From patchwork Mon Jan 20 02:36:48 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1225597 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 481G8G0vsqz9sR1 for ; Mon, 20 Jan 2020 13:39:10 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 481G8F5LHWzDqZm for ; Mon, 20 Jan 2020 13:39:09 +1100 (AEDT) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 481G651kcszDqXw for ; Mon, 20 Jan 2020 13:37:10 +1100 (AEDT) Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 00K2WotG133370 for ; Sun, 19 Jan 2020 21:37:08 -0500 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0b-001b2d01.pphosted.com with ESMTP id 2xmg7xg4hd-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Sun, 19 Jan 2020 21:37:07 -0500 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 20 Jan 2020 02:37:06 -0000 Received: from b06avi18878370.portsmouth.uk.ibm.com (9.149.26.194) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 20 Jan 2020 02:37:05 -0000 Received: from d06av22.portsmouth.uk.ibm.com (d06av22.portsmouth.uk.ibm.com [9.149.105.58]) by b06avi18878370.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 00K2b3ei43057430 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 20 Jan 2020 02:37:03 GMT Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5BFC24C046; Mon, 20 Jan 2020 02:37:03 +0000 (GMT) Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id ABEFD4C04E; Mon, 20 Jan 2020 02:37:02 +0000 (GMT) Received: from ceres.ibmuc.com (unknown [9.80.231.232]) by d06av22.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 20 Jan 2020 02:37:02 +0000 (GMT) From: Eric Richter To: skiboot@lists.ozlabs.org Date: Sun, 19 Jan 2020 20:36:48 -0600 X-Mailer: git-send-email 2.21.0 MIME-Version: 1.0 X-TM-AS-GCONF: 00 x-cbid: 20012002-0008-0000-0000-0000034AE74D X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 20012002-0009-0000-0000-00004A6B4866 Message-Id: <20200120023700.5373-1-erichte@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.572 definitions=2020-01-19_08:2020-01-16, 2020-01-19 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 clxscore=1015 lowpriorityscore=0 priorityscore=1501 impostorscore=0 suspectscore=0 bulkscore=0 spamscore=0 adultscore=0 phishscore=0 mlxscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-2001200020 Subject: [Skiboot] [PATCH v2 00/12] Add initial secure variable storage and backend drivers X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" This version of the patch set now has a mostly feature complete pair of drivers to manage secure boot keys, and an enabling patch for witherspoon platforms. Most notably, this new set now includes a TSS library, and utilizes the TPM NV index for storage, as opposed to the previous set's simulation using PNOR. The PNOR simulation has also been included for testing and review purposes. This set can be tested using the following preconfigured op-build tree containing all the patches and configuration required to enable secure boot: https://github.com/naynajain/op-build/tree/op-build-stb-v1 To test without a TPM, see patch 12's description and commented out code. PREVIOUS COVER LETTER: This patch set adds the first set of storage and backend drivers for the secure variable implementation. Included also is a patch to add support for secure variables on witherspoon platforms. As both drivers may need to utilize the single TPM NV index reserved for secure boot, patch 1 includes a small abstraction to allow drivers to play nice and share the space without stepping on each other. Future revisions of this set will include a TSS implementation to interact with a physical TPM. For now, it uses PNOR to simulate the TPM NV space. The secboot_tpm storage driver uses the SECBOOT partition in PNOR to store the variables, and a TPM NV index to store a hash of the variables for checking data integrity. As this uses the TPM NV abstraction, it currently uses PNOR space instead of actual TPM NV, and thus should not yet be considered actually secure. The edk2-compat driver processes updates using an edk2-like format and key hierarchy. As this depends heavily on crypto support (specifically RSA 2048, x509, sha256, and pkcs7) this set includes mbedtls as a git submodule, and a mbedtls-styled