Subject: Re: [PATCH v2 22/22] ieee1275: enter lockdown based on /ibm,secure-boot
From: Stefan Berger
Date: Mon, 19 Jul 2021 18:08:24 -0400
To: The development of GNU GRUB, Daniel Axtens
Cc: rashmica.g@gmail.com, alastair@d-silva.org, nayna@linux.ibm.com
In-Reply-To: <20210630084031.2663622-23-dja@axtens.net>

On 6/30/21 4:40 AM, Daniel Axtens wrote:
> If the 'ibm,secure-boot' property of the root node is 2 or greater,
> enter lockdown.
> > Signed-off-by: Daniel Axtens Reviewed-by: Stefan Berger > --- > docs/grub.texi | 4 ++-- > grub-core/Makefile.core.def | 1 + > grub-core/kern/ieee1275/init.c | 27 +++++++++++++++++++++++++++ > include/grub/lockdown.h | 3 ++- > 4 files changed, 32 insertions(+), 3 deletions(-) > > diff --git a/docs/grub.texi b/docs/grub.texi > index 02fcda11e3bd..b13316cdb491 100644 > --- a/docs/grub.texi > +++ b/docs/grub.texi > @@ -6189,8 +6189,8 @@ Measured boot is currently only supported on EFI platforms. > @section Lockdown when booting on a secure setup > > The GRUB can be locked down when booted on a secure boot environment, for example > -if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will > -be restricted and some operations/commands cannot be executed. > +if UEFI or Power secure boot is enabled. On a locked down configuration, the > +GRUB will be restricted and some operations/commands cannot be executed. > > The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down. > Otherwise it does not exit. > diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def > index 4aa4cf263d94..775a031f1843 100644 > --- a/grub-core/Makefile.core.def > +++ b/grub-core/Makefile.core.def > @@ -317,6 +317,7 @@ kernel = { > powerpc_ieee1275 = kern/powerpc/cache.S; > powerpc_ieee1275 = kern/powerpc/dl.c; > powerpc_ieee1275 = kern/powerpc/compiler-rt.S; > + powerpc_ieee1275 = kern/lockdown.c; > > sparc64_ieee1275 = kern/sparc64/cache.S; > sparc64_ieee1275 = kern/sparc64/dl.c; > diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c > index 4586bec939b2..5faf4e736074 100644 > --- a/grub-core/kern/ieee1275/init.c > +++ b/grub-core/kern/ieee1275/init.c > @@ -44,6 +44,7 @@ > #ifdef __sparc__ > #include > #endif > +#include > > /* The maximum heap size we're going to claim. Not used by sparc. > We allocate 1/4 of the available memory under 4G, up to this limit. */ 
> @@ -442,6 +443,30 @@ grub_parse_cmdline (void) > } > } > > +static void > +grub_get_ieee1275_secure_boot (void) > +{ > + grub_ieee1275_phandle_t root; > + int rc; > + grub_uint32_t is_sb; > + > + grub_ieee1275_finddevice ("/", &root); > + > + rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &is_sb, > + sizeof (is_sb), 0); > + > + /* ibm,secure-boot: > + * 0 - disabled > + * 1 - audit > + * 2 - enforce > + * 3 - enforce + OS-specific behaviour > + * > + * We only support enforce. > + */ > + if (rc >= 0 && is_sb >= 2) > + grub_lockdown (); > +} > + > grub_addr_t grub_modbase; > > void > @@ -467,6 +492,8 @@ grub_machine_init (void) > #else > grub_install_get_time_ms (grub_rtc_get_time_ms); > #endif > + > + grub_get_ieee1275_secure_boot (); > } > > void > diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h > index 40531fa823bf..ebfee4bf06e7 100644 > --- a/include/grub/lockdown.h > +++ b/include/grub/lockdown.h > @@ -24,7 +24,8 @@ > #define GRUB_LOCKDOWN_DISABLED 0 > #define GRUB_LOCKDOWN_ENABLED 1 > > -#ifdef GRUB_MACHINE_EFI > +#if defined(GRUB_MACHINE_EFI) || \ > + (defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275)) > extern void > EXPORT_FUNC (grub_lockdown) (void); > extern int
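
Review bot: In the docs/grub.texi hunk, the new wording "if UEFI or Power secure boot is enabled" does not say that on Power only the enforcing values of ibm,secure-boot trigger lockdown, while audit mode (1) leaves GRUB unrestricted, as the `is_sb >= 2` test in init.c shows. Suggest adding a sentence to that effect so that someone running in audit mode does not assume the command restrictions are active. The unchanged context line "Otherwise it does not exit." also looks like a typo for "exist" and could be fixed while this paragraph is being touched.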
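
Review bot: In grub_get_ieee1275_secure_boot() (kern/ieee1275/init.c, hunk at -442), the result of `grub_ieee1275_finddevice ("/", &root)` is ignored and is_sb is left uninitialized, so a failed root lookup hands an uninitialized phandle to grub_ieee1275_get_integer_property() and the decision rests entirely on `rc >= 0`. Suggest checking the finddevice return value, initializing is_sb to 0, and saying in the comment that any lookup failure deliberately leaves GRUB unlocked, since that is the fail-open path of this check. The comment "We only support enforce" would read more accurately if it said that both 2 and 3 are treated as enforce, matching the `>= 2` test, and the name says "get" although the function returns void and calls grub_lockdown() as a side effect.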
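
Review bot: In the include/grub/lockdown.h hunk, the widened guard declares grub_lockdown() only for EFI and for powerpc ieee1275, yet the new function in kern/ieee1275/init.c calls it with no matching guard, and that file is also compiled for sparc (it carries an `#ifdef __sparc__` block) while kern/lockdown.c is added to powerpc_ieee1275 only in Makefile.core.def. The other ieee1275 builds therefore depend on whatever the #else branch of this header provides, which is outside the visible context; suggest confirming that sparc64_ieee1275 still builds, or wrapping the function and its call in the same `defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275)` condition. A short comment next to the guard noting that it must stay in step with the Makefile.core.def entry would help the next platform that adds lockdown support.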