[PATCH v3 24/24] integrity/powerpc: Support loading keys from pseries secvar

From: Andrew Donnellan
Date: Wed Jan 18 2023 - 01:31:12 EST

Next message: Andrew Donnellan: "[PATCH v3 14/24] powerpc/pseries: Fix alignment of PLPKS structures and buffers"
Previous message: Andrew Donnellan: "[PATCH v3 20/24] powerpc/pseries: Add helpers to get PLPKS password"
In reply to: Andrew Donnellan: "[PATCH v3 20/24] powerpc/pseries: Add helpers to get PLPKS password"
Next in thread: Andrew Donnellan: "[PATCH v3 14/24] powerpc/pseries: Fix alignment of PLPKS structures and buffers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Russell Currey <ruscur@xxxxxxxxxx>

The secvar object format is only in the device tree under powernv.
We now have an API call to retrieve it in a generic way, so we should
use that instead of having to handle the DT here.

Add support for pseries secvar, with the "ibm,plpks-sb-v1" format.
The object format is expected to be the same, so there shouldn't be any
functional differences between objects retrieved from powernv and
pseries.

Signed-off-by: Russell Currey <ruscur@xxxxxxxxxx>
Signed-off-by: Andrew Donnellan <ajd@xxxxxxxxxxxxx>

---

v3: New patch
---
.../integrity/platform_certs/load_powerpc.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
index dee51606d5f4..8fa899616d92 100644
--- a/security/integrity/platform_certs/load_powerpc.c
+++ b/security/integrity/platform_certs/load_powerpc.c
@@ -10,7 +10,6 @@
#include <linux/cred.h>
#include <linux/err.h>
#include <linux/slab.h>
-#include <linux/of.h>
#include <asm/secure_boot.h>
#include <asm/secvar.h>
#include "keyring_handler.h"
@@ -59,16 +58,22 @@ static int __init load_powerpc_certs(void)
void *db = NULL, *dbx = NULL;
u64 dbsize = 0, dbxsize = 0;
int rc = 0;
- struct device_node *node;
+ ssize_t len;
+ char buf[SECVAR_MAX_FORMAT_LEN];

if (!secvar_ops)
return -ENODEV;

- /* The following only applies for the edk2-compat backend. */
- node = of_find_compatible_node(NULL, NULL, "ibm,edk2-compat-v1");
- if (!node)
+ len = secvar_ops->format(buf);
+ if (len <= 0)
return -ENODEV;

+ // Check for known secure boot implementations from OPAL or PLPKS
+ if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf)) {
+ pr_err("Unsupported secvar implementation \"%s\", not loading certs\n", buf);
+ return -ENODEV;
+ }
+
/*
* Get db, and dbx. They might not exist, so it isn't an error if we
* can't get them.
@@ -103,8 +108,6 @@ static int __init load_powerpc_certs(void)
kfree(dbx);
}

- of_node_put(node);
-
return rc;
}
late_initcall(load_powerpc_certs);
--
2.39.0

Next message: Andrew Donnellan: "[PATCH v3 14/24] powerpc/pseries: Fix alignment of PLPKS structures and buffers"
Previous message: Andrew Donnellan: "[PATCH v3 20/24] powerpc/pseries: Add helpers to get PLPKS password"
In reply to: Andrew Donnellan: "[PATCH v3 20/24] powerpc/pseries: Add helpers to get PLPKS password"
Next in thread: Andrew Donnellan: "[PATCH v3 14/24] powerpc/pseries: Fix alignment of PLPKS structures and buffers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]