From patchwork Tue Feb 1 05:05:00 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joel Stanley X-Patchwork-Id: 1587073 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=pQcqzwBz; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org (client-ip=2404:9400:2:0:216:3eff:fee1:b9f1; helo=lists.ozlabs.org; envelope-from=linux-aspeed-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org; receiver=) Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2404:9400:2:0:216:3eff:fee1:b9f1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4JntD24YQBz9sCD for ; Tue, 1 Feb 2022 16:05:22 +1100 (AEDT) Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4JntD14Vhlz3bTr for ; Tue, 1 Feb 2022 16:05:21 +1100 (AEDT) Authentication-Results: lists.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=pQcqzwBz; dkim-atps=neutral X-Original-To: linux-aspeed@lists.ozlabs.org Delivered-To: linux-aspeed@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com (client-ip=2607:f8b0:4864:20::62d; helo=mail-pl1-x62d.google.com; envelope-from=joel.stan@gmail.com; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=pQcqzwBz; dkim-atps=neutral Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4JntCw3JM4z2yK6 for ; Tue, 1 Feb 2022 16:05:16 +1100 (AEDT) Received: by mail-pl1-x62d.google.com with SMTP id b15so14471881plg.3 for ; Mon, 31 Jan 2022 21:05:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=8HhN0Mo5AAEuJ7GLyfzVMfqoylDTPvGZrezMx4WuD1Y=; b=pQcqzwBzTMUt9lhcStTT9fwKTd+uM9KFGW/Xynp4UnrxScTW2VG33Teyi7PCL+v98j 6POqQnKQFswISlLtU1hDylQGsrJ0qYsaq8Fp6JhEs66Of+MKNRPSZneIImArPfuYgUn+ zdaF5/zKLPBZ77KtJF6uiTeUHGew/VLxlM3EFtTaz4Z926PX9SiXhaXButFkPqlVyWng 3eNlSiowJnArQTA46mnNNUkJtYWdXFQmJmkDIVTUrr7omZAivB/M4amoSlDdUx1iVUPa yAv9WWxSRi3tnMczSWHJyHkwcEhuIRWpBwSaoSDhBHx8pXgsfZK97aGdfPRMhVKs1Ect RQuw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=8HhN0Mo5AAEuJ7GLyfzVMfqoylDTPvGZrezMx4WuD1Y=; b=rtR1FAKhf9pWZeYniCb/K3W9UNNULJBx1ts6Z62GClDsw0XYnMoq7nlj0tTDCGsRcy BroAsd7WZlzl/dL2kEoxox6gEE0LdaCLzFNSso+RYzcadpR18hZ4OwDgMEvk0zxz6W+l rySkpTYsQWk/r5IYPvxeTNGaQwOozEhRHBAgDQ7OhQrBidhd7unhVd1xNn90OHp8JA51 TNIaWEs7hPEzYMXDB9wiDg8Ecsiv5I5sOIfugHcTx88YAzjhVVovJcvFdfn9Egxo22JQ wm9gM7ixnSTHfUNFLtmwtb9FUgt46/rxWOfBQQnFYM2PaGue5JjatrDV1UU9jvB80nhn oNYA== X-Gm-Message-State: AOAM530sRTJQe2qfX4QRCfoDYCMGg2Y7KOsSHC1iCXS3liZLtyiWa5iG fOI6lcSjgmAPrUrYogMhYzQ= X-Google-Smtp-Source: ABdhPJz5avUIU4+X4vd3nMCzoEWBcmSaRvczxUqWfR52EfwhLQGqxyCpeHdGLQIZDWK9NzHJ6jgwxQ== X-Received: by 2002:a17:90a:f298:: with SMTP id fs24mr350977pjb.75.1643691913680; Mon, 31 Jan 2022 21:05:13 -0800 (PST) Received: from voyager.lan ([45.124.203.14]) by smtp.gmail.com with ESMTPSA id u37sm6181991pga.2.2022.01.31.21.05.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 31 Jan 2022 21:05:13 -0800 (PST) From: Joel Stanley To: Arnd Bergmann , Andrew Jeffery , Greg Kroah-Hartman , "Rafael J . Wysocki" Subject: [PATCH 1/2] firmware: Add boot information sysfs Date: Tue, 1 Feb 2022 15:35:00 +1030 Message-Id: <20220201050501.182961-2-joel@jms.id.au> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220201050501.182961-1-joel@jms.id.au> References: <20220201050501.182961-1-joel@jms.id.au> MIME-Version: 1.0 X-BeenThere: linux-aspeed@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux ASPEED SoC development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-aspeed@lists.ozlabs.