Message ID | 20200227204023.22125-16-grimm@linux.ibm.com |
---|---|
State | Superseded |
Series | Ultravisor support in skiboot | expand |
On 28/02/2020 07:40, Ryan Grimm wrote: > From: Michael Anderson <andmike@linux.ibm.com> How is this used? This patchset does not call add_wrapping_key_mambo() at all, do we need this patch at all? Thanks, > > Signed-off-by: Michael Anderson <andmike@linux.ibm.com> > --- > external/mambo/skiboot.tcl | 77 ++++++++++++++++++++++++++++++++++++++ > include/ultravisor.h | 2 + > platforms/mambo/uv.c | 39 +++++++++++++++++++ > 3 files changed, 118 insertions(+) > create mode 100644 platforms/mambo/uv.c > > diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl > index 39504140..877a9385 100644 > --- a/external/mambo/skiboot.tcl > +++ b/external/mambo/skiboot.tcl > @@ -95,6 +95,9 @@ mconfig net_mac MAMBO_NET_MAC 00:11:22:33:44:55 > # Net: What is the name of the tap device > mconfig net_tapdev MAMBO_NET_TAPDEV "tap0" > > +# TPM Wrapping Directory for key files > +mconfig wrapkey_dir WRAPKEY_DIR none > + > # Enable (default) or disable the "speculation-policy-favor-security" setting, > # set to 0 to disable. When enabled it causes Linux's RFI flush to be enabled. > mconfig speculation_policy_favor_security MAMBO_SPECULATION_POLICY_FAVOR_SECURITY 1 
> @@ -333,6 +336,80 @@ foreach pmem_size $pmem_sizes { # PMEM_VOLATILE > set pmem_start [pmem_node_add $pmem_root $pmem_start $pmem_size] > } > > +# > +# Add files to simulate TPM wrapping keys. > +# wrapping-key-policy-a > +# wrapping-key-policy-b > +# wrapping-key-passwd > +# wrapping-key-publicname > +# > + > +proc add_key_prop { k_file node p_name } { > + set key_list [list] > + set f [open $k_file r] > + > + while {1} { > + set key_byte [read $f 2] > + if {[eof $f]} { > + close $f > + break > + } > + lappend key_list $key_byte > + } > + > + mysim of addprop $node byte_array $p_name $key_list > +} > + > +if { $mconf(wrapkey_dir) != "none" } { > + set tpm_node [ mysim of addchild $root_node "tpm_sim" "" ] > + mysim of addprop $tpm_node string "compatible" "uv,tpm_sim" > + > + # policy-a.txt > + if {[file exists $mconf(wrapkey_dir)/policy-a.txt]} { > + puts "Using policy-a.txt" > + add_key_prop $mconf(wrapkey_dir)/policy-a.txt $tpm_node "wrapping-key-policy-a" > + } else { > + puts "ERROR: Could not find policy-a.txt in : $mconf(wrapkey_dir)" > + exit > + } > + > + # policy-b.txt > + if {[file exists $mconf(wrapkey_dir)/policy-b.txt]} { > + puts "Using policy-b.txt" > + add_key_prop $mconf(wrapkey_dir)/policy-b.txt $tpm_node "wrapping-key-policy-b" > + } else { > + puts "ERROR: Could not find policy-b.txt in : $mconf(wrapkey_dir)" > + exit > + } > + > + # wrapping-key-passwd > + if {[file exists $mconf(wrapkey_dir)/wrapping-key-passwd.txt]} { > + puts "Using wrapping-key-passwd.txt" > + add_key_prop $mconf(wrapkey_dir)/wrapping-key-passwd.txt $tpm_node "wrapping-key-passwd" > + } else { > + puts "ERROR: Could not find wrapping-key-passwd.txt in : $mconf(wrapkey_dir)" > + exit > + } > + > + # wrapping-key-publicname > + if {[file exists $mconf(wrapkey_dir)/wrapping-key-publicname.txt]} { > + puts "Using wrapping-key-publicname.txt" > + add_key_prop $mconf(wrapkey_dir)/wrapping-key-publicname.txt $tpm_node "wrapping-key-publicname" > + } else { > + puts "ERROR: 
Could not find wrapping-key-publicname.txt in : $mconf(wrapkey_dir)" > + exit > + } > + > + # wrapping-key-handle > + if {[file exists $mconf(wrapkey_dir)/wrapping-key-handle.txt]} { > + puts "Using wrapping-key-handle.txt" > + add_key_prop $mconf(wrapkey_dir)/wrapping-key-handle.txt $tpm_node "wrapping-key-handle" > + } else { > + puts "ERROR: Could not find wrapping-key-handle.txt in : $mconf(wrapkey_dir)" > + exit > + } > + > +} > > # Default NVRAM is blank and will be formatted by Skiboot if no file is provided > set fake_nvram_start $cpio_end > diff --git a/include/ultravisor.h b/include/ultravisor.h > index 347b085d..faa1d16b 100644 > --- a/include/ultravisor.h > +++ b/include/ultravisor.h > @@ -24,6 +24,8 @@ int start_ultravisor(void *fdt); > void uv_preload_image(void); > void init_uv(void); > > +int add_wrapping_key_mambo(void *fdt); > + > static inline int uv_xscom_read(u64 partid, u64 pcb_addr, u64 *val) > { > unsigned long retbuf[UCALL_BUFSIZE]; > diff --git a/platforms/mambo/uv.c b/platforms/mambo/uv.c > new file mode 100644 > index 00000000..2519d240 > --- /dev/null > +++ b/platforms/mambo/uv.c 
> @@ -0,0 +1,39 @@ > +// SPDX-License-Identifier: Apache-2.0 > +/* Copyright 2016-2017 IBM Corp. */ > + > +const char *wrap_key_prop_str[] = { > + "wrapping-key-passwd", > + "wrapping-key-publicname", > + "wrapping-key-policy-a", > + "wrapping-key-policy-b", > + NULL > +}; > + > +int add_wrapping_key_mambo(void *fdt) > +{ > + struct dt_node *tpm_sim_node; > + const struct dt_property *property = NULL; > + int i; > + > + tpm_sim_node = dt_find_compatible_node(dt_root, NULL, "uv,tpm_sim"); > + if (!tpm_sim_node) { > + prlog(PR_INFO, "uv,tpm_sim compatible node not found\n"); > + return OPAL_HARDWARE; > + } > + > + fdt_begin_node(fdt, "ibm,uv-tpm"); > + fdt_property_string(fdt, "compatible", "ibm,uv-tpm"); > + > + for (i = 0; wrap_key_prop_str[i] != NULL; i++) { > + property = dt_find_property(tpm_sim_node, wrap_key_prop_str[i]); > + if (property) { > + fdt_property(fdt, wrap_key_prop_str[i], > + property->prop, > + property->len); > + } > + } > + > + fdt_end_node(fdt); > + > + return OPAL_SUCCESS; > +} >
On Thu, 2020-03-12 at 12:45 +1100, Alexey Kardashevskiy wrote: > > On 28/02/2020 07:40, Ryan Grimm wrote: > > From: Michael Anderson <andmike@linux.ibm.com> > > > How is this used? This patchset does not call > add_wrapping_key_mambo() > at all, do we need this patch at all? Thanks, > These wrapping key patches will be dropped. -Ryan
diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl
index 39504140..877a9385 100644
--- a/external/mambo/skiboot.tcl
+++ b/external/mambo/skiboot.tcl
@@ -95,6 +95,9 @@ mconfig net_mac MAMBO_NET_MAC 00:11:22:33:44:55
 # Net: What is the name of the tap device
 mconfig net_tapdev MAMBO_NET_TAPDEV "tap0"
 
+# TPM Wrapping Directory for key files
+mconfig wrapkey_dir WRAPKEY_DIR none
+
 # Enable (default) or disable the "speculation-policy-favor-security" setting,
 # set to 0 to disable. When enabled it causes Linux's RFI flush to be enabled.
 mconfig speculation_policy_favor_security MAMBO_SPECULATION_POLICY_FAVOR_SECURITY 1
@@ -333,6 +336,80 @@ foreach pmem_size $pmem_sizes { # PMEM_VOLATILE
 set pmem_start [pmem_node_add $pmem_root $pmem_start $pmem_size]
 }
 
+#
+# Add files to simulate TPM wrapping keys.
+# wrapping-key-policy-a
+# wrapping-key-policy-b
+# wrapping-key-passwd
+# wrapping-key-publicname
+#
+
+proc add_key_prop { k_file node p_name } {
+ set key_list [list]
+ set f [open $k_file r]
+
+ while {1} {
+ set key_byte [read $f 2]
+ if {[eof $f]} {
+ close $f
+ break
+ }
+ lappend key_list $key_byte
+ }
+
+ mysim of addprop $node byte_array $p_name $key_list
+}
+
+if { $mconf(wrapkey_dir) != "none" } {
+ set tpm_node [ mysim of addchild $root_node "tpm_sim" "" ]
+ mysim of addprop $tpm_node string "compatible" "uv,tpm_sim"
+
+ # policy-a.txt
+ if {[file exists $mconf(wrapkey_dir)/policy-a.txt]} {
+ puts "Using policy-a.txt"
+ add_key_prop $mconf(wrapkey_dir)/policy-a.txt $tpm_node "wrapping-key-policy-a"
+ } else {
+ puts "ERROR: Could not find policy-a.txt in : $mconf(wrapkey_dir)"
+ exit
+ }
+
+ # policy-b.txt
+ if {[file exists $mconf(wrapkey_dir)/policy-b.txt]} {
+ puts "Using policy-b.txt"
+ add_key_prop $mconf(wrapkey_dir)/policy-b.txt $tpm_node "wrapping-key-policy-b"
+ } else {
+ puts "ERROR: Could not find policy-b.txt in : $mconf(wrapkey_dir)"
+ exit
+ }
+
+ # wrapping-key-passwd
+ if {[file exists $mconf(wrapkey_dir)/wrapping-key-passwd.txt]} {
+ puts "Using wrapping-key-passwd.txt"
+ add_key_prop $mconf(wrapkey_dir)/wrapping-key-passwd.txt $tpm_node "wrapping-key-passwd"
+ } else {
+ puts "ERROR: Could not find wrapping-key-passwd.txt in : $mconf(wrapkey_dir)"
+ exit
+ }
+
+ # wrapping-key-publicname
+ if {[file exists $mconf(wrapkey_dir)/wrapping-key-publicname.txt]} {
+ puts "Using wrapping-key-publicname.txt"
+ add_key_prop $mconf(wrapkey_dir)/wrapping-key-publicname.txt $tpm_node "wrapping-key-publicname"
+ } else {
+ puts "ERROR: Could not find wrapping-key-publicname.txt in : $mconf(wrapkey_dir)"
+ exit
+ }
+
+ # wrapping-key-handle
+ if {[file exists $mconf(wrapkey_dir)/wrapping-key-handle.txt]} {
+ puts "Using wrapping-key-handle.txt"
+ add_key_prop $mconf(wrapkey_dir)/wrapping-key-handle.txt $tpm_node "wrapping-key-handle"
+ } else {
+ puts "ERROR: Could not find wrapping-key-handle.txt in : $mconf(wrapkey_dir)"
+ exit
+ }
+
+}
 
 # Default NVRAM is blank and will be formatted by Skiboot if no file is provided
 set fake_nvram_start $cpio_end
diff --git a/include/ultravisor.h b/include/ultravisor.h
index 347b085d..faa1d16b 100644
--- a/include/ultravisor.h
+++ b/include/ultravisor.h
@@ -24,6 +24,8 @@ int start_ultravisor(void *fdt);
 void uv_preload_image(void);
 void init_uv(void);
 
+int add_wrapping_key_mambo(void *fdt);
+
 static inline int uv_xscom_read(u64 partid, u64 pcb_addr, u64 *val)
 {
 unsigned long retbuf[UCALL_BUFSIZE];
diff --git a/platforms/mambo/uv.c b/platforms/mambo/uv.c
new file mode 100644
index 00000000..2519d240
--- /dev/null
+++ b/platforms/mambo/uv.c
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: Apache-2.0
+/* Copyright 2016-2017 IBM Corp. */
+
+const char *wrap_key_prop_str[] = {
+ "wrapping-key-passwd",
+ "wrapping-key-publicname",
+ "wrapping-key-policy-a",
+ "wrapping-key-policy-b",
+ NULL
+};
+
+int add_wrapping_key_mambo(void *fdt)
+{
+ struct dt_node *tpm_sim_node;
+ const struct dt_property *property = NULL;
+ int i;
+
+ tpm_sim_node = dt_find_compatible_node(dt_root, NULL, "uv,tpm_sim");
+ if (!tpm_sim_node) {
+ prlog(PR_INFO, "uv,tpm_sim compatible node not found\n");
+ return OPAL_HARDWARE;
+ }
+
+ fdt_begin_node(fdt, "ibm,uv-tpm");
+ fdt_property_string(fdt, "compatible", "ibm,uv-tpm");
+
+ for (i = 0; wrap_key_prop_str[i] != NULL; i++) {
+ property = dt_find_property(tpm_sim_node, wrap_key_prop_str[i]);
+ if (property) {
+ fdt_property(fdt, wrap_key_prop_str[i],
+ property->prop,
+ property->len);
+ }
+ }
+
+ fdt_end_node(fdt);
+
+ return OPAL_SUCCESS;
+}
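Review bot: The header comment at the top of this hunk lists four wrapping-key properties but the block below loads five; `# wrapping-key-handle` belongs in that list, and the comment should also state the key-file format `add_key_prop` expects (it reads the file two characters at a time and hands each pair to `byte_array`, so presumably hex digit pairs with no trailing newline — worth confirming). In `add_key_prop` the `eof` test runs before `lappend`, so a chunk returned by a read that also reaches end-of-file (an odd-length file, or a trailing newline folded into the last pair) is silently dropped; appending the chunk when it is non-empty before breaking avoids that. Each missing-file branch prints on stdout and calls bare `exit`, which exits with status 0, so a missing key file looks like a successful run to whatever launched mambo; `puts stderr "ERROR: Could not find policy-a.txt in : $mconf(wrapkey_dir)"` followed by `exit 1` (and likewise in the other four branches) would surface it. The five check-and-add blocks differ only in file name and property name and could be a single `foreach` over a list of {file property} pairs.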
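Review bot: None of the libfdt return values in `add_wrapping_key_mambo` are checked: `fdt_begin_node`, `fdt_property_string`, `fdt_property` and `fdt_end_node` each return a negative error (for example when the blob has no space left), yet the function keeps writing and still returns `OPAL_SUCCESS`, so a truncated or malformed `ibm,uv-tpm` node would be passed on silently. The new file also has no `#include` lines at all, so it does not see the prototype this same patch adds to `include/ultravisor.h`, nor the `dt_*`, `prlog` and `OPAL_*` declarations it relies on; and `wrap_key_prop_str` is a writable global with external linkage that should be `static const char *const wrap_key_prop_str[]`. The list copies four properties but omits `wrapping-key-handle`, which the skiboot.tcl hunk does export into the `uv,tpm_sim` node; if that is deliberate a comment should say so. Because one of the copied properties is `wrapping-key-passwd`, the function's header comment should state which blob the `fdt` argument is (presumably the one handed to the ultravisor, given where the prototype lives) so a reader knows where those bytes end up. A checked version of the body:
```c
int add_wrapping_key_mambo(void *fdt)
{
	/* … unchanged: declarations and uv,tpm_sim lookup … */
	int rc;

	rc = fdt_begin_node(fdt, "ibm,uv-tpm");
	if (rc)
		goto out;
	rc = fdt_property_string(fdt, "compatible", "ibm,uv-tpm");
	if (rc)
		goto out;

	for (i = 0; wrap_key_prop_str[i] != NULL; i++) {
		property = dt_find_property(tpm_sim_node, wrap_key_prop_str[i]);
		if (!property)
			continue;
		rc = fdt_property(fdt, wrap_key_prop_str[i],
				  property->prop, property->len);
		if (rc)
			goto out;
	}

	rc = fdt_end_node(fdt);
out:
	if (rc) {
		prlog(PR_ERR, "ibm,uv-tpm: fdt error %s\n", fdt_strerror(rc));
		return OPAL_INTERNAL_ERROR;
	}
	return OPAL_SUCCESS;
}
```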