Commit c1d96cd9 authored by Srish Srinivasan's avatar Srish Srinivasan Committed by Madhavan Srinivasan

powerpc/secvar: Expose secvars relevant to the key management mode
The PLPKS-enabled PowerVM LPAR sysfs exposes all of the secure boot
secvars irrespective of the key management mode.

The PowerVM LPAR supports static and dynamic key management for secure
boot. The key management option can be updated in the management
console. The secvars PK, trustedcadb, and moduledb can be consumed both
in the static and dynamic key management modes for the loading of signed
third-party kernel modules. However, other secvars i.e. KEK, grubdb,
grubdbx, sbat, db and dbx, which are used to verify the grub and kernel
images, are consumed only in the dynamic key management mode.

Expose only PK, trustedcadb, and moduledb in the static key management
mode.

Co-developed-by: Souradeep <soura@imap.linux.ibm.com>
Signed-off-by: Souradeep <soura@imap.linux.ibm.com>
Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250610211907.101384-3-ssrish@linux.ibm.com
parent fbf355f3
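The commit message above spells out which secvars a PowerVM LPAR should expose in each key management mode: PK, trustedcadb and moduledb in both modes, and KEK, db, dbx, grubdb, grubdbx and sbat only in dynamic mode. The following script is an added example, not part of the kernel commit, that an administrator can use to list the secvar directories under the documented sysfs path and check that the exposed set matches the mode configured in the management console (the mode itself is not read from the kernel here; it is passed in). It assumes only the `/sys/firmware/secvar/vars/<variable_name>/` layout from the ABI text; the sample directory trees it builds for offline use are constructed.

```shell
#!/bin/sh
# Added example (not from the kernel commit): audit which secure boot secvars a
# PowerVM LPAR exposes and compare them with the expected set for the
# key management mode. Assumes the sysfs layout /sys/firmware/secvar/vars/<name>/.

SECVAR_DIR="${SECVAR_DIR:-/sys/firmware/secvar/vars}"

# secvars consumed in both static and dynamic mode (from the commit message)
COMMON_VARS="PK trustedcadb moduledb"
# secvars consumed only in the dynamic key management mode
DYNAMIC_ONLY_VARS="KEK db dbx grubdb grubdbx sbat"

# list_secvars DIR: print the name of every exposed secvar directory, one per line
list_secvars() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for d in "$dir"/*/; do
        [ -d "$d" ] || continue
        basename "$d"
    done
}

# infer_mode DIR: "dynamic" if any dynamic-only secvar is exposed, "static" if
# exactly the common set is present, "unknown" otherwise. This only reports
# what the kernel exposes; the configured mode must be confirmed separately.
infer_mode() {
    names="$(list_secvars "$1")" || { echo unknown; return 1; }
    for v in $DYNAMIC_ONLY_VARS; do
        echo "$names" | grep -qx "$v" && { echo dynamic; return 0; }
    done
    for v in $COMMON_VARS; do
        echo "$names" | grep -qx "$v" || { echo unknown; return 1; }
    done
    echo static
}

# check_expected_set DIR MODE: compare the exposed names with the set the
# kernel should expose for MODE; print "unexpected: X" / "missing: X" lines
# and return 1 when the sets differ, 0 when they match.
check_expected_set() {
    dir="$1"; mode="$2"
    names="$(list_secvars "$dir")" || return 1
    case "$mode" in
        static)  expected="$COMMON_VARS" ;;
        dynamic) expected="$COMMON_VARS $DYNAMIC_ONLY_VARS" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    rc=0
    for v in $names; do
        echo "$expected" | tr ' ' '\n' | grep -qx "$v" || { echo "unexpected: $v"; rc=1; }
    done
    for v in $expected; do
        echo "$names" | grep -qx "$v" || { echo "missing: $v"; rc=1; }
    done
    return $rc
}

# make_sample_tree ROOT NAME...: constructed sysfs-like tree for offline runs
make_sample_tree() {
    root="$1"; shift
    for v in "$@"; do mkdir -p "$root/$v"; done
}

# Usage on a live LPAR: ./secvar_audit.sh --live [static|dynamic]
if [ "${1:-}" = "--live" ]; then
    echo "exposed secvars:"; list_secvars "$SECVAR_DIR"
    echo "implied mode: $(infer_mode "$SECVAR_DIR")"
    [ -n "${2:-}" ] && check_expected_set "$SECVAR_DIR" "$2"
fi
```

On a live system, a non-empty `unexpected:` line for the static mode (for example a `db` directory showing up) is the symptom this commit removes: dynamic-only secvars being exposed although the LPAR is in static key management mode.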
+7 −0
@@ -38,6 +38,13 @@ Description: Each secure variable is represented as a directory named as
		representation. The data and size can be determined by reading
		their respective attribute files.

		Only secvars relevant to the key management mode are exposed.
		Only in the dynamic key management mode should the user have
		access (read and write) to the secure boot secvars db, dbx,
		grubdb, grubdbx, and sbat. These secvars are not consumed in the
		static key management mode. PK, trustedcadb and moduledb are the
		secvars common to both static and dynamic key management modes.

What:		/sys/firmware/secvar/vars/<variable_name>/size
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
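Review bot: the dynamic-only list in this hunk ("db, dbx, grubdb, grubdbx, and sbat") omits KEK, which the commit message counts among the secvars consumed only in the dynamic key management mode; add KEK so the ABI text matches the set the kernel actually hides in static mode. The sentence "Only in the dynamic key management mode should the user have access (read and write) to ..." also reads as a recommendation rather than a description of the interface; state what the kernel does, for example "In the static key management mode only PK, trustedcadb and moduledb are exposed; KEK, db, dbx, grubdb, grubdbx and sbat are exposed only in the dynamic key management mode."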
+24 −4
@@ -59,7 +59,14 @@ static u32 get_policy(const char *name)
		return PLPKS_SIGNEDUPDATE;
}

static const char * const plpks_var_names[] = {
static const char * const plpks_var_names_static[] = {
	"PK",
	"moduledb",
	"trustedcadb",
	NULL,
};

static const char * const plpks_var_names_dynamic[] = {
	"PK",
	"KEK",
	"db",
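Review bot: neither name table carries a comment saying which key management mode it serves, or that plpks_var_names_static is meant to be the mode-independent subset of plpks_var_names_dynamic and must stay in step with the list in the sysfs ABI documentation changed by this patch; a one-line comment above each array ("secvars exposed in static key management mode; must be a subset of plpks_var_names_dynamic") would keep a later addition to one table only from silently diverging from the documented set.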
@@ -213,21 +220,34 @@ static int plpks_max_size(u64 *max_size)
	return 0;
}

static const struct secvar_operations plpks_secvar_ops_static = {
	.get = plpks_get_variable,
	.set = plpks_set_variable,
	.format = plpks_secvar_format,
	.max_size = plpks_max_size,
	.config_attrs = config_attrs,
	.var_names = plpks_var_names_static,
};

static const struct secvar_operations plpks_secvar_ops = {
static const struct secvar_operations plpks_secvar_ops_dynamic = {
	.get = plpks_get_variable,
	.set = plpks_set_variable,
	.format = plpks_secvar_format,
	.max_size = plpks_max_size,
	.config_attrs = config_attrs,
	.var_names = plpks_var_names,
	.var_names = plpks_var_names_dynamic,
};

static int plpks_secvar_init(void)
{
	u8 mode;

	if (!plpks_is_available())
		return -ENODEV;

	return set_secvar_ops(&plpks_secvar_ops);
	mode = plpks_get_sb_keymgmt_mode();
	if (mode)
		return set_secvar_ops(&plpks_secvar_ops_dynamic);
	return set_secvar_ops(&plpks_secvar_ops_static);
}
machine_device_initcall(pseries, plpks_secvar_init);
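Review bot: `if (mode)` in plpks_secvar_init() treats every non-zero value returned by plpks_get_sb_keymgmt_mode() as the dynamic mode, with no named constant or comment saying which value means what; compare against the constant that denotes dynamic mode (or at least add a comment stating that 0 means static) so that a future third mode, or a mode read that yields an unexpected value, is not silently treated as dynamic, since that would expose the dynamic-only secvars (KEK, db, dbx, grubdb, grubdbx, sbat) on an LPAR that should hide them. Also, plpks_secvar_ops_static and plpks_secvar_ops_dynamic differ only in .var_names; a comment noting this would make the intent of the duplicated initialisers clear.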