From patchwork Tue Jun 25 22:02:06 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1122324 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 45YKsR4y1Nz9s3C for ; Wed, 26 Jun 2019 08:02:51 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 45YKsQ3rYPzDqTP for ; Wed, 26 Jun 2019 08:02:50 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=linux.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 45YKs10lY0zDqB3 for ; Wed, 26 Jun 2019 08:02:28 +1000 (AEST) Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x5PM1nMV008783 for ; Tue, 25 Jun 2019 18:02:25 -0400 Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100]) by mx0a-001b2d01.pphosted.com with ESMTP id 2tbrybeuvq-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 25 Jun 2019 18:02:24 -0400 Received: from localhost by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 25 Jun 2019 23:02:22 +0100 Received: from b06cxnps4076.portsmouth.uk.ibm.com (9.149.109.198) by e06smtp04.uk.ibm.com (192.168.101.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Tue, 25 Jun 2019 23:02:20 +0100 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x5PM2IjQ30867558 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 25 Jun 2019 22:02:18 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B28D811C066; Tue, 25 Jun 2019 22:02:18 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1561C11C05E; Tue, 25 Jun 2019 22:02:18 +0000 (GMT) Received: from yorha.austin.ibm.com (unknown [9.41.178.196]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 25 Jun 2019 22:02:17 +0000 (GMT) From: Eric Richter To: skiboot@lists.ozlabs.org Date: Tue, 25 Jun 2019 17:02:06 -0500 X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 X-TM-AS-GCONF: 00 x-cbid: 19062522-0016-0000-0000-0000028C54CF X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19062522-0017-0000-0000-000032E9C967 Message-Id: <20190625220215.27134-1-erichte@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-06-25_14:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1906250173 Subject: [Skiboot] [PATCH v2 0/9] Add Secure Variable Support X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" The previous implementation "Initial Skiboot Secure Variable Support" tied the OPAL runtime service API too tightly to the variable processing backend. Therefore, if the variable processing design had to be changed or updated, so did the API. This patch set redesigns the previous set to support a generic OPAL API, and pluggable drivers for persistent variable storage and variable processing. Platforms may support different storage hardware, therefore a platform must be able to select the proper storage driver for persisting variables. Platforms may also select the backend used to manipulate secure variables. The backend determines the format in which the variables are stored, and how the variables are authenticated and updated. This patch set includes the base implementation to support secure variables, and the updated OPAL runtime service API. This set also includes draft implementations for a pnor-based storage driver, and an edk2-derived backend driver. This backend driver depends on mbedtls-based crypto support, which will be in a separate forthcoming patch set. The draft implementation of the backend driver has the crypto-dependent code commented out for sake of compilation. Changes in V2: - ibm,secureboot compatible is set to -v3 - added secvar device tree node - removed opal_secvar_backend - added API and secvar DT node documentation - minor fixes/changes (see patch descriptions) Claudio Carvalho (1): core/flash.c: add SECBOOT read and write support Eric Richter (6): libstb/secvar: add secure variable internal abstraction secureboot: initialize secure variables if supported by the platform libstb/secvar: add secvar api implementation doc: add opal secure variable documentation secvar/storage: add draft secvar storage driver for pnor-based p9 platforms witherspoon: enable secvar for witherspoon platform Nayna Jain (2): secvar/backend: add edk2 headers to support edk2 derived backend secvar/backend: add edk2 derived key updates processing ccan/list/list.h | 38 ++ core/flash.c | 130 +++++ doc/device-tree/ibm,secureboot.rst | 10 + doc/device-tree/secvar.rst | 40 ++ doc/opal-api/opal-secvar.rst | 267 +++++++++ include/opal-api.h | 6 +- include/platform.h | 5 + include/secvar.h | 49 ++ libstb/Makefile.inc | 3 +- libstb/secureboot.c | 23 + libstb/secvar/Makefile.inc | 14 + libstb/secvar/backend/Makefile.inc | 11 + libstb/secvar/backend/edk2-compat/data.h | 70 +++ .../secvar/backend/edk2-compat/edk2-compat.c | 536 ++++++++++++++++++ libstb/secvar/backend/edk2-compat/edk2.h | 249 ++++++++ libstb/secvar/secvar.h | 75 +++ libstb/secvar/secvar_api.c | 215 +++++++ libstb/secvar/secvar_main.c | 117 ++++ libstb/secvar/secvar_util.c | 88 +++ libstb/secvar/storage/Makefile.inc | 11 + libstb/secvar/storage/secboot_p9.c | 242 ++++++++ platforms/astbmc/witherspoon.c | 7 + 22 files changed, 2204 insertions(+), 2 deletions(-) create mode 100644 doc/device-tree/secvar.rst create mode 100644 doc/opal-api/opal-secvar.rst create mode 100644 include/secvar.h create mode 100644 libstb/secvar/Makefile.inc create mode 100644 libstb/secvar/backend/Makefile.inc create mode 100644 libstb/secvar/backend/edk2-compat/data.h create mode 100644 libstb/secvar/backend/edk2-compat/edk2-compat.c create mode 100644 libstb/secvar/backend/edk2-compat/edk2.h create mode 100644 libstb/secvar/secvar.h create mode 100644 libstb/secvar/secvar_api.c create mode 100644 libstb/secvar/secvar_main.c create mode 100644 libstb/secvar/secvar_util.c create mode 100644 libstb/secvar/storage/Makefile.inc create mode 100644 libstb/secvar/storage/secboot_p9.c