linux-kernel.vger.kernel.org archive mirror
* [PATCH v2] powerpc/pseries: detect secure and trusted boot state of the system.
@ 2020-07-11  2:25 Nayna Jain
  2020-07-14  6:38 ` Daniel Axtens
  0 siblings, 1 reply; 3+ messages in thread
From: Nayna Jain @ 2020-07-11  2:25 UTC (permalink / raw)
  To: linuxppc-dev; +Cc: Michael Ellerman, Mimi Zohar, linux-kernel, Nayna Jain

The device-tree property to check secure and trusted boot state is
different for guests (pseries) compared to baremetal (powernv).

This patch updates the existing is_ppc_secureboot_enabled() and
is_ppc_trustedboot_enabled() functions to add support for pseries.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Daniel Axtens <dja@axtens.net>
---
v2:
* included Michael Ellerman's feedback.
* added Daniel Axtens's Reviewed-by.

 arch/powerpc/kernel/secure_boot.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
index 4b982324d368..efb325cbd42f 100644
--- a/arch/powerpc/kernel/secure_boot.c
+++ b/arch/powerpc/kernel/secure_boot.c
@@ -6,6 +6,7 @@
 #include <linux/types.h>
 #include <linux/of.h>
 #include <asm/secure_boot.h>
+#include <asm/machdep.h>
 
 static struct device_node *get_ppc_fw_sb_node(void)
 {
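
Review bot: the added #include <asm/machdep.h> at the top of the file is not needed by anything else this patch adds. The new code only calls of_property_read_u32() and references of_root, both of which come from <linux/of.h>, which is already included. Drop the include, or say in the changelog which symbol requires it.
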
@@ -23,12 +24,21 @@ bool is_ppc_secureboot_enabled(void)
 {
 	struct device_node *node;
 	bool enabled = false;
+	u32 secureboot;
 
 	node = get_ppc_fw_sb_node();
 	enabled = of_property_read_bool(node, "os-secureboot-enforcing");
-
 	of_node_put(node);
 
+	if (enabled)
+		goto out;
+
+	if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) {
+		if (secureboot)
+			enabled = (secureboot > 1) ? true : false;
+	}
+
+out:
 	pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled");
 
 	return enabled;
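
Review bot: the threshold in 'enabled = (secureboot > 1)' in is_ppc_secureboot_enabled() is an undocumented magic number. As written, an "ibm,secure-boot" value of 1 is logged as "Secure boot mode disabled", and neither the code nor the changelog says what 0, 1 and larger values mean. Add a comment above the property read that documents the values and why 1 does not count as enabled. The enclosing 'if (secureboot)' is also redundant, since secureboot > 1 is already false for 0; 'enabled = (secureboot > 1);' is enough.
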
@@ -38,12 +48,21 @@ bool is_ppc_trustedboot_enabled(void)
 {
 	struct device_node *node;
 	bool enabled = false;
+	u32 trustedboot;
 
 	node = get_ppc_fw_sb_node();
 	enabled = of_property_read_bool(node, "trusted-enabled");
-
 	of_node_put(node);
 
+	if (enabled)
+		goto out;
+
+	if (!of_property_read_u32(of_root, "ibm,trusted-boot", &trustedboot)) {
+		if (trustedboot)
+			enabled = (trustedboot > 0) ? true : false;
+	}
+
+out:
 	pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled");
 
 	return enabled;
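
Review bot: in is_ppc_trustedboot_enabled(), 'if (trustedboot)' and '(trustedboot > 0) ? true : false' test the same condition on a u32, so the block reduces to 'enabled = (trustedboot > 0);'. A one-line comment would also help on why any non-zero "ibm,trusted-boot" value counts as enabled here while "ibm,secure-boot" needs a value above 1, so the asymmetry between the two functions does not read as a typo.
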
-- 
2.26.2



* Re: [PATCH v2] powerpc/pseries: detect secure and trusted boot state of the system.
  2020-07-11  2:25 [PATCH v2] powerpc/pseries: detect secure and trusted boot state of the system Nayna Jain
@ 2020-07-14  6:38 ` Daniel Axtens
  2020-07-14 15:07   ` Mimi Zohar
  0 siblings, 1 reply; 3+ messages in thread
From: Daniel Axtens @ 2020-07-14  6:38 UTC (permalink / raw)
  To: Nayna Jain, linuxppc-dev
  Cc: Michael Ellerman, Mimi Zohar, linux-kernel, Nayna Jain

Hi Nayna,

Thanks! Would you be able to fold in some of the information from my
reply to v1 into the changelog? Until we have a public PAPR release with
it, that information is the extent of the public documentation. It would
be good to get it into the git log rather than just floating around in
the mail archives!

A couple of small nits:

> +	if (enabled)
> +		goto out;
> +
> +	if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) {
> +		if (secureboot)
> +			enabled = (secureboot > 1) ? true : false;
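
Review bot: the 'if (enabled) goto out;' pair at the top of this hunk only skips the single block that follows, so the label is not needed. Writing the condition as 'if (!enabled && !of_property_read_u32(of_root, "ibm,secure-boot", &secureboot))' keeps the same behaviour with straight-line flow into the pr_info(). The same applies to the trusted-boot function.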

Your tests double up here - you don't need both the 'if' statement and
the 'secureboot > 1' ternary operator.

Just

+	if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) {
+		enabled = (secureboot > 1) ? true : false;

or even

+	if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) {
+		enabled = (secureboot > 1);

would work.

> +	if (!of_property_read_u32(of_root, "ibm,trusted-boot", &trustedboot)) {
> +		if (trustedboot)
> +			enabled = (trustedboot > 0) ? true : false;

Likewise for trusted boot.

Regards,
Daniel

P.S. please could you add me to the cc: list for future revisions?

> +	}
> +
> +out:
>  	pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled");
>  
>  	return enabled;
> -- 
> 2.26.2


* Re: [PATCH v2] powerpc/pseries: detect secure and trusted boot state of the system.
  2020-07-14  6:38 ` Daniel Axtens
@ 2020-07-14 15:07   ` Mimi Zohar
  0 siblings, 0 replies; 3+ messages in thread
From: Mimi Zohar @ 2020-07-14 15:07 UTC (permalink / raw)
  To: Daniel Axtens, Nayna Jain, linuxppc-dev; +Cc: Michael Ellerman, linux-kernel

On Tue, 2020-07-14 at 16:38 +1000, Daniel Axtens wrote:
> Hi Nayna,
> 
> Thanks! Would you be able to fold in some of the information from my
> reply to v1 into the changelog? Until we have a public PAPR release with
> it, that information is the extent of the public documentation. It would
> be good to get it into the git log rather than just floating around in
> the mail archives!
> 
> A couple of small nits:
> 
> > +	if (enabled)
> > +		goto out;
> > +
> > +	if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) {
> > +		if (secureboot)
> > +			enabled = (secureboot > 1) ? true : false;
> 
> Your tests double up here - you don't need both the 'if' statement and
> the 'secureboot > 1' ternary operator.
> 
> Just
> 
> +	if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) {
> +		enabled = (secureboot > 1) ? true : false;
> 
> or even
> 
> +	if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) {
> +		enabled = (secureboot > 1);
> 
> would work.

I haven't been following this thread, which might be the reason I'm
missing something here.  The patch description should explain why the
test is for "(secureboot > 1)", rather than a fixed number.

thanks,

Mimi
