From: Nayna Jain <nayna@linux.ibm.com> To: linuxppc-dev@ozlabs.org Cc: Michael Ellerman <mpe@ellerman.id.au>, Mimi Zohar <zohar@linux.ibm.com>, Daniel Axtens <dja@axtens.net>, linux-kernel@vger.kernel.org, Nayna Jain <nayna@linux.ibm.com> Subject: [PATCH v3] powerpc/pseries: detect secure and trusted boot state of the system. Date: Wed, 15 Jul 2020 07:52:01 -0400 [thread overview] Message-ID: <1594813921-12425-1-git-send-email-nayna@linux.ibm.com> (raw) The device-tree property to check secure and trusted boot state is different for guests(pseries) compared to baremetal(powernv). This patch updates the existing is_ppc_secureboot_enabled() and is_ppc_trustedboot_enabled() functions to add support for pseries. The secureboot and trustedboot state are exposed via device-tree property: /proc/device-tree/ibm,secure-boot and /proc/device-tree/ibm,trusted-boot The values of ibm,secure-boot under pseries are interpreted as: 0 - Disabled 1 - Enabled in Log-only mode. This patch interprets this value as disabled, since audit mode is currently not supported for Linux. 2 - Enabled and enforced. 3-9 - Enabled and enforcing; requirements are at the discretion of the operating system. The values of ibm,trusted-boot under pseries are interpreted as: 0 - Disabled 1 - Enabled Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-by: Daniel Axtens <dja@axtens.net> --- v3: * fixed double check. Thanks Daniel for noticing it. * updated patch description. v2: * included Michael Ellerman's feedback. * added Daniel Axtens's Reviewed-by. arch/powerpc/kernel/secure_boot.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c index 4b982324d368..118bcb5f79c4 100644 --- a/arch/powerpc/kernel/secure_boot.c +++ b/arch/powerpc/kernel/secure_boot.c @@ -6,6 +6,7 @@ #include <linux/types.h> #include <linux/of.h> #include <asm/secure_boot.h> +#include <asm/machdep.h> static struct device_node *get_ppc_fw_sb_node(void) { @@ -23,12 +24,19 @@ bool is_ppc_secureboot_enabled(void) { struct device_node *node; bool enabled = false; + u32 secureboot; node = get_ppc_fw_sb_node(); enabled = of_property_read_bool(node, "os-secureboot-enforcing"); - of_node_put(node); + if (enabled) + goto out; + + if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) + enabled = (secureboot > 1); + +out: pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); return enabled; @@ -38,12 +46,19 @@ bool is_ppc_trustedboot_enabled(void) { struct device_node *node; bool enabled = false; + u32 trustedboot; node = get_ppc_fw_sb_node(); enabled = of_property_read_bool(node, "trusted-enabled"); - of_node_put(node); + if (enabled) + goto out; + + if (!of_property_read_u32(of_root, "ibm,trusted-boot", &trustedboot)) + enabled = (trustedboot > 0); + +out: pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled"); return enabled; -- 2.26.2
WARNING: multiple messages have this Message-ID (diff)
From: Nayna Jain <nayna@linux.ibm.com> To: linuxppc-dev@ozlabs.org Cc: Nayna Jain <nayna@linux.ibm.com>, linux-kernel@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>, Daniel Axtens <dja@axtens.net> Subject: [PATCH v3] powerpc/pseries: detect secure and trusted boot state of the system. Date: Wed, 15 Jul 2020 07:52:01 -0400 [thread overview] Message-ID: <1594813921-12425-1-git-send-email-nayna@linux.ibm.com> (raw) The device-tree property to check secure and trusted boot state is different for guests(pseries) compared to baremetal(powernv). This patch updates the existing is_ppc_secureboot_enabled() and is_ppc_trustedboot_enabled() functions to add support for pseries. The secureboot and trustedboot state are exposed via device-tree property: /proc/device-tree/ibm,secure-boot and /proc/device-tree/ibm,trusted-boot The values of ibm,secure-boot under pseries are interpreted as: 0 - Disabled 1 - Enabled in Log-only mode. This patch interprets this value as disabled, since audit mode is currently not supported for Linux. 2 - Enabled and enforced. 3-9 - Enabled and enforcing; requirements are at the discretion of the operating system. The values of ibm,trusted-boot under pseries are interpreted as: 0 - Disabled 1 - Enabled Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-by: Daniel Axtens <dja@axtens.net> --- v3: * fixed double check. Thanks Daniel for noticing it. * updated patch description. v2: * included Michael Ellerman's feedback. * added Daniel Axtens's Reviewed-by. arch/powerpc/kernel/secure_boot.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c index 4b982324d368..118bcb5f79c4 100644 --- a/arch/powerpc/kernel/secure_boot.c +++ b/arch/powerpc/kernel/secure_boot.c @@ -6,6 +6,7 @@ #include <linux/types.h> #include <linux/of.h> #include <asm/secure_boot.h> +#include <asm/machdep.h> static struct device_node *get_ppc_fw_sb_node(void) { @@ -23,12 +24,19 @@ bool is_ppc_secureboot_enabled(void) { struct device_node *node; bool enabled = false; + u32 secureboot; node = get_ppc_fw_sb_node(); enabled = of_property_read_bool(node, "os-secureboot-enforcing"); - of_node_put(node); + if (enabled) + goto out; + + if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) + enabled = (secureboot > 1); + +out: pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); return enabled; @@ -38,12 +46,19 @@ bool is_ppc_trustedboot_enabled(void) { struct device_node *node; bool enabled = false; + u32 trustedboot; node = get_ppc_fw_sb_node(); enabled = of_property_read_bool(node, "trusted-enabled"); - of_node_put(node); + if (enabled) + goto out; + + if (!of_property_read_u32(of_root, "ibm,trusted-boot", &trustedboot)) + enabled = (trustedboot > 0); + +out: pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled"); return enabled; -- 2.26.2
next reply other threads:[~2020-07-15 11:52 UTC|newest] Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-07-15 11:52 Nayna Jain [this message] 2020-07-15 11:52 ` [PATCH v3] powerpc/pseries: detect secure and trusted boot state of the system Nayna Jain 2020-07-15 16:54 ` Mimi Zohar 2020-07-15 16:54 ` Mimi Zohar 2020-07-16 0:49 ` Daniel Axtens 2020-07-16 0:49 ` Daniel Axtens 2020-07-16 4:53 ` Michael Ellerman 2020-07-16 4:53 ` Michael Ellerman 2020-07-16 8:13 ` Michal Suchánek 2020-07-17 5:58 ` Daniel Axtens 2020-07-17 8:35 ` Michal Suchánek 2020-07-17 8:35 ` Michal Suchánek 2020-07-16 12:56 ` Michael Ellerman 2020-07-16 12:56 ` Michael Ellerman
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1594813921-12425-1-git-send-email-nayna@linux.ibm.com \ --to=nayna@linux.ibm.com \ --cc=dja@axtens.net \ --cc=linux-kernel@vger.kernel.org \ --cc=linuxppc-dev@ozlabs.org \ --cc=mpe@ellerman.id.au \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.