mbox series

[0/7] Add Secure Variable Support

Message ID 20190610122649.16618-1-erichte@linux.ibm.com
Headers show
Series Add Secure Variable Support | expand

Message

Eric Richter June 10, 2019, 12:26 p.m. UTC
The previous implementation "Initial Skiboot Secure Variable Support"
tied the OPAL runtime service API too tightly to the variable processing
backend. Therefore, if the variable processing design had to be changed
or updated, so did the API. This patch set redesigns the previous set to
support a generic OPAL API, and pluggable drivers for persistent variable
storage and variable processing.

Platforms may support different storage hardware, therefore a platform
must be able to select the proper storage driver for persisting variables. 

Platforms may also select the backend used to manipulate secure variables.
The backend determines the format in which the variables are stored, and
how the variables are authenticated and updated. 

This patch set includes the base implementation to support secure
variables, and the updated OPAL runtime service API. This set also
includes draft implementations for a pnor-based storage driver, and an
edk2-derived backend driver. This backend driver depends on mbedtls-based
crypto support, which will be in a separate forthcoming patch set. The
draft implementation of the backend driver has the crypto-dependent code
commented out for sake of compilation.

This patch set is technically the V3 version of the previous patch
set[1], but due to the substantial changes to the code and the inclusion
of new RFC patches (patches 4-7), this set has been posted as a new
series.

[1] https://lists.ozlabs.org/pipermail/skiboot/2019-April/013967.html

ORIGINAL COVER LETTER:

In order to support the secure boot of the host OS on POWER, the platform
needs three things:
 - Variables that can only be modified with proper authorization
      ("Secure variables")
 - Tamper-proof storage for secure variables ("Trust storage")
 - Interface to access and manage secure variables

The secure variables will need to be consumed by the linux kernel and
sysadmins. During the boot process, the linux IMA subsystem will fetch
keys stored in the secure variables to verify the signature of the kexec
image. Therefore, these variables must contain keys that have been
authorized. Furthermore, the variables need to be persisted across reboots,
and thus must be resistant to unauthorized writes to system flash. Finally,
sysadmins also need to access the secure variables for key management.

This patch series proposes a definition of secure variables, how to store
the secure variables in the trust storage via the PNOR secboot partition,
as well as an interface via OPAL runtime services to access them. Further
implementation detail can be found in the individual patch descriptions. 


Claudio Carvalho (1):
  core/flash.c: add SECBOOT read and write support

Eric Richter (4):
  libstb/secvar: add secure variable internal abstraction
  libstb/secvar: add secvar api implementation
  secvar/storage: add draft secvar storage driver for pnor-based p9
    platforms
  witherspoon: enable secvar for witherspoon platform

Nayna Jain (2):
  secvar/backend: add edk2 headers to support edk2 derived backend
  secvar/backend: add edk2 derived key updates processing

 ccan/list/list.h                   |  38 ++
 core/flash.c                       | 130 +++++++
 include/opal-api.h                 |   7 +-
 include/platform.h                 |   5 +
 include/secvar.h                   |  41 +++
 libstb/Makefile.inc                |   3 +-
 libstb/secureboot.c                |   2 +
 libstb/secvar/Makefile.inc         |  14 +
 libstb/secvar/backend/Makefile.inc |  11 +
 libstb/secvar/backend/edk2/data.h  |  75 ++++
 libstb/secvar/backend/edk2/edk2.c  | 535 +++++++++++++++++++++++++++++
 libstb/secvar/backend/edk2/edk2.h  | 249 ++++++++++++++
 libstb/secvar/secvar.h             |  74 ++++
 libstb/secvar/secvar_api.c         | 248 +++++++++++++
 libstb/secvar/secvar_main.c        |  89 +++++
 libstb/secvar/secvar_util.c        |  88 +++++
 libstb/secvar/storage/Makefile.inc |  11 +
 libstb/secvar/storage/secboot_p9.c | 243 +++++++++++++
 platforms/astbmc/witherspoon.c     |   7 +
 19 files changed, 1868 insertions(+), 2 deletions(-)
 create mode 100644 include/secvar.h
 create mode 100644 libstb/secvar/Makefile.inc
 create mode 100644 libstb/secvar/backend/Makefile.inc
 create mode 100644 libstb/secvar/backend/edk2/data.h
 create mode 100644 libstb/secvar/backend/edk2/edk2.c
 create mode 100644 libstb/secvar/backend/edk2/edk2.h
 create mode 100644 libstb/secvar/secvar.h
 create mode 100644 libstb/secvar/secvar_api.c
 create mode 100644 libstb/secvar/secvar_main.c
 create mode 100644 libstb/secvar/secvar_util.c
 create mode 100644 libstb/secvar/storage/Makefile.inc
 create mode 100644 libstb/secvar/storage/secboot_p9.c