Linux-Integrity Archive on
From: Lakshmi Ramasubramanian <>
To: Nayna Jain <>,,,
	Michael Ellerman <>,
	Benjamin Herrenschmidt <>,
	Paul Mackerras <>,
	Ard Biesheuvel <>,
	Jeremy Kerr <>,
	Matthew Garret <>,
	Mimi Zohar <>,
	Greg Kroah-Hartman <>,
	George Wilson <>,
	Claudio Carvalho <>,
	Elaine Palmer <>,
	Eric Ricther <>,
	Oliver O'Halloran <>
Subject: Re: [PATCH v9 0/4] powerpc: expose secure variables to the kernel and userspace
Date: Mon, 11 Nov 2019 14:37:40 -0800
Message-ID: <> (raw)
In-Reply-To: <>

On 11/10/19 7:10 PM, Nayna Jain wrote:

Hi Nayna,

> In order to verify the OS kernel on PowerNV systems, secure boot requires
> X.509 certificates trusted by the platform. These are stored in secure
> variables controlled by OPAL, called OPAL secure variables. In order to
> enable users to manage the keys, the secure variables need to be exposed
> to userspace.
Are you planning to split the patches in this patch set into smaller 
chunks so that it is easier to code review and also perhaps make it 
easier when merging the changes?

Just a suggestion - but if folks familiar with this code base don't
have any objections, please feel free to ignore my comment.

Patch #1
  1, opal-api.h which adds the #defines  OPAL_SECVAR_ and the API signature.
  2, secvar.h then adds secvar_operations struct
  3, powerpc/kernel for the Interface definitions
  4, powernv/opal-secvar.c for the API implementations
  5, powernv/opal-call.c for the API calls
  6, powernv/opal.c for the secvar init calls.

Patch #2
  1, Definitions of attribute functions like backend_show, size_show, etc.
  2, secvar_sysfs_load
  3, secvar_sysfs_init
  4, secvar_sysfs_exit


