From patchwork Wed Sep 22 03:11:27 2021
X-Patchwork-Submitter: Eric Richter
X-Patchwork-Id: 1531004
From: Eric Richter
To: skiboot@lists.ozlabs.org
Cc: nayna@linux.ibm.com
Date: Tue, 21 Sep 2021 22:11:27 -0500
Message-Id: <20210922031129.4188386-7-erichte@linux.ibm.com>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20210922031129.4188386-1-erichte@linux.ibm.com>
References: <20210922031129.4188386-1-erichte@linux.ibm.com>
Subject: [Skiboot] [RFC 6/8] secvar/drivers: add an edk2-derived static key backend

The current edk2-compat-v1 backend expects the user of the system to enroll their own secure boot keys into variables to enable secure boot, and there is no behavior to allow default secure boot keys to be pre-loaded into variables for the hardware appliance use-case. This patch introduces a new backend driver that only exposes variables provided at compile-time, and will not process any updates. OS secure boot will always be enabled when utilizing this driver.
This driver uses the same format as the edk2-compat-v1 driver, so existing code (e.g. secvar-sysfs in linux) should be able to interact with this in the exact same manner. To effectively utilize this driver, it is recommended to at least provide PK and db variable data (in ESL form), according to the defaultvars specification.

RFC NOTE: This is a simple driver not intended to be directly used; the next patch will introduce a wrapper driver that will switch between using this driver and the original edk2-compat-v1 driver based on the secure boot mode. Consider this driver to be the SYSTEM_MODE behavior, and the original unmodified edk2-compat-v1 driver to be USER_MODE.

That said, I think it is still useful to provide as a standalone driver, rather than baked into the switchable wrapper driver -- it could be used on a system that does not have a protected form of storage (e.g. TPM) to still enable secure boot if a user wants to compile their own firmware, or on an appliance that does not want/need to be able to disable secure boot entirely. In both cases, it should be used with a no-op storage driver.

Signed-off-by: Eric Richter
---
 include/secvar.h                           |  1 +
 libstb/secvar/backend/Makefile.inc         |  2 +-
 libstb/secvar/backend/edk2-compat-static.c | 80 ++++++++++++++++++++++
 3 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 libstb/secvar/backend/edk2-compat-static.c
diff --git a/include/secvar.h b/include/secvar.h index 259b9b63..3b439eaf 100644 --- a/include/secvar.h +++ b/include/secvar.h @@ -40,6 +40,7 @@ struct secvar_backend_driver { extern struct secvar_storage_driver secboot_tpm_driver; extern struct secvar_storage_driver secboot_tpm_switchable_driver; extern struct secvar_backend_driver edk2_compatible_v1; +extern struct secvar_backend_driver edk2_compatible_v1_static; int secvar_main(struct secvar_storage_driver, struct secvar_backend_driver);
diff --git a/libstb/secvar/backend/Makefile.inc b/libstb/secvar/backend/Makefile.inc index 436f9faf..b929769f 100644 --- a/libstb/secvar/backend/Makefile.inc +++ b/libstb/secvar/backend/Makefile.inc @@ -5,7 +5,7 @@ SECVAR_BACKEND_DIR = libstb/secvar/backend SUBDIRS += $(SECVAR_BACKEND_DIR) -SECVAR_BACKEND_OBJS = edk2-compat.o edk2-compat-process.o edk2-compat-reset.o +SECVAR_BACKEND_OBJS = edk2-compat.o edk2-compat-process.o edk2-compat-reset.o edk2-compat-static.o SECVAR_BACKEND = $(SECVAR_BACKEND_DIR)/built-in.a $(SECVAR_BACKEND): $(SECVAR_BACKEND_OBJS:%=$(SECVAR_BACKEND_DIR)/%) diff --git a/libstb/secvar/backend/edk2-compat-static.c b/libstb/secvar/backend/edk2-compat-static.c new file mode 100644 index 00000000..8c708a8c --- /dev/null +++ b/libstb/secvar/backend/edk2-compat-static.c 
@@ -0,0 +1,80 @@ +#include +#include "../secvar_devtree.h" +#include "../secvar.h" +#include "../defaultvars/secvar_default_vars.h" + +static int edk2_compat_pre_process_static(struct list_head *variable_bank, + struct list_head *update_bank __unused) +{ + struct secvar *var; + + /* Avoid unused if no static keys */ + (void) var; + (void) variable_bank; + +#ifdef SECVAR_DEFAULT_PK + var = new_secvar("PK", 3, secvar_default_PK, sizeof(secvar_default_PK), SECVAR_FLAG_VOLATILE); + if (!var) + return OPAL_NO_MEM; + + list_add_tail(variable_bank, &var->link); +#endif +#ifdef SECVAR_DEFAULT_KEK + var = new_secvar("KEK", 3, secvar_default_KEK, sizeof(secvar_default_KEK), SECVAR_FLAG_VOLATILE); + if (!var) + return OPAL_NO_MEM; + + list_add_tail(variable_bank, &var->link); +#endif +#ifdef SECVAR_DEFAULT_DB + var = new_secvar("db", 3, secvar_default_db, sizeof(secvar_default_db), SECVAR_FLAG_VOLATILE); + if (!var) + return OPAL_NO_MEM; + + list_add_tail(variable_bank, &var->link); +#endif +#ifdef SECVAR_DEFAULT_DBX + var = new_secvar("dbx", 3, secvar_default_dbx, sizeof(secvar_default_dbx), SECVAR_FLAG_VOLATILE); + if (!var) + return OPAL_NO_MEM; + + list_add_tail(variable_bank, &var->link); +#endif + + return OPAL_SUCCESS; +} + + +static int edk2_compat_process_static(struct list_head *variable_bank __unused, + struct list_head *update_bank __unused) +{ + /* No updates will ever be processed, so return an EMPTY here to signal + * that no updates were managed, and thus the storage driver doesn't have + * to do anything either. */ + return OPAL_EMPTY; +} + +static int edk2_compat_post_process_static(struct list_head *variable_bank __unused, + struct list_head *update_bank __unused) +{ + + /* Always set secure mode when using this static driver. */ + + secvar_set_secure_mode(); + + return OPAL_SUCCESS; +} + +static int edk2_compat_validate_static(struct secvar *var __unused) +{ + /* No updates are processed in static key mode. Reject all. 
*/ + return OPAL_PERMISSION; +}; + +struct secvar_backend_driver edk2_compatible_v1_static = { + .pre_process = edk2_compat_pre_process_static, + .process = edk2_compat_process_static, + .post_process = edk2_compat_post_process_static, + .validate = edk2_compat_validate_static, + .compatible = "ibm,edk2-compat-v1", // TODO: add an additional static compatible here? +};
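Review bot: in the edk2-compat-static.c hunk, edk2_compat_post_process_static() calls secvar_set_secure_mode() unconditionally, while edk2_compat_pre_process_static() only populates the bank inside the SECVAR_DEFAULT_PK/KEK/DB/DBX ifdefs, so a build with none of them defined (the path that needs the `(void) var;` and `(void) variable_bank;` casts) leaves the variable bank empty but still enables secure mode, and with no db there is nothing the OS loader can be verified against. The commit message only recommends providing PK and db; consider making that a build-time check (for example `#error` when SECVAR_DEFAULT_PK or SECVAR_DEFAULT_DB is not defined) so the empty-bank configuration cannot be compiled silently. Smaller points in the same hunk: the four `new_secvar(...)` / `if (!var) return OPAL_NO_MEM;` / `list_add_tail(...)` blocks differ only in the variable name and symbol and could be one helper or macro so the error path is written once; the `};` after edk2_compat_validate_static() is a stray semicolon (an empty file-scope declaration); and the `.compatible = "ibm,edk2-compat-v1"` TODO is worth resolving, since a consumer such as the secvar-sysfs code named in the commit message currently has no device-tree hint that this backend rejects every update with OPAL_PERMISSION.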