diff mbox series

[v2,3/9] secureboot: initialize secure variables if supported by the platform

Message ID 20190625220215.27134-4-erichte@linux.ibm.com
State RFC
Headers show
Series Add Secure Variable Support | expand

Checks

Context Check Description
snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot-dco success Signed-off-by present
snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot fail Test snowpatch/job/snowpatch-skiboot on branch master
snowpatch_ozlabs/apply_patch success Successfully applied on branch master (b904cb733750de1bb0e04e5012c391a9c3094d11)

Commit Message

Eric Richter June 25, 2019, 10:02 p.m. UTC
Platforms determine whether or not they support secure boot by implementing
a specific hook. After firmware secureboot has been initialized, if the
platform hook has been implemented, we increase the secureboot version to
"ibm,secureboot-v3" indicating secure variables are supported. The secure
variables are then initialized.

Signed-off-by: Eric Richter <erichte@linux.ibm.com>
---
 libstb/secureboot.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

Comments

Eric Richter June 28, 2019, 2:06 p.m. UTC | #1
On 6/25/19 5:02 PM, Eric Richter wrote:
> Platforms determine whether or not they support secure boot by implementing
> a specific hook. After firmware secureboot has been initialized, if the
> platform hook has been implemented, we increase the secureboot version to
> "ibm,secureboot-v3" indicating secure variables are supported. The secure
> variables are then initialized.
> 
> Signed-off-by: Eric Richter <erichte@linux.ibm.com>
> ---
>  libstb/secureboot.c | 23 +++++++++++++++++++++++
>  1 file changed, 23 insertions(+)
> 
> diff --git a/libstb/secureboot.c b/libstb/secureboot.c
> index 1578f52e..d8ed61b8 100644
> --- a/libstb/secureboot.c
> +++ b/libstb/secureboot.c
> @@ -75,6 +75,24 @@ bool secureboot_is_compatible(struct dt_node *node, int *version, const char **c
>  	return false;
>  }
> 
> +static int update_secureboot_compatible(void)
> +{
> +	struct dt_node *sb_node;
> +	struct dt_property *sb_compat;
> +
> +	sb_node = dt_find_by_path(dt_root, "/ibm,secureboot/");
> +	if (!sb_node)
> +		return 1;
> +
> +	sb_compat = (struct dt_property*) dt_find_property(sb_node, "compatible");
> +	if (!sb_compat)
> +		return 2;
> +
> +	strcpy(sb_compat->prop, "ibm,secureboot-v3");
> +
> +	return 0;
> +}
> +
>  void secureboot_init(void)
>  {
>  	struct dt_node *node;
> @@ -170,6 +188,11 @@ void secureboot_init(void)
>  	if (cvc_init())
>  		secureboot_enforce();
> 
> +	if (platform.secvar_init) {
> +		if (update_secureboot_compatible())
> +			secureboot_enforce();
> +		platform.secvar_init();
> +	}

Turns out this is a terrible place to update the compatible property,
as trustedboot_init() still expects "ibm,secureboot-v2".

I have a patch in the works that will be sent with a V3 of the series that
instead probes for secure variable support prior to any secure boot related
initialization and increments the compatible version. Secure and trusted
boot init functions will also be updated to handle -v3.

>  	secure_init = true;
>  }
>
diff mbox series

Patch

diff --git a/libstb/secureboot.c b/libstb/secureboot.c
index 1578f52e..d8ed61b8 100644
--- a/libstb/secureboot.c
+++ b/libstb/secureboot.c
@@ -75,6 +75,24 @@  bool secureboot_is_compatible(struct dt_node *node, int *version, const char **c
 	return false;
 }
 
+static int update_secureboot_compatible(void)
+{
+	struct dt_node *sb_node;
+	struct dt_property *sb_compat;
+
+	sb_node = dt_find_by_path(dt_root, "/ibm,secureboot/");
+	if (!sb_node)
+		return 1;
+
+	sb_compat = (struct dt_property*) dt_find_property(sb_node, "compatible");
+	if (!sb_compat)
+		return 2;
+
+	strcpy(sb_compat->prop, "ibm,secureboot-v3");
+
+	return 0;
+}
+
 void secureboot_init(void)
 {
 	struct dt_node *node;
@@ -170,6 +188,11 @@  void secureboot_init(void)
 	if (cvc_init())
 		secureboot_enforce();
 
+	if (platform.secvar_init) {
+		if (update_secureboot_compatible())
+			secureboot_enforce();
+		platform.secvar_init();
+	}
 	secure_init = true;
 }