed_write_key(char *keyname, char *key, u_int keylen)
+{
+ struct plpks_var var;
+ struct plpks_sed_object_data data;
+ struct plpks_var_name vname;
+
+ plpks_init_var(&var, keyname);
+
+ var.datalen = sizeof(struct plpks_sed_object_data);
+ var.data = (u8 *)&data;
+
+ /* initialize SED object */
+ data.version = PLPKS_SED_OBJECT_DATA_V0;
+ data.authority = cpu_to_be64(PLPKS_SED_AUTHORITY);
+ data.range = cpu_to_be64(PLPKS_SED_RANGE);
+ memset(&data.pad1, '\0', sizeof(data.pad1));
+ data.key_len = cpu_to_be32(keylen);
+ memcpy(data.key, (char *)key, keylen);
+
+ /*
+ * Key update requires remove first. The return value
+ * is ignored since it's okay if the key doesn't exist.
+ */
+ vname.namelen = var.namelen;
+ vname.name = var.name;
+ plpks_remove_var(var.component, var.os, vname);
+
+ return plpks_write_var(var);
+}
--
gjoyce@linux.vnet.ibm.com
WARNING: multiple messages have this Message-ID (diff)
From: gjoyce@linux.vnet.ibm.com
To: linux-block@vger.kernel.org
Cc: axboe@kernel.dk, linux-efi@vger.kernel.org,
gjoyce@linux.vnet.ibm.com, me@benboeckel.net,
keyrings@vger.kernel.org, jonathan.derrick@linux.dev,
andonnel@au1.ibm.com, brking@linux.vnet.ibm.com,
akpm@linux-foundation.org, msuchanek@suse.de,
linuxppc-dev@lists.ozlabs.org, elliott@hpe.com
Subject: [PATCH 2/4] powerpc/pseries: PLPKS SED Opal keystore support
Date: Fri, 5 May 2023 14:44:00 -0500 [thread overview]
Message-ID: <20230505194402.2079010-3-gjoyce@linux.vnet.ibm.com> (raw)
In-Reply-To: <20230505194402.2079010-1-gjoyce@linux.vnet.ibm.com>
From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Define operations for SED Opal to read/write keys
from POWER LPAR Platform KeyStore(PLPKS). This allows
non-volatile storage of SED Opal keys.
Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>
---
arch/powerpc/platforms/pseries/Makefile | 1 +
.../powerpc/platforms/pseries/plpks_sed_ops.c | 126 ++++++++++++++++++
2 files changed, 127 insertions(+)
create mode 100644 arch/powerpc/platforms/pseries/plpks_sed_ops.c
diff --git a/arch/powerpc/platforms/pseries/Makefile b/arch/powerpc/platforms/pseries/Makefile
index 53c3b91af2f7..4242aed0d5d3 100644
--- a/arch/powerpc/platforms/pseries/Makefile
+++ b/arch/powerpc/platforms/pseries/Makefile
@@ -29,6 +29,7 @@ obj-$(CONFIG_PPC_SVM) += svm.o
obj-$(CONFIG_FA_DUMP) += rtas-fadump.o
obj-$(CONFIG_PSERIES_PLPKS) += plpks.o
obj-$(CONFIG_PPC_SECURE_BOOT) += plpks-secvar.o
+obj-$(CONFIG_PSERIES_PLPKS_SED) += plpks-sed.o
obj-$(CONFIG_SUSPEND) += suspend.o
obj-$(CONFIG_PPC_VAS) += vas.o vas-sysfs.o
diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
new file mode 100644
index 000000000000..086934b319a9
--- /dev/null
+++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
@@ -0,0 +1,126 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * POWER Platform specific code for non-volatile SED key access
+ * Copyright (C) 2022 IBM Corporation
+ *
+ * Define operations for SED Opal to read/write keys
+ * from POWER LPAR Platform KeyStore(PLPKS).