pkcs7 parser. Claudio Carvalho (1): core/flash.c: add SECBOOT read and write support Eric Richter (8): crypto: add mbedtls build integration via git submodule libstb: add ibmtpm20tss library via submodule libstb/tss2: add skiboot wrappers for TSS commands secvar_tpmnv: add high-level tpm nv index abstraction for secvar secvar/storage: add secvar storage driver for pnor-based p9 platforms secvar/test: add edk2-compat driver test and test data secvar_util.c: add dealloc_secvar helper to match alloc_secvar witherspoon: enable secvar for witherspoon platform Mauro S. M. Rodrigues (1): libstb: Register TPM chip for further use within TSS Nayna Jain (2): crypto: add out-of-tree mbedtls pkcs7 parser secvar/backend: add edk2 derived key updates processing .gitmodules | 8 + core/flash.c | 130 +++ doc/secvar/edk2.rst | 49 ++ include/platform.h | 4 + include/secvar.h | 2 + libstb/Makefile.inc | 9 +- libstb/crypto/Makefile.inc | 46 + libstb/crypto/mbedtls | 1 + libstb/crypto/mbedtls-config.h | 100 +++ libstb/crypto/pkcs7/Makefile.inc | 12 + libstb/crypto/pkcs7/pkcs7.c | 505 +++++++++++ libstb/crypto/pkcs7/pkcs7.h | 178 ++++ libstb/drivers/tpm_i2c_nuvoton.c | 2 + libstb/mbedtls/Makefile.inc | 11 - libstb/mbedtls/sha512.c | 480 ---------- libstb/mbedtls/sha512.h | 141 --- libstb/secvar/Makefile.inc | 3 +- libstb/secvar/backend/Makefile.inc | 4 +- libstb/secvar/backend/edk2-compat.c | 877 +++++++++++++++++++ libstb/secvar/backend/edk2.h | 243 +++++ libstb/secvar/secvar.h | 1 + libstb/secvar/secvar_tpmnv.c | 265 ++++++ libstb/secvar/secvar_tpmnv.h | 16 + libstb/secvar/secvar_util.c | 10 + libstb/secvar/storage/Makefile.inc | 4 +- libstb/secvar/storage/secboot_tpm.c | 267 ++++++ libstb/secvar/storage/secboot_tpm.h | 26 + libstb/secvar/test/Makefile.check | 8 +- libstb/secvar/test/data/KEK.h | 170 ++++ libstb/secvar/test/data/PK1.h | 170 ++++ libstb/secvar/test/data/edk2_test_data.h | 764 ++++++++++++++++ libstb/secvar/test/data/multipleDB.h | 246 ++++++ libstb/secvar/test/data/multipleKEK.h | 236 +++++ libstb/secvar/test/data/multiplePK.h | 236 +++++ libstb/secvar/test/data/noPK.h | 102 +++ libstb/secvar/test/secvar-test-edk2-compat.c | 394 +++++++++ libstb/secvar/test/secvar-test-secboot-tpm.c | 142 +++ libstb/secvar/test/secvar_common_test.c | 2 + libstb/tpm_chip.h | 19 +- libstb/tss2/Makefile.inc | 39 + libstb/tss2/ibmtpm20tss | 1 + libstb/tss2/netinet/in.h | 13 + libstb/tss2/tpm2.c | 38 + libstb/tss2/tpm2.h | 49 ++ libstb/tss2/tssskiboot.c | 527 +++++++++++ libstb/tss2/tssskiboot.h | 62 ++ platforms/astbmc/witherspoon.c | 13 + 47 files changed, 5964 insertions(+), 661 deletions(-) create mode 100644 .gitmodules create mode 100644 doc/secvar/edk2.rst create mode 100644 libstb/crypto/Makefile.inc create mode 160000 libstb/crypto/mbedtls create mode 100644 libstb/crypto/mbedtls-config.h create mode 100644 libstb/crypto/pkcs7/Makefile.inc create mode 100644 libstb/crypto/pkcs7/pkcs7.c create mode 100644 libstb/crypto/pkcs7/pkcs7.h delete mode 100644 libstb/mbedtls/Makefile.inc delete mode 100644 libstb/mbedtls/sha512.c delete mode 100644 libstb/mbedtls/sha512.h create mode 100644 libstb/secvar/backend/edk2-compat.c create mode 100644 libstb/secvar/backend/edk2.h create mode 100644 libstb/secvar/secvar_tpmnv.c create mode 100644 libstb/secvar/secvar_tpmnv.h create mode 100644 libstb/secvar/storage/secboot_tpm.c create mode 100644 libstb/secvar/storage/secboot_tpm.h create mode 100644 libstb/secvar/test/data/KEK.h create mode 100644 libstb/secvar/test/data/PK1.h create mode 100644 libstb/secvar/test/data/edk2_test_data.h create mode 100644 libstb/secvar/test/data/multipleDB.h create mode 100644 libstb/secvar/test/data/multipleKEK.h create mode 100644 libstb/secvar/test/data/multiplePK.h create mode 100644 libstb/secvar/test/data/noPK.h create mode 100644 libstb/secvar/test/secvar-test-edk2-compat.c create mode 100644 libstb/secvar/test/secvar-test-secboot-tpm.c create mode 100644 libstb/tss2/Makefile.inc create mode 160000 libstb/tss2/ibmtpm20tss create mode 100644 libstb/tss2/netinet/in.h create mode 100644 libstb/tss2/tpm2.c create mode 100644 libstb/tss2/tpm2.h create mode 100644 libstb/tss2/tssskiboot.c create mode 100644 libstb/tss2/tssskiboot.h