From: Russell Currey <ruscur@russell.cc>
To: linuxppc-dev@lists.ozlabs.org
Cc: ajd@linux.ibm.com, gregkh@linuxfoundation.org,
nayna@linux.ibm.com, linux-kernel@vger.kernel.org,
zohar@linux.ibm.com, Russell Currey <ruscur@russell.cc>,
gcwilson@linux.ibm.com
Subject: [PATCH 0/6] pseries dynamic secure boot interface using secvar
Date: Wed, 28 Dec 2022 18:29:37 +1100
Message-ID: <20221228072943.429266-1-ruscur@russell.cc>

This series exposes an interface to userspace for reading and writing
secure variables contained within the PowerVM LPAR Platform KeyStore
(PLPKS) for the purpose of configuring dynamic secure boot.

This series builds on past work by Nayna Jain[0] in exposing PLPKS
variables to userspace.  Rather than being a generic interface for
interacting with the keystore, however, we use the existing powerpc
secvar infrastructure to only expose objects in the keystore used
for dynamic secure boot.  This has the benefit of leveraging an
existing interface and making the implementation relatively minimal.

This series needs to be applied on top of Andrew's recent bugfix
series[1].

There are a few relevant details to note about the implementation:

 * New additions to the secvar API, format() and max_size()
 * New optional sysfs directory "config/" for arbitrary ASCII variables
 * Some OPAL-specific code has been relocated from secvar-sysfs.c to
   powernv platform code.  Would appreciate any powernv testing!
 * Variable names are fixed and only those used for secure boot are
   exposed.  This is not a generic PLPKS interface, but also
   doesn't preclude one being added in future.

With this series, both powernv and pseries platforms support dynamic
secure boot through the same interface.

[0]: https://lore.kernel.org/linuxppc-dev/20221106210744.603240-1-nayna@linux.ibm.com/
[1]: https://lore.kernel.org/linuxppc-dev/20221220071626.1426786-1-ajd@linux.ibm.com/

Russell Currey (6):
  powerpc/pseries: Log hcall return codes for PLPKS debug
  powerpc/secvar: WARN_ON_ONCE() if multiple secvar ops are set
  powerpc/secvar: Handle format string in the consumer
  powerpc/secvar: Handle max object size in the consumer
  powerpc/secvar: Extend sysfs to include config vars
  powerpc/pseries: Implement secvars for dynamic secure boot

 Documentation/ABI/testing/sysfs-secvar        |   8 +
 arch/powerpc/include/asm/secvar.h             |   5 +
 arch/powerpc/kernel/secvar-ops.c              |   4 +-
 arch/powerpc/kernel/secvar-sysfs.c            |  76 +++---
 arch/powerpc/platforms/powernv/opal-secvar.c  |  44 +++
 arch/powerpc/platforms/pseries/Kconfig        |  13 +
 arch/powerpc/platforms/pseries/Makefile       |   4 +-
 arch/powerpc/platforms/pseries/plpks-secvar.c | 250 ++++++++++++++++++
 arch/powerpc/platforms/pseries/plpks.c        |   2 +
 9 files changed, 365 insertions(+), 41 deletions(-)
 create mode 100644 arch/powerpc/platforms/pseries/plpks-secvar.c

--
2.38.1