+ *
+ * Self Encrypting Drives(SED) key storage using PLPKS
+ */
+
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <linux/string.h>
+#include <linux/ioctl.h>
+#include <linux/sed-opal-key.h>
+#include "plpks.h"
+
+/*
+ * structure that contains all SED data
+ */
+struct plpks_sed_object_data {
+ u_char version;
+ u_char pad1[7];
+ u_long authority;
+ u_long range;
+ u_int key_len;
+ u_char key[32];
+};
+
+#define PLPKS_PLATVAR_POLICY WORLDREADABLE
+#define PLPKS_PLATVAR_OS_COMMON 4
+
+#define PLPKS_SED_OBJECT_DATA_V0 0
+#define PLPKS_SED_MANGLED_LABEL "/default/pri"
+#define PLPKS_SED_COMPONENT "sed-opal"
+#define PLPKS_SED_KEY "opal-boot-pin"
+
+/*
+ * authority is admin1 and range is global
+ */
+#define PLPKS_SED_AUTHORITY 0x0000000900010001
+#define PLPKS_SED_RANGE 0x0000080200000001
+
+void plpks_init_var(struct plpks_var *var, char *keyname)
+{
+ var->name = keyname;
+ var->namelen = strlen(keyname);
+ if (strcmp(PLPKS_SED_KEY, keyname) == 0) {
+ var->name = PLPKS_SED_MANGLED_LABEL;
+ var->namelen = strlen(keyname);
+ }
+ var->policy = PLPKS_PLATVAR_POLICY;
+ var->os = PLPKS_PLATVAR_OS_COMMON;
+ var->data = NULL;
+ var->datalen = 0;
+ var->component = PLPKS_SED_COMPONENT;
+}
+
+/*
+ * Read the SED Opal key from PLPKS given the label
+ */
+int sed_read_key(char *keyname, char *key, u_int *keylen)
+{
+ struct plpks_var var;
+ struct plpks_sed_object_data data;
+ u_int offset;
+ int ret;
+ u_int len;
+
+ plpks_init_var(&var, keyname);
+ var.data = &data;
+ var.datalen = sizeof(data);
+
+ ret = plpks_read_os_var(&var);
+ if (ret != 0)
+ return ret;
+
+ offset = offsetof(struct plpks_sed_object_data, key);
+ if (offset > var.datalen) {
+ return -EINVAL;
+ }
+
+ len = min(be32_to_cpu(data.key_len), *keylen);
+
+ memcpy(key, data.key, len);
+ kfree(var.data);
+
+ key[len] = '\0';
+ *keylen = len;
+
+ return 0;
+}
+
+/*
+ * Write the SED Opal key to PLPKS given the label
+ */
+int sed_write_key(char *keyname, char *key, u_int keylen)
+{
+ struct plpks_var var;
+ struct plpks_sed_object_data data;
+ struct plpks_var_name vname;
+
+ plpks_init_var(&var, keyname);
+
+ var.datalen = sizeof(struct plpks_sed_object_data);
+ var.data = (u8 *)&data;
+
+ /* initialize SED object */
+ data.version = PLPKS_SED_OBJECT_DATA_V0;
+ data.authority = cpu_to_be64(PLPKS_SED_AUTHORITY);
+ data.range = cpu_to_be64(PLPKS_SED_RANGE);
+ memset(&data.pad1, '\0', sizeof(data.pad1));
+ data.key_len = cpu_to_be32(keylen);
+ memcpy(data.key, (char *)key, keylen);
+
+ /*
+ * Key update requires remove first. The return value
+ * is ignored since it's okay if the key doesn't exist.
+ */
+ vname.namelen = var.namelen;
+ vname.name = var.name;
+ plpks_remove_var(var.component, var.os, vname);
+
+ return plpks_write_var(var);
+}
--
gjoyce@linux.vnet.ibm.com
next prev parent reply other threads:[~2023-05-05 19:45 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-05 19:43 [PATCH v5 0/4] generic and PowerPC SED Opal keystore gjoyce
2023-05-05 19:43 ` gjoyce
2023-05-05 19:43 ` [PATCH 1/4] block:sed-opal: " gjoyce
2023-05-05 19:43 ` gjoyce
2023-05-10 22:50 ` Jarkko Sakkinen
2023-05-10 22:50 ` Jarkko Sakkinen
2023-06-01 14:29 ` Greg Joyce
2023-06-01 14:29 ` Greg Joyce
2023-05-05 19:44 ` gjoyce [this message]
2023-05-05 19:44 ` [PATCH 2/4] powerpc/pseries: PLPKS SED Opal keystore support gjoyce
2023-05-05 19:44 ` [PATCH 3/4] block: sed-opal: keystore access for SED Opal keys gjoyce
2023-05-05 19:44 ` gjoyce
2023-05-05 19:44 ` [PATCH 4/4] powerpc/pseries: update SED for PLPKS api changes gjoyce
2023-05-05 19:44 ` gjoyce
2023-05-15 5:52 ` Andrew Donnellan
2023-05-15 5:52 ` Andrew Donnellan
2023-06-01 14:27 ` Greg Joyce
2023-06-01 14:27 ` Greg Joyce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230505194402.2079010-3-gjoyce@linux.vnet.ibm.com \
--to=gjoyce@linux.vnet.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=andonnel@au1.ibm.com \
--cc=axboe@kernel.dk \
--cc=brking@linux.vnet.ibm.com \
--cc=elliott@hpe.com \
--cc=jonathan.derrick@linux.dev \
--cc=keyrings@vger.kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=me@benboeckel.net \
--cc=mpe@ellerman.id.au \
--cc=msuchanek@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.