From: gjoyce@linux.vnet.ibm.com To: linux-block@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org, jonathan.derrick@linux.dev, brking@linux.vnet.ibm.com, msuchanek@suse.de, mpe@ellerman.id.au, axboe@kernel.dk, akpm@linux-foundation.org, gjoyce@linux.vnet.ibm.com, linux-efi@vger.kernel.org, keyrings@vger.kernel.org, me@benboeckel.net, elliott@hpe.com, andonnel@au1.ibm.com Subject: [PATCH 2/4] powerpc/pseries: PLPKS SED Opal keystore support Date: Fri, 5 May 2023 14:44:00 -0500 [thread overview] Message-ID: <20230505194402.2079010-3-gjoyce@linux.vnet.ibm.com> (raw) In-Reply-To: <20230505194402.2079010-1-gjoyce@linux.vnet.ibm.com> From: Greg Joyce <gjoyce@linux.vnet.ibm.com> Define operations for SED Opal to read/write keys from POWER LPAR Platform KeyStore(PLPKS). This allows non-volatile storage of SED Opal keys. Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com> Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev> --- arch/powerpc/platforms/pseries/Makefile | 1 + .../powerpc/platforms/pseries/plpks_sed_ops.c | 126 ++++++++++++++++++ 2 files changed, 127 insertions(+) create mode 100644 arch/powerpc/platforms/pseries/plpks_sed_ops.c diff --git a/arch/powerpc/platforms/pseries/Makefile b/arch/powerpc/platforms/pseries/Makefile index 53c3b91af2f7..4242aed0d5d3 100644 --- a/arch/powerpc/platforms/pseries/Makefile +++ b/arch/powerpc/platforms/pseries/Makefile @@ -29,6 +29,7 @@ obj-$(CONFIG_PPC_SVM) += svm.o obj-$(CONFIG_FA_DUMP) += rtas-fadump.o obj-$(CONFIG_PSERIES_PLPKS) += plpks.o obj-$(CONFIG_PPC_SECURE_BOOT) += plpks-secvar.o +obj-$(CONFIG_PSERIES_PLPKS_SED) += plpks-sed.o obj-$(CONFIG_SUSPEND) += suspend.o obj-$(CONFIG_PPC_VAS) += vas.o vas-sysfs.o diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c b/arch/powerpc/platforms/pseries/plpks_sed_ops.c new file mode 100644 index 000000000000..086934b319a9 --- /dev/null +++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c 
@@ -0,0 +1,126 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * POWER Platform specific code for non-volatile SED key access + * Copyright (C) 2022 IBM Corporation + * + * Define operations for SED Opal to read/write keys + * from POWER LPAR Platform KeyStore(PLPKS). + * + * Self Encrypting Drives(SED) key storage using PLPKS + */ + +#include <linux/kernel.h> +#include <linux/slab.h> +#include <linux/string.h> +#include <linux/ioctl.h> +#include <linux/sed-opal-key.h> +#include "plpks.h" + +/* + * structure that contains all SED data + */ +struct plpks_sed_object_data { + u_char version; + u_char pad1[7]; + u_long authority; + u_long range; + u_int key_len; + u_char key[32]; +}; + +#define PLPKS_PLATVAR_POLICY WORLDREADABLE +#define PLPKS_PLATVAR_OS_COMMON 4 + +#define PLPKS_SED_OBJECT_DATA_V0 0 +#define PLPKS_SED_MANGLED_LABEL "/default/pri" +#define PLPKS_SED_COMPONENT "sed-opal" +#define PLPKS_SED_KEY "opal-boot-pin" + +/* + * authority is admin1 and range is global + */ +#define PLPKS_SED_AUTHORITY 0x0000000900010001 +#define PLPKS_SED_RANGE 0x0000080200000001 + +void plpks_init_var(struct plpks_var *var, char *keyname) +{ + var->name = keyname; + var->namelen = strlen(keyname); + if (strcmp(PLPKS_SED_KEY, keyname) == 0) { + var->name = PLPKS_SED_MANGLED_LABEL; + var->namelen = strlen(keyname); + } + var->policy = PLPKS_PLATVAR_POLICY; + var->os = PLPKS_PLATVAR_OS_COMMON; + var->data = NULL; + var->datalen = 0; + var->component = PLPKS_SED_COMPONENT; +} + +/* + * Read the SED Opal key from PLPKS given the label + */ +int sed_read_key(char *keyname, char *key, u_int *keylen) +{ + struct plpks_var var; + struct plpks_sed_object_data data; + u_int offset; + int ret; + u_int len; + + plpks_init_var(&var, keyname); + var.data = &data; + var.datalen = sizeof(data); + + ret = plpks_read_os_var(&var); + if (ret != 0) + return ret; + + offset = offsetof(struct plpks_sed_object_data, key); + if (offset > var.datalen) { + return -EINVAL; + } + + len = 
min(be32_to_cpu(data.key_len), *keylen); + + memcpy(key, data.key, len); + kfree(var.data); + + key[len] = '\0'; + *keylen = len; + + return 0; +} + +/* + * Write the SED Opal key to PLPKS given the label + */ +int sed_write_key(char *keyname, char *key, u_int keylen) +{ + struct plpks_var var; + struct plpks_sed_object_data data; + struct plpks_var_name vname; + + plpks_init_var(&var, keyname); + + var.datalen = sizeof(struct plpks_sed_object_data); + var.data = (u8 *)&data; + + /* initialize SED object */ + data.version = PLPKS_SED_OBJECT_DATA_V0; + data.authority = cpu_to_be64(PLPKS_SED_AUTHORITY); + data.range = cpu_to_be64(PLPKS_SED_RANGE); + memset(&data.pad1, '\0', sizeof(data.pad1)); + data.key_len = cpu_to_be32(keylen); + memcpy(data.key, (char *)key, keylen); + + /* + * Key update requires remove first. The return value + * is ignored since it's okay if the key doesn't exist. + */ + vname.namelen = var.namelen; + vname.name = var.name; + plpks_remove_var(var.component, var.os, vname); + + return plpks_write_var(var); +} -- gjoyce@linux.vnet.ibm.com
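Review bot: the object name in the Makefile hunk does not match the file this patch creates. The hunk adds `obj-$(CONFIG_PSERIES_PLPKS_SED) += plpks-sed.o`, but the new source is `arch/powerpc/platforms/pseries/plpks_sed_ops.c`, so with that option enabled the build would look for a `plpks-sed.c` that does not exist; either rename the file or change the line to `plpks_sed_ops.o`. `CONFIG_PSERIES_PLPKS_SED` is also not introduced in this patch; if the Kconfig entry is in another patch of the series, a pointer to it in the commit message would help reviewers.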
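Review bot: the key copies in the new file are not bounded by the 32-byte `data.key` field. In sed_write_key(), `memcpy(data.key, (char *)key, keylen)` runs with no check that `keylen <= sizeof(data.key)`, so an oversized key overruns the on-stack object; reject it before the copy. In sed_read_key(), `len = min(be32_to_cpu(data.key_len), *keylen)` bounds the copy by the caller's buffer but not by `sizeof(data.key)`, so a stored object with a large key_len reads past `data`, and the following `key[len] = '\0'` writes one byte past the caller's buffer whenever len equals *keylen; clamp to `sizeof(data.key)` and either require `*keylen` to leave room for the terminator or document that the caller must. The var.data handling in sed_read_key() is also inconsistent: `var.data = &data` points at a stack object, yet `kfree(var.data)` follows the read; if plpks_read_os_var() replaces var.data with its own allocation then `data` is never filled and `data.key_len` is read uninitialised, and if it does not, kfree() is handed a stack address. Smaller points: in plpks_init_var() the mangled-label branch sets `var->name = PLPKS_SED_MANGLED_LABEL` but keeps `var->namelen = strlen(keyname)`, which is the length of "opal-boot-pin" rather than of "/default/pri"; the stored object uses `u_char`/`u_long`/`u_int` while `cpu_to_be64()`/`cpu_to_be32()` values are assigned into it, so `u8`/`__be64`/`__be32` would document the wire format and keep sparse quiet; the remove-then-write sequence in sed_write_key() means a failure or power loss between plpks_remove_var() and plpks_write_var() leaves no key in the keystore, which deserves at least a comment; since the object holds the Opal unlock PIN, a comment explaining why `WORLDREADABLE` is the intended policy would help; and plpks_init_var() can be static.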