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Errors-To: linux-aspeed-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Linux-aspeed" Machines often have firmware that perform some action before Linux is loaded. It's useful to know how this firmware is configured, so create a sysfs directory and some example properties that a system can choose to expose to describe how the system was started. Currently the intended use describes five files, relating to hardware root of trust configuration. Signed-off-by: Joel Stanley --- .../ABI/testing/sysfs-firmware-bootinfo | 43 +++++++++++++++++++ drivers/base/firmware.c | 14 ++++++ include/linux/firmware_bootinfo.h | 8 ++++ 3 files changed, 65 insertions(+) create mode 100644 Documentation/ABI/testing/sysfs-firmware-bootinfo create mode 100644 include/linux/firmware_bootinfo.h diff --git a/Documentation/ABI/testing/sysfs-firmware-bootinfo b/Documentation/ABI/testing/sysfs-firmware-bootinfo new file mode 100644 index 000000000000..cd6c42316345 --- /dev/null +++ b/Documentation/ABI/testing/sysfs-firmware-bootinfo @@ -0,0 +1,43 @@ +What: /sys/firmware/bootinfo/* +Date: Jan 2022 +Description: + A system can expose information about how it was started in + this directory. + + This information is agnostic as to the firmware implementation. + + A system may expose a subset of these properties as applicable. + + +What: /sys/firmware/bootinfo/secure_boot +Date: Jan 2022 +Description: + Indicates the system was started with secure boot enabled in + the firmware. + + +What: /sys/firmware/bootinfo/abr_image +Date: Jan 2022 +Description: + Indicates the system was started from the alternate image + loaded from an Alternate Boot Region. Often this is a result of + the primary firmware image failing to start the system. + + +What: /sys/firmware/bootinfo/low_security_key +Date: Jan 2022 +Description: + Indicates the system's secure boot was verified with a low + security or development key. + +What: /sys/firmware/bootinfo/otp_protected +Date: Jan 2022 +Description: + Indicates the system's boot configuration region is write + protected and cannot be modified. + +What: /sys/firmware/bootinfo/uart_boot +Date: Jan 2022 +Description: + Indicates the system firmware was loaded from a UART instead of + an internal boot device. diff --git a/drivers/base/firmware.c b/drivers/base/firmware.c index 8dff940e0db9..2a6478aa178d 100644 --- a/drivers/base/firmware.c +++ b/drivers/base/firmware.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "base.h" @@ -24,3 +25,16 @@ int __init firmware_init(void) return -ENOMEM; return 0; } + +/* + * Exposes attributes documented in Documentation/ABI/testing/sysfs-firmware-bootinfo + */ +int __init firmware_bootinfo_init(const struct attribute_group *attr_group) +{ + struct kobject *kobj= kobject_create_and_add("bootinfo", firmware_kobj); + if (!kobj) + return -ENOMEM; + + return sysfs_create_group(kobj, attr_group); +} +EXPORT_SYMBOL_GPL(firmware_bootinfo_init); diff --git a/include/linux/firmware_bootinfo.h b/include/linux/firmware_bootinfo.h new file mode 100644 index 000000000000..581b68508ec8 --- /dev/null +++ b/include/linux/firmware_bootinfo.h @@ -0,0 +1,8 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +// Copyright 2022 IBM Corp + +#include +#include + +int __init firmware_bootinfo_init(const struct attribute_group *attr_group); + From patchwork Tue Feb 1 05:05:01 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joel Stanley X-Patchwork-Id: 1587075 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=cRTGOvUd; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org (client-ip=2404:9400:2:0:216:3eff:fee1:b9f1; helo=lists.ozlabs.org; envelope-from=linux-aspeed-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org; receiver=) Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2404:9400:2:0:216:3eff:fee1:b9f1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4JntD80gvFz9sCD for ; Tue, 1 Feb 2022 16:05:28 +1100 (AEDT) Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4JntD75tdyz3bV4 for ; Tue, 1 Feb 2022 16:05:27 +1100 (AEDT) Authentication-Results: lists.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=cRTGOvUd; dkim-atps=neutral X-Original-To: linux-aspeed@lists.ozlabs.org Delivered-To: linux-aspeed@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com (client-ip=2607:f8b0:4864:20::52e; helo=mail-pg1-x52e.google.com; envelope-from=joel.stan@gmail.com; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=cRTGOvUd; dkim-atps=neutral Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4JntD00wr4z2xKT for ; Tue, 1 Feb 2022 16:05:20 +1100 (AEDT) Received: by mail-pg1-x52e.google.com with SMTP id e9so14312171pgb.3 for ; Mon, 31 Jan 2022 21:05:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=KXZhXqP+hJTCEG0KLlnHSrSIKRsgu3yP6iR8K2/utRA=; b=cRTGOvUdVQ3VIpJHalZf12OyJMEycgkXop8Rx0kknHVuzOdzJ2MXCo9u3nKKw2GrGc PEZn8o0Xmseg8Zi1sphhHK9O1fd2s2IUN7UO/nY3Y6bqDFX6NtEZmqZqdGHdp9N9jKP6 i+Ls2/GRKXaFoYQvFXD5B/7aDkp7c4HzJh9a6tgunLySRbuB/xpwoXxxxCHaR4MUiktY 7dWUuETtJHy4bRiu1RRvaKHfEohjO18GsM2onAPSIa61wk0j7+GRgNzUcHVB/W2Wqd+i dSfoGiGC/iL8duI2rEPqjZyAV6AZMhm6L5zSoTyi5zdY0koHTXepGDEhtdQTUsrnsfxo MW0Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=KXZhXqP+hJTCEG0KLlnHSrSIKRsgu3yP6iR8K2/utRA=; b=Cf7ttnnQbAsd8quKxNBXHAU3SnKxH5CdYzm+o0jI4WqlAuGj4Gs55ltuHY1m7HoPT2 kBKc1pRNgQ25HFIwMjz7L4DBWlRkPHNF84sxvmOoJiVpB+P8CTGDGv5RvjWNrk+4K6zt Vy2yV941wvgPZttLPDnj79ifOzsO+uomZx7RBDvJDhA768/lDpYNgrIYjoSrWhAPfBQq ponlcXymtZGmeCHvKPFCZOTfeywSrI2km/mcfZWm7QDx6gzrA5WBqHX17KKLamHnmNmL 8cA1m7GZdGP6Cg3ebAvvxGE/YgmkSZL76LDtcNL5DhpRSfdriSbCWd7aj25kaBg+P9+8 sZag== X-Gm-Message-State: AOAM533W0JNIDwHpl96RmPbPtNO6E8bawOV42ARLiNnwyjb58Ma2aIZg hKJgSTHn9IU3XdwN8ihO85s= X-Google-Smtp-Source: ABdhPJyyiAnlj0jVqXEFutCAzEC/wZnZT8ZEHQEjaUAnr+6+PlrOSxgyRqfRvqoQBuDLXDpcscM7Lw== X-Received: by 2002:aa7:88c9:: with SMTP id k9mr23203828pff.58.1643691917941; Mon, 31 Jan 2022 21:05:17 -0800 (PST) Received: from voyager.lan ([45.124.203.14]) by smtp.gmail.com with ESMTPSA id u37sm6181991pga.2.2022.01.31.21.05.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 31 Jan 2022 21:05:17 -0800 (PST) From: Joel Stanley To: Arnd Bergmann , Andrew Jeffery , Greg Kroah-Hartman , "Rafael J . Wysocki" Subject: [PATCH 2/2] ARM: aspeed: Add secure boot controller support Date: Tue, 1 Feb 2022 15:35:01 +1030 Message-Id: <20220201050501.182961-3-joel@jms.id.au> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220201050501.182961-1-joel@jms.id.au> References: <20220201050501.182961-1-joel@jms.id.au> MIME-Version: 1.0 X-BeenThere: linux-aspeed@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux ASPEED SoC development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-aspeed@lists.ozlabs.