[RFC,v5,15/16] ultravisor: Pickup wraping key data from mambo

Message ID 20200227204023.22125-16-grimm@linux.ibm.com
State New
Series
  • Ultravisor support in skiboot


Commit Message

Ryan Grimm Feb. 27, 2020, 8:40 p.m. UTC
From: Michael Anderson <andmike@linux.ibm.com>

Signed-off-by: Michael Anderson <andmike@linux.ibm.com>
---
 external/mambo/skiboot.tcl | 77 ++++++++++++++++++++++++++++++++++++++
 include/ultravisor.h       |  2 +
 platforms/mambo/uv.c       | 39 +++++++++++++++++++
 3 files changed, 118 insertions(+)
 create mode 100644 platforms/mambo/uv.c

Comments

Alexey Kardashevskiy March 12, 2020, 1:45 a.m. UTC | #1
On 28/02/2020 07:40, Ryan Grimm wrote:
> From: Michael Anderson <andmike@linux.ibm.com>


How is this used? This patchset does not call add_wrapping_key_mambo()
at all, do we need this patch at all? Thanks,

> 
> Signed-off-by: Michael Anderson <andmike@linux.ibm.com>
> ---
>  external/mambo/skiboot.tcl | 77 ++++++++++++++++++++++++++++++++++++++
>  include/ultravisor.h       |  2 +
>  platforms/mambo/uv.c       | 39 +++++++++++++++++++
>  3 files changed, 118 insertions(+)
>  create mode 100644 platforms/mambo/uv.c
> 
> diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl
> index 39504140..877a9385 100644
> --- a/external/mambo/skiboot.tcl
> +++ b/external/mambo/skiboot.tcl
> @@ -95,6 +95,9 @@ mconfig net_mac MAMBO_NET_MAC 00:11:22:33:44:55
>  # Net: What is the name of the tap device
>  mconfig net_tapdev MAMBO_NET_TAPDEV "tap0"
>  
> +# TPM Wrapping Directory for key files
> +mconfig wrapkey_dir WRAPKEY_DIR none
> +
>  # Enable (default) or disable the "speculation-policy-favor-security" setting,
>  # set to 0 to disable. When enabled it causes Linux's RFI flush to be enabled.
>  mconfig speculation_policy_favor_security MAMBO_SPECULATION_POLICY_FAVOR_SECURITY 1
> @@ -333,6 +336,80 @@ foreach pmem_size $pmem_sizes { # PMEM_VOLATILE
>      set pmem_start [pmem_node_add $pmem_root $pmem_start $pmem_size]
>  }
>  
> +#
> +# Add files to simulate TPM wrapping keys.
> +# wrapping-key-policy-a
> +# wrapping-key-policy-b
> +# wrapping-key-passwd
> +# wrapping-key-publicname
> +#
> +
> +proc add_key_prop { k_file node p_name } {
> +    set key_list [list]
> +    set f [open $k_file r]
> +
> +    while {1} {
> +        set key_byte [read $f 2]
> +        if {[eof $f]} {
> +            close $f
> +            break
> +        }
> +        lappend key_list $key_byte
> +    }
> +
> +    mysim of addprop $node byte_array $p_name $key_list
> +}
> +
> +if { $mconf(wrapkey_dir) != "none" } {
> +  set tpm_node [ mysim of addchild $root_node "tpm_sim" "" ]
> +  mysim of addprop $tpm_node string "compatible" "uv,tpm_sim"
> +
> +  # policy-a.txt
> +  if {[file exists $mconf(wrapkey_dir)/policy-a.txt]} {
> +    puts "Using policy-a.txt"
> +    add_key_prop $mconf(wrapkey_dir)/policy-a.txt $tpm_node "wrapping-key-policy-a"
> +  } else {
> +    puts "ERROR: Could not find policy-a.txt in : $mconf(wrapkey_dir)"
> +    exit
> +  }
> +
> +  # policy-b.txt
> +  if {[file exists $mconf(wrapkey_dir)/policy-b.txt]} {
> +    puts "Using policy-b.txt"
> +    add_key_prop $mconf(wrapkey_dir)/policy-b.txt $tpm_node "wrapping-key-policy-b"
> +  } else {
> +    puts "ERROR: Could not find policy-b.txt in : $mconf(wrapkey_dir)"
> +    exit
> +  }
> +
> +  # wrapping-key-passwd
> +  if {[file exists $mconf(wrapkey_dir)/wrapping-key-passwd.txt]} {
> +    puts "Using wrapping-key-passwd.txt"
> +    add_key_prop $mconf(wrapkey_dir)/wrapping-key-passwd.txt $tpm_node "wrapping-key-passwd"
> +  } else {
> +    puts "ERROR: Could not find wrapping-key-passwd.txt in : $mconf(wrapkey_dir)"
> +    exit
> +  }
> +
> +  # wrapping-key-publicname
> +  if {[file exists $mconf(wrapkey_dir)/wrapping-key-publicname.txt]} {
> +    puts "Using wrapping-key-publicname.txt"
> +    add_key_prop $mconf(wrapkey_dir)/wrapping-key-publicname.txt $tpm_node "wrapping-key-publicname"
> +  } else {
> +    puts "ERROR: Could not find wrapping-key-publicname.txt in : $mconf(wrapkey_dir)"
> +    exit
> +  }
> +
> +  # wrapping-key-handle
> +  if {[file exists $mconf(wrapkey_dir)/wrapping-key-handle.txt]} {
> +    puts "Using wrapping-key-handle.txt"
> +    add_key_prop $mconf(wrapkey_dir)/wrapping-key-handle.txt $tpm_node "wrapping-key-handle"
> +  } else {
> +    puts "ERROR: Could not find wrapping-key-handle.txt in : $mconf(wrapkey_dir)"
> +    exit
> +  }
> +
> +}
>  
>  # Default NVRAM is blank and will be formatted by Skiboot if no file is provided
>  set fake_nvram_start $cpio_end
> diff --git a/include/ultravisor.h b/include/ultravisor.h
> index 347b085d..faa1d16b 100644
> --- a/include/ultravisor.h
> +++ b/include/ultravisor.h
> @@ -24,6 +24,8 @@ int start_ultravisor(void *fdt);
>  void uv_preload_image(void);
>  void init_uv(void);
>  
> +int add_wrapping_key_mambo(void *fdt);
> +
>  static inline int uv_xscom_read(u64 partid, u64 pcb_addr, u64 *val)
>  {
>  	unsigned long retbuf[UCALL_BUFSIZE];
> diff --git a/platforms/mambo/uv.c b/platforms/mambo/uv.c
> new file mode 100644
> index 00000000..2519d240
> --- /dev/null
> +++ b/platforms/mambo/uv.c
> @@ -0,0 +1,39 @@
> +// SPDX-License-Identifier: Apache-2.0
> +/* Copyright 2016-2017 IBM Corp. */
> +
> +const char *wrap_key_prop_str[] = {
> +	"wrapping-key-passwd",
> +	"wrapping-key-publicname",
> +	"wrapping-key-policy-a",
> +	"wrapping-key-policy-b",
> +	NULL
> +};
> +
> +int add_wrapping_key_mambo(void *fdt)
> +{
> +	struct dt_node *tpm_sim_node;
> +	const struct dt_property *property = NULL;
> +	int i;
> +
> +	tpm_sim_node = dt_find_compatible_node(dt_root, NULL, "uv,tpm_sim");
> +	if (!tpm_sim_node) {
> +		prlog(PR_INFO, "uv,tpm_sim compatible node not found\n");
> +		return OPAL_HARDWARE;
> +	}
> +
> +	fdt_begin_node(fdt, "ibm,uv-tpm");
> +	fdt_property_string(fdt, "compatible", "ibm,uv-tpm");
> +
> +	for (i = 0; wrap_key_prop_str[i] != NULL; i++) {
> +		property = dt_find_property(tpm_sim_node, wrap_key_prop_str[i]);
> +		if (property) {
> +			fdt_property(fdt, wrap_key_prop_str[i],
> +				property->prop,
> +				property->len);
> +		}
> +	}
> +
> +	fdt_end_node(fdt);
> +
> +	return OPAL_SUCCESS;
> +}
>
Ryan Grimm March 26, 2020, 2:36 p.m. UTC | #2
On Thu, 2020-03-12 at 12:45 +1100, Alexey Kardashevskiy wrote:
> 
> On 28/02/2020 07:40, Ryan Grimm wrote:
> > From: Michael Anderson <andmike@linux.ibm.com>
> 
> 
> How is this used? This patchset does not call
> add_wrapping_key_mambo()
> at all, do we need this patch at all? Thanks,
> 

These wrapping key patches will be dropped.

-Ryan

Patch

diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl
index 39504140..877a9385 100644
--- a/external/mambo/skiboot.tcl
+++ b/external/mambo/skiboot.tcl
@@ -95,6 +95,9 @@  mconfig net_mac MAMBO_NET_MAC 00:11:22:33:44:55
 # Net: What is the name of the tap device
 mconfig net_tapdev MAMBO_NET_TAPDEV "tap0"
 
+# TPM Wrapping Directory for key files
+mconfig wrapkey_dir WRAPKEY_DIR none
+
 # Enable (default) or disable the "speculation-policy-favor-security" setting,
 # set to 0 to disable. When enabled it causes Linux's RFI flush to be enabled.
 mconfig speculation_policy_favor_security MAMBO_SPECULATION_POLICY_FAVOR_SECURITY 1
@@ -333,6 +336,80 @@  foreach pmem_size $pmem_sizes { # PMEM_VOLATILE
     set pmem_start [pmem_node_add $pmem_root $pmem_start $pmem_size]
 }
 
+#
+# Add files to simulate TPM wrapping keys.
+# wrapping-key-policy-a
+# wrapping-key-policy-b
+# wrapping-key-passwd
+# wrapping-key-publicname
+#
+
+proc add_key_prop { k_file node p_name } {
+    set key_list [list]
+    set f [open $k_file r]
+
+    while {1} {
+        set key_byte [read $f 2]
+        if {[eof $f]} {
+            close $f
+            break
+        }
+        lappend key_list $key_byte
+    }
+
+    mysim of addprop $node byte_array $p_name $key_list
+}
+
+if { $mconf(wrapkey_dir) != "none" } {
+  set tpm_node [ mysim of addchild $root_node "tpm_sim" "" ]
+  mysim of addprop $tpm_node string "compatible" "uv,tpm_sim"
+
+  # policy-a.txt
+  if {[file exists $mconf(wrapkey_dir)/policy-a.txt]} {
+    puts "Using policy-a.txt"
+    add_key_prop $mconf(wrapkey_dir)/policy-a.txt $tpm_node "wrapping-key-policy-a"
+  } else {
+    puts "ERROR: Could not find policy-a.txt in : $mconf(wrapkey_dir)"
+    exit
+  }
+
+  # policy-b.txt
+  if {[file exists $mconf(wrapkey_dir)/policy-b.txt]} {
+    puts "Using policy-b.txt"
+    add_key_prop $mconf(wrapkey_dir)/policy-b.txt $tpm_node "wrapping-key-policy-b"
+  } else {
+    puts "ERROR: Could not find policy-b.txt in : $mconf(wrapkey_dir)"
+    exit
+  }
+
+  # wrapping-key-passwd
+  if {[file exists $mconf(wrapkey_dir)/wrapping-key-passwd.txt]} {
+    puts "Using wrapping-key-passwd.txt"
+    add_key_prop $mconf(wrapkey_dir)/wrapping-key-passwd.txt $tpm_node "wrapping-key-passwd"
+  } else {
+    puts "ERROR: Could not find wrapping-key-passwd.txt in : $mconf(wrapkey_dir)"
+    exit
+  }
+
+  # wrapping-key-publicname
+  if {[file exists $mconf(wrapkey_dir)/wrapping-key-publicname.txt]} {
+    puts "Using wrapping-key-publicname.txt"
+    add_key_prop $mconf(wrapkey_dir)/wrapping-key-publicname.txt $tpm_node "wrapping-key-publicname"
+  } else {
+    puts "ERROR: Could not find wrapping-key-publicname.txt in : $mconf(wrapkey_dir)"
+    exit
+  }
+
+  # wrapping-key-handle
+  if {[file exists $mconf(wrapkey_dir)/wrapping-key-handle.txt]} {
+    puts "Using wrapping-key-handle.txt"
+    add_key_prop $mconf(wrapkey_dir)/wrapping-key-handle.txt $tpm_node "wrapping-key-handle"
+  } else {
+    puts "ERROR: Could not find wrapping-key-handle.txt in : $mconf(wrapkey_dir)"
+    exit
+  }
+
+}
 
 # Default NVRAM is blank and will be formatted by Skiboot if no file is provided
 set fake_nvram_start $cpio_end
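Review bot: A missing key file ends the script with a bare `exit` (every `else` branch from the policy-a.txt check onward), so the ERROR line is printed but the process exits 0 and a driving harness cannot distinguish the failure from a successful boot; each of the five branches should use `exit 1`. In `add_key_prop` the `eof` test runs before the chunk is appended, so when `read $f 2` returns a short final chunk (an odd-length file) that data is silently dropped — append the chunk whenever it is non-empty and only then break on eof. The script also reads `wrapping-key-handle.txt`, which neither the header comment above `add_key_prop` nor the `wrap_key_prop_str` table in platforms/mambo/uv.c lists, so that property is created on the simulator node but never copied to the ultravisor fdt; either add it to both or drop it here. The five near-identical file checks could be one `foreach {file prop} {...}` loop, which would keep the file-to-property list in a single place.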
diff --git a/include/ultravisor.h b/include/ultravisor.h
index 347b085d..faa1d16b 100644
--- a/include/ultravisor.h
+++ b/include/ultravisor.h
@@ -24,6 +24,8 @@  int start_ultravisor(void *fdt);
 void uv_preload_image(void);
 void init_uv(void);
 
+int add_wrapping_key_mambo(void *fdt);
+
 static inline int uv_xscom_read(u64 partid, u64 pcb_addr, u64 *val)
 {
 	unsigned long retbuf[UCALL_BUFSIZE];
diff --git a/platforms/mambo/uv.c b/platforms/mambo/uv.c
new file mode 100644
index 00000000..2519d240
--- /dev/null
+++ b/platforms/mambo/uv.c
@@ -0,0 +1,39 @@ 
+// SPDX-License-Identifier: Apache-2.0
+/* Copyright 2016-2017 IBM Corp. */
+
+const char *wrap_key_prop_str[] = {
+	"wrapping-key-passwd",
+	"wrapping-key-publicname",
+	"wrapping-key-policy-a",
+	"wrapping-key-policy-b",
+	NULL
+};
+
+int add_wrapping_key_mambo(void *fdt)
+{
+	struct dt_node *tpm_sim_node;
+	const struct dt_property *property = NULL;
+	int i;
+
+	tpm_sim_node = dt_find_compatible_node(dt_root, NULL, "uv,tpm_sim");
+	if (!tpm_sim_node) {
+		prlog(PR_INFO, "uv,tpm_sim compatible node not found\n");
+		return OPAL_HARDWARE;
+	}
+
+	fdt_begin_node(fdt, "ibm,uv-tpm");
+	fdt_property_string(fdt, "compatible", "ibm,uv-tpm");
+
+	for (i = 0; wrap_key_prop_str[i] != NULL; i++) {
+		property = dt_find_property(tpm_sim_node, wrap_key_prop_str[i]);
+		if (property) {
+			fdt_property(fdt, wrap_key_prop_str[i],
+				property->prop,
+				property->len);
+		}
+	}
+
+	fdt_end_node(fdt);
+
+	return OPAL_SUCCESS;
+}
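Review bot: The new file has no `#include` directives yet calls prlog, dt_find_compatible_node, dt_find_property and the fdt_* writers and uses NULL, OPAL_HARDWARE and OPAL_SUCCESS, and the diffstat shows no Makefile.inc change adding it to a build, so nothing here appears to have been compiled; add the includes that declare those names and hook the object into the mambo platform build. The return values of fdt_begin_node, fdt_property_string, fdt_property and fdt_end_node are discarded, so if these are the libfdt sequential-write routines a full blob (FDT_ERR_NOSPACE) still yields OPAL_SUCCESS and a truncated fdt is handed on; check each and return an error instead. `wrap_key_prop_str` is a non-static array of non-const pointers with external linkage and no declaration in include/ultravisor.h; since it is only read here, make it `static const char *const wrap_key_prop_str[] = {`. A key that is in the table but absent from the simulator node is skipped silently, so a `prlog(PR_DEBUG, ...)` in the missing-property case would make a partially populated ibm,uv-tpm node diagnosable.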