Message ID | 1594813921-12425-1-git-send-email-nayna@linux.ibm.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 61f879d97ce4510dd29d676a20d67692e3b34806 |
Series | [v3] powerpc/pseries: detect secure and trusted boot state of the system. |

Context | Check | Description |
---|---|---|
snowpatch_ozlabs/apply_patch | success | Successfully applied on branch powerpc/merge (58a4eb09c4aebaaffa8b4517c71543a41539c096) |
snowpatch_ozlabs/build-ppc64le | success | Build succeeded |
snowpatch_ozlabs/build-ppc64be | success | Build succeeded |
snowpatch_ozlabs/build-ppc64e | success | Build succeeded |
snowpatch_ozlabs/build-pmac32 | success | Build succeeded |
snowpatch_ozlabs/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 47 lines checked |
snowpatch_ozlabs/needsstable | success | Patch has no Fixes tags |
On Wed, 2020-07-15 at 07:52 -0400, Nayna Jain wrote:
> The device-tree property to check secure and trusted boot state is
> different for guests(pseries) compared to baremetal(powernv).
>
> This patch updates the existing is_ppc_secureboot_enabled() and
> is_ppc_trustedboot_enabled() functions to add support for pseries.
>
> The secureboot and trustedboot state are exposed via device-tree property:
> /proc/device-tree/ibm,secure-boot and /proc/device-tree/ibm,trusted-boot
>
> The values of ibm,secure-boot under pseries are interpreted as:
>
> 0 - Disabled
> 1 - Enabled in Log-only mode. This patch interprets this value as
> disabled, since audit mode is currently not supported for Linux.
> 2 - Enabled and enforced.
> 3-9 - Enabled and enforcing; requirements are at the discretion of the
> operating system.
>
> The values of ibm,trusted-boot under pseries are interpreted as:
> 0 - Disabled
> 1 - Enabled
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> Reviewed-by: Daniel Axtens <dja@axtens.net>

Thanks for updating the patch description.

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
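
The value tables in the patch description above can be checked from userspace. The C program below is an added example, not part of the patch or of the kernel tree: it decodes the two properties as big-endian 32-bit device-tree cells and keeps log-only mode (1) apart from disabled (0). The function and enum names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

enum sb_state { SB_ABSENT, SB_DISABLED, SB_LOG_ONLY, SB_ENFORCING }; /* 0..3 */

/* Device-tree cells are 4 bytes, big-endian; returns 0 on success. */
static int dt_cell_u32(const unsigned char *buf, size_t len, uint32_t *out)
{
	if (len < 4)
		return -1;	/* missing, empty or truncated property */
	*out = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
	       ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
	return 0;
}

/* ibm,secure-boot: the patch treats both 0 and 1 as "disabled"; split them here. */
static enum sb_state secure_boot_state(const unsigned char *buf, size_t len)
{
	uint32_t v;
	if (dt_cell_u32(buf, len, &v))
		return SB_ABSENT;
	return v == 0 ? SB_DISABLED : v == 1 ? SB_LOG_ONLY : SB_ENFORCING;
}

/* ibm,trusted-boot: any non-zero value counts as enabled, as in the patch. */
static int trusted_boot_enabled(const unsigned char *buf, size_t len)
{
	uint32_t v;
	return dt_cell_u32(buf, len, &v) == 0 && v > 0;
}

/* Reads up to cap bytes of a property file; returns 0 if it cannot be opened. */
static size_t read_prop(const char *path, unsigned char *buf, size_t cap)
{
	FILE *f = fopen(path, "rb");
	size_t n = f ? fread(buf, 1, cap, f) : 0;
	if (f)
		fclose(f);
	return n;
}

int main(void)
{
	unsigned char b[4];
	size_t n = read_prop("/proc/device-tree/ibm,secure-boot", b, sizeof(b));
	printf("ibm,secure-boot state: %d\n", secure_boot_state(b, n));
	n = read_prop("/proc/device-tree/ibm,trusted-boot", b, sizeof(b));
	printf("ibm,trusted-boot enabled: %d\n", trusted_boot_enabled(b, n));
	return 0;
}
```

On a system without these properties the program reports state 0 (absent) and trusted boot 0, matching the kernel's default of `enabled = false`.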
Hi Nayna, Looks good to me. Sorry for not noticing this before, but I think > +#include <asm/machdep.h> is now superfluous (I think it's leftover from the machine_is version?). Maybe mpe will take pity on you and remove it when he picks up your patch. Kind regards, Daniel > > static struct device_node *get_ppc_fw_sb_node(void) > { > @@ -23,12 +24,19 @@ bool is_ppc_secureboot_enabled(void) > { > struct device_node *node; > bool enabled = false; > + u32 secureboot; > > node = get_ppc_fw_sb_node(); > enabled = of_property_read_bool(node, "os-secureboot-enforcing"); > - > of_node_put(node); > > + if (enabled) > + goto out; > + > + if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) > + enabled = (secureboot > 1); > + > +out: > pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); > > return enabled; > @@ -38,12 +46,19 @@ bool is_ppc_trustedboot_enabled(void) > { > struct device_node *node; > bool enabled = false; > + u32 trustedboot; > > node = get_ppc_fw_sb_node(); > enabled = of_property_read_bool(node, "trusted-enabled"); > - > of_node_put(node); > > + if (enabled) > + goto out; > + > + if (!of_property_read_u32(of_root, "ibm,trusted-boot", &trustedboot)) > + enabled = (trustedboot > 0); > + > +out: > pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled"); > > return enabled; > -- > 2.26.2
Daniel Axtens <dja@axtens.net> writes:
> Hi Nayna,
>
> Looks good to me.
>
> Sorry for not noticing this before, but I think
>> +#include <asm/machdep.h>
> is now superfluous (I think it's leftover from the machine_is
> version?). Maybe mpe will take pity on you and remove it when he picks
> up your patch.

Yeah I did that.

cheers
On Wed, Jul 15, 2020 at 07:52:01AM -0400, Nayna Jain wrote: > The device-tree property to check secure and trusted boot state is > different for guests(pseries) compared to baremetal(powernv). > > This patch updates the existing is_ppc_secureboot_enabled() and > is_ppc_trustedboot_enabled() functions to add support for pseries. > > The secureboot and trustedboot state are exposed via device-tree property: > /proc/device-tree/ibm,secure-boot and /proc/device-tree/ibm,trusted-boot > > The values of ibm,secure-boot under pseries are interpreted as: ^^^ > > 0 - Disabled > 1 - Enabled in Log-only mode. This patch interprets this value as > disabled, since audit mode is currently not supported for Linux. > 2 - Enabled and enforced. > 3-9 - Enabled and enforcing; requirements are at the discretion of the > operating system. > > The values of ibm,trusted-boot under pseries are interpreted as: ^^^ These two should be different I suppose? Thanks Michal > 0 - Disabled > 1 - Enabled > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> > Reviewed-by: Daniel Axtens <dja@axtens.net> > --- > v3: > * fixed double check. Thanks Daniel for noticing it. > * updated patch description. > > v2: > * included Michael Ellerman's feedback. > * added Daniel Axtens's Reviewed-by. > > arch/powerpc/kernel/secure_boot.c | 19 +++++++++++++++++-- > 1 file changed, 17 insertions(+), 2 deletions(-) > > diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c > index 4b982324d368..118bcb5f79c4 100644 > --- a/arch/powerpc/kernel/secure_boot.c > +++ b/arch/powerpc/kernel/secure_boot.c > @@ -6,6 +6,7 @@ > #include <linux/types.h> > #include <linux/of.h> > #include <asm/secure_boot.h> > +#include <asm/machdep.h> > > static struct device_node *get_ppc_fw_sb_node(void) > { 
> @@ -23,12 +24,19 @@ bool is_ppc_secureboot_enabled(void) > { > struct device_node *node; > bool enabled = false; > + u32 secureboot; > > node = get_ppc_fw_sb_node(); > enabled = of_property_read_bool(node, "os-secureboot-enforcing"); > - > of_node_put(node); > > + if (enabled) > + goto out; > + > + if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) > + enabled = (secureboot > 1); > + > +out: > pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); > > return enabled; > @@ -38,12 +46,19 @@ bool is_ppc_trustedboot_enabled(void) > { > struct device_node *node; > bool enabled = false; > + u32 trustedboot; > > node = get_ppc_fw_sb_node(); > enabled = of_property_read_bool(node, "trusted-enabled"); > - > of_node_put(node); > > + if (enabled) > + goto out; > + > + if (!of_property_read_u32(of_root, "ibm,trusted-boot", &trustedboot)) > + enabled = (trustedboot > 0); > + > +out: > pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled"); > > return enabled; > -- > 2.26.2 >
On Wed, 15 Jul 2020 07:52:01 -0400, Nayna Jain wrote:
> The device-tree property to check secure and trusted boot state is
> different for guests(pseries) compared to baremetal(powernv).
>
> This patch updates the existing is_ppc_secureboot_enabled() and
> is_ppc_trustedboot_enabled() functions to add support for pseries.
>
> The secureboot and trustedboot state are exposed via device-tree property:
> /proc/device-tree/ibm,secure-boot and /proc/device-tree/ibm,trusted-boot
>
> [...]

Applied to powerpc/next.

[1/1] powerpc/pseries: Detect secure and trusted boot state of the system.
      https://git.kernel.org/powerpc/c/61f879d97ce4510dd29d676a20d67692e3b34806

cheers
Michal Suchánek <msuchanek@suse.de> writes: > On Wed, Jul 15, 2020 at 07:52:01AM -0400, Nayna Jain wrote: >> The device-tree property to check secure and trusted boot state is >> different for guests(pseries) compared to baremetal(powernv). >> >> This patch updates the existing is_ppc_secureboot_enabled() and >> is_ppc_trustedboot_enabled() functions to add support for pseries. >> >> The secureboot and trustedboot state are exposed via device-tree property: >> /proc/device-tree/ibm,secure-boot and /proc/device-tree/ibm,trusted-boot >> >> The values of ibm,secure-boot under pseries are interpreted as: > ^^^ >> >> 0 - Disabled >> 1 - Enabled in Log-only mode. This patch interprets this value as >> disabled, since audit mode is currently not supported for Linux. >> 2 - Enabled and enforced. >> 3-9 - Enabled and enforcing; requirements are at the discretion of the >> operating system. >> >> The values of ibm,trusted-boot under pseries are interpreted as: > ^^^ > These two should be different I suppose? I'm not quite sure what you mean? They'll be documented in a future revision of the PAPR, once I get my act together and submit the relevant internal paperwork. Daniel > > Thanks > > Michal >> 0 - Disabled >> 1 - Enabled >> >> Signed-off-by: Nayna Jain <nayna@linux.ibm.com> >> Reviewed-by: Daniel Axtens <dja@axtens.net> >> --- >> v3: >> * fixed double check. Thanks Daniel for noticing it. >> * updated patch description. >> >> v2: >> * included Michael Ellerman's feedback. >> * added Daniel Axtens's Reviewed-by. >> >> arch/powerpc/kernel/secure_boot.c | 19 +++++++++++++++++-- >> 1 file changed, 17 insertions(+), 2 deletions(-) >> >> diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c >> index 4b982324d368..118bcb5f79c4 100644 >> --- a/arch/powerpc/kernel/secure_boot.c >> +++ b/arch/powerpc/kernel/secure_boot.c 
>> @@ -6,6 +6,7 @@ >> #include <linux/types.h> >> #include <linux/of.h> >> #include <asm/secure_boot.h> >> +#include <asm/machdep.h> >> >> static struct device_node *get_ppc_fw_sb_node(void) >> { >> @@ -23,12 +24,19 @@ bool is_ppc_secureboot_enabled(void) >> { >> struct device_node *node; >> bool enabled = false; >> + u32 secureboot; >> >> node = get_ppc_fw_sb_node(); >> enabled = of_property_read_bool(node, "os-secureboot-enforcing"); >> - >> of_node_put(node); >> >> + if (enabled) >> + goto out; >> + >> + if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) >> + enabled = (secureboot > 1); >> + >> +out: >> pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); >> >> return enabled; >> @@ -38,12 +46,19 @@ bool is_ppc_trustedboot_enabled(void) >> { >> struct device_node *node; >> bool enabled = false; >> + u32 trustedboot; >> >> node = get_ppc_fw_sb_node(); >> enabled = of_property_read_bool(node, "trusted-enabled"); >> - >> of_node_put(node); >> >> + if (enabled) >> + goto out; >> + >> + if (!of_property_read_u32(of_root, "ibm,trusted-boot", &trustedboot)) >> + enabled = (trustedboot > 0); >> + >> +out: >> pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled"); >> >> return enabled; >> -- >> 2.26.2 >>
On Fri, Jul 17, 2020 at 03:58:01PM +1000, Daniel Axtens wrote:
> Michal Suchánek <msuchanek@suse.de> writes:
>
> > On Wed, Jul 15, 2020 at 07:52:01AM -0400, Nayna Jain wrote:
> >> The device-tree property to check secure and trusted boot state is
> >> different for guests(pseries) compared to baremetal(powernv).
> >>
> >> This patch updates the existing is_ppc_secureboot_enabled() and
> >> is_ppc_trustedboot_enabled() functions to add support for pseries.
> >>
> >> The secureboot and trustedboot state are exposed via device-tree property:
> >> /proc/device-tree/ibm,secure-boot and /proc/device-tree/ibm,trusted-boot
> >>
> >> The values of ibm,secure-boot under pseries are interpreted as:
> > ^^^
> >>
> >> 0 - Disabled
> >> 1 - Enabled in Log-only mode. This patch interprets this value as
> >> disabled, since audit mode is currently not supported for Linux.
> >> 2 - Enabled and enforced.
> >> 3-9 - Enabled and enforcing; requirements are at the discretion of the
> >> operating system.
> >>
> >> The values of ibm,trusted-boot under pseries are interpreted as:
> > ^^^
> > These two should be different I suppose?
>
> I'm not quite sure what you mean? They'll be documented in a future
> revision of the PAPR, once I get my act together and submit the
> relevant internal paperwork.

Nevermind, one talks about secure boot, the other about trusted boot.

Thanks

Michal
diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c index 4b982324d368..118bcb5f79c4 100644 --- a/arch/powerpc/kernel/secure_boot.c +++ b/arch/powerpc/kernel/secure_boot.c @@ -6,6 +6,7 @@ #include <linux/types.h> #include <linux/of.h> #include <asm/secure_boot.h> +#include <asm/machdep.h> static struct device_node *get_ppc_fw_sb_node(void) { @@ -23,12 +24,19 @@ bool is_ppc_secureboot_enabled(void) { struct device_node *node; bool enabled = false; + u32 secureboot; node = get_ppc_fw_sb_node(); enabled = of_property_read_bool(node, "os-secureboot-enforcing"); - of_node_put(node); + if (enabled) + goto out; + + if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) + enabled = (secureboot > 1); + +out: pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); return enabled; @@ -38,12 +46,19 @@ bool is_ppc_trustedboot_enabled(void) { struct device_node *node; bool enabled = false; + u32 trustedboot; node = get_ppc_fw_sb_node(); enabled = of_property_read_bool(node, "trusted-enabled"); - of_node_put(node); + if (enabled) + goto out; + + if (!of_property_read_u32(of_root, "ibm,trusted-boot", &trustedboot)) + enabled = (trustedboot > 0); + +out: pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled"); return enabled;
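
Review bot: the `#include <asm/machdep.h>` added in the first hunk (@@ -6,6 +6,7 @@) is not needed by anything the later hunks add. The new code only calls of_property_read_u32() on of_root, and <linux/of.h> is already included in the context lines. Drop the include so the file does not gain an unused header dependency.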
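
Review bot: in is_ppc_secureboot_enabled() the line `enabled = (secureboot > 1);` holds the whole policy for ibm,secure-boot in a bare constant, and nothing in the code says that value 1 is deliberately treated as disabled. Add a short comment above the comparison stating which values count as enforcing and why 1 does not, or use a named constant, so the rule does not live only in the commit message. As written, pr_info() also logs "Secure boot mode disabled" when the property is 1, so the boot log cannot distinguish that case from a property value of 0.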
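
Review bot: in is_ppc_trustedboot_enabled() the `if (enabled) goto out;` and the `out:` label exist only to skip one statement. Testing `!enabled` in the same condition as the `of_property_read_u32(of_root, "ibm,trusted-boot", &trustedboot)` call removes both the jump and the label, and the same applies to the secure boot hunk. The hunk also deletes the blank line before `of_node_put(node);`, a whitespace change unrelated to the pseries support that is better left out of this patch.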