From: Claudio Carvalho <cclaudio@linux.ibm.com>
To: linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Michael Ellerman <mpe@ellerman.id.au>,
Paul Mackerras <paulus@samba.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Jeremy Kerr <jk@ozlabs.org>,
Matthew Garret <matthew.garret@nebula.com>,
Claudio Carvalho <cclaudio@linux.ibm.com>,
Nayna Jain <nayna@linux.ibm.com>
Subject: [PATCH 0/4] Enabling secure boot on PowerNV systems
Date: Tue, 2 Apr 2019 15:15:01 -0300 [thread overview]
Message-ID: <20190402181505.25037-1-cclaudio@linux.ibm.com> (raw)
This patch set is part of a series that implements secure boot on
PowerNV systems.
In order to verify the OS kernel on PowerNV, secure boot requires X.509
certificates trusted by the platform, the secure boot modes, and several
other pieces of information. These are stored in secure variables
controlled by OPAL, also known as OPAL secure variables.
This patch set adds the following features:
1. Enable efivarfs by selecting CONFIG_EFI in the CONFIG_OPAL_SECVAR
introduced in this patch set. With CONFIG_EFIVAR_FS, userspace tools can
be used to manage the secure variables.
2. Add support for OPAL secure variables by overwriting the EFI hooks
(get_variable, get_next_variable, set_variable and query_variable_info)
with OPAL call wrappers. There is probably a better way to add this
support, for example, we are investigating if we could register the
efivar_operations rather than overwriting the EFI hooks. In this patch
set, CONFIG_OPAL_SECVAR selects CONFIG_EFI. If, instead, we registered
efivar_operations, CONFIG_EFIVAR_FS would need to depend on
CONFIG_EFI|| CONFIG_OPAL_SECVAR. Comments or suggestions on the
preferred technique would be greatly appreciated.
3. Define IMA arch-specific policies based on the secure boot state and
mode of the system. On secure boot enabled powernv systems, the host OS
kernel signature will be verified by IMA appraisal.
Claudio Carvalho (2):
powerpc/include: Override unneeded early ioremap functions
powerpc/powernv: Add support for OPAL secure variables
Nayna Jain (2):
powerpc/powernv: Detect the secure boot mode of the system
powerpc: Add support to initialize ima policy rules
arch/powerpc/Kconfig | 12 ++
arch/powerpc/include/asm/early_ioremap.h | 41 +++++
arch/powerpc/include/asm/opal-api.h | 6 +-
arch/powerpc/include/asm/opal.h | 10 ++
arch/powerpc/include/asm/secboot.h | 21 +++
arch/powerpc/kernel/Makefile | 1 +
arch/powerpc/kernel/ima_arch.c | 54 ++++++
arch/powerpc/platforms/Kconfig | 3 +
arch/powerpc/platforms/powernv/Kconfig | 9 +
arch/powerpc/platforms/powernv/Makefile | 1 +
arch/powerpc/platforms/powernv/opal-call.c | 4 +
arch/powerpc/platforms/powernv/opal-secvar.c | 179 +++++++++++++++++++
arch/powerpc/platforms/powernv/secboot.c | 54 ++++++
include/linux/ima.h | 3 +-
14 files changed, 396 insertions(+), 2 deletions(-)
create mode 100644 arch/powerpc/include/asm/early_ioremap.h
create mode 100644 arch/powerpc/include/asm/secboot.h
create mode 100644 arch/powerpc/kernel/ima_arch.c
create mode 100644 arch/powerpc/platforms/powernv/opal-secvar.c
create mode 100644 arch/powerpc/platforms/powernv/secboot.c
--
2.20.1
next reply other threads:[~2019-04-02 18:15 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-02 18:15 Claudio Carvalho [this message]
2019-04-02 18:15 ` [PATCH 1/4] powerpc/include: Override unneeded early ioremap functions Claudio Carvalho
2019-04-02 18:15 ` [PATCH 2/4] powerpc/powernv: Add support for OPAL secure variables Claudio Carvalho
2019-04-02 18:15 ` [PATCH 3/4] powerpc/powernv: Detect the secure boot mode of the system Claudio Carvalho
2019-04-02 18:15 ` [PATCH 4/4] powerpc: Add support to initialize ima policy rules Claudio Carvalho
2019-04-02 19:36 ` [PATCH 0/4] Enabling secure boot on PowerNV systems Matthew Garrett
2019-04-02 21:11 ` Claudio Carvalho
2019-04-02 21:51 ` Matthew Garrett
2019-04-02 23:31 ` Claudio Carvalho
2019-04-03 22:27 ` Matthew Garrett
2019-04-05 21:11 ` Claudio Carvalho
2019-04-05 22:19 ` Matthew Garrett
2019-04-09 22:55 ` Claudio Carvalho
2019-04-10 17:36 ` Matthew Garrett
2019-05-10 21:31 ` Claudio Carvalho
2019-05-13 22:06 ` Matthew Garrett
2019-04-03 13:21 ` Michael Ellerman
2019-04-03 21:48 ` Claudio Carvalho
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190402181505.25037-1-cclaudio@linux.ibm.com \
--to=cclaudio@linux.ibm.com \
--cc=ard.biesheuvel@linaro.org \
--cc=benh@kernel.crashing.org \
--cc=jk@ozlabs.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@ozlabs.org \
--cc=matthew.garret@nebula.com \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=paulus@samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).