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Errors-To: linux-aspeed-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Linux-aspeed" This reads out the status of the secure boot controller and exposes it in sysfs using the bootinfo sysfs api. An example on a AST2600A3 QEMU model: # grep -r . /sys/firmware/bootinfo/* /sys/firmware/bootinfo/abr_image:0 /sys/firmware/bootinfo/low_security_key:0 /sys/firmware/bootinfo/otp_protected:0 /sys/firmware/bootinfo/secure_boot:1 /sys/firmware/bootinfo/uart_boot:0 On boot the state of the system according to the secure boot controller will be printed: [ 0.037634] AST2600 secure boot enabled or [ 0.037935] AST2600 secure boot disabled The initialisation is changed from early_initcall to subsys_initcall because we need the firmware_kobj to be initialised, and because there's no requirement to print this information early. Signed-off-by: Joel Stanley Reviewed-by: Ryan Chen --- drivers/soc/aspeed/aspeed-socinfo.c | 84 ++++++++++++++++++++++++++++- 1 file changed, 83 insertions(+), 1 deletion(-) diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c index 1ca140356a08..fe77b31e4d1d 100644 --- a/drivers/soc/aspeed/aspeed-socinfo.c +++ b/drivers/soc/aspeed/aspeed-socinfo.c @@ -8,6 +8,9 @@ #include #include #include +#include + +static u32 security_status; static struct { const char *name; @@ -74,6 +77,83 @@ static const char *siliconid_to_rev(u32 siliconid) return "??"; } +#define SEC_STATUS 0x14 +#define ABR_IMAGE_SOURCE BIT(13) +#define OTP_PROTECTED BIT(8) +#define LOW_SEC_KEY BIT(7) +#define SECURE_BOOT BIT(6) +#define UART_BOOT BIT(5) + +static ssize_t abr_image_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + return sprintf(buf, "%d\n", !!(security_status & ABR_IMAGE_SOURCE)); +} +static DEVICE_ATTR_RO(abr_image); + +static ssize_t low_security_key_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + return sprintf(buf, "%d\n", !!(security_status & LOW_SEC_KEY)); +} +static DEVICE_ATTR_RO(low_security_key); + +static ssize_t otp_protected_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + return sprintf(buf, "%d\n", !!(security_status & OTP_PROTECTED)); +} +static DEVICE_ATTR_RO(otp_protected); + +static ssize_t secure_boot_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + return sprintf(buf, "%d\n", !!(security_status & SECURE_BOOT)); +} +static DEVICE_ATTR_RO(secure_boot); + +static ssize_t uart_boot_show(struct device *dev, struct device_attribute *attr, char *buf) +{ + /* Invert the bit, as 1 is boot from SPI/eMMC */ + return sprintf(buf, "%d\n", !(security_status & UART_BOOT)); +} +static DEVICE_ATTR_RO(uart_boot); + +static struct attribute *aspeed_attrs[] = { + &dev_attr_abr_image.attr, + &dev_attr_low_security_key.attr, + &dev_attr_otp_protected.attr, + &dev_attr_secure_boot.attr, + &dev_attr_uart_boot.attr, + NULL, +}; +ATTRIBUTE_GROUPS(aspeed); + +static int __init aspeed_bootinfo_init(void) +{ + struct device_node *np; + void __iomem *base; + + /* AST2600 only */ + np = of_find_compatible_node(NULL, NULL, "aspeed,ast2600-sbc"); + if (!of_device_is_available(np)) + return -ENODEV; + + base = of_iomap(np, 0); + if (!base) { + of_node_put(np); + return -ENODEV; + } + + security_status = readl(base + SEC_STATUS); + + iounmap(base); + of_node_put(np); + + firmware_bootinfo_init(aspeed_groups[0]); + + pr_info("AST2600 secure boot %s\n", + (security_status & SECURE_BOOT) ? "enabled" : "disabled"); + + return 0; +} + static int __init aspeed_socinfo_init(void) { struct soc_device_attribute *attrs; @@ -148,6 +228,8 @@ static int __init aspeed_socinfo_init(void) attrs->revision, attrs->soc_id); + aspeed_bootinfo_init(); + return 0; } -early_initcall(aspeed_socinfo_init); +subsys_initcall(aspeed_socinfo_init);