From patchwork Sat Oct 26 09:45:42 2019
From: Eric Richter <erichte@linux.ibm.com>
To: skiboot@lists.ozlabs.org
Cc: nayna@linux.ibm.com
Date: Sat, 26 Oct 2019 04:45:42 -0500
Message-Id: <20191026094553.26635-1-erichte@linux.ibm.com>
Subject: [Skiboot] [PATCH v4 00/11] Add Secure Variable Support
X-Patchwork-Id: 1184596

This version of the patch set contains a lot of smaller under-the-hood changes that have been building up over time. Many changes were centered around reworking the information that needed to be exposed to the kernel via the device tree. More importantly, the storage driver now contains all the logic it was intended to have, just without actually using the TPM.

This set is unfortunately still a bit drafty. The edk2 backend does not properly validate updates at the moment, but the general idea of the implementation is there. The documentation is still lacking as well, and will likely come as a hotpatch.

Changes in V4:
 - removed ibm,secureboot version bump
 - secvar node is now a child of ibm,opal, drivers now maintain their own sub-nodes
 - implemented all logic requiring a tpm in the storage driver (but it doesn't actually use a tpm)
 - added new TPM NV high-level storage api
 - added mbedtls as a git submodule
 - added draft edk2 backend document

PREVIOUS COVER LETTER:

The previous implementation "Initial Skiboot Secure Variable Support" tied the OPAL runtime service API too tightly to the variable processing backend. Therefore, if the variable processing design had to be changed or updated, so did the API.

This patch set redesigns the previous set to support a generic OPAL API, and pluggable drivers for persistent variable storage and variable processing. Platforms may support different storage hardware, therefore a platform must be able to select the proper storage driver for persisting variables.
Platforms may also select the backend used to manipulate secure variables. The backend determines the format in which the variables are stored, and how the variables are authenticated and updated.

This patch set includes the base implementation to support secure variables, and the updated OPAL runtime service API. This set also includes draft implementations for a pnor-based storage driver, and an edk2-derived backend driver. This backend driver depends on mbedtls-based crypto support, which will be in a separate forthcoming patch set. The draft implementation of the backend driver has the crypto-dependent code commented out for sake of compilation.

Changes in V3:
 - Removed metadata field in secure variable struct, APIs, etc
 - Removed opal_secvar_get_size
 - Add probe_secvar() call to bump ibm,secureboot/compatible before secureboot/trustedboot initialization
 - Removed fixed-size data allocation in secvar struct to conserve space
 - Expanded documentation updates
 - Included initial implementation of secvar API unit testing
 - Minor other fixes as mentioned in individual patch descriptions

Changes in V2:
 - ibm,secureboot compatible is set to -v3
 - added secvar device tree node
 - removed opal_secvar_backend
 - added API and secvar DT node documentation
 - minor fixes/changes (see patch descriptions)

Claudio Carvalho (1):
  core/flash.c: add SECBOOT read and write support

Eric Richter (8):
  libstb/secvar: add secure variable internal abstraction
  secvar_tpmnv: add high-level tpm nv index abstraction for secvar
  libstb/secvar: add secvar api implementation
  doc: add opal secure variable documentation
  secvar/test: add rudimentary secvar API unit testing
  secvar/storage: add draft secvar storage driver for pnor-based p9 platforms
  crypto: add mbedtls build integration via git submodule
  witherspoon: enable secvar for witherspoon platform

Nayna Jain (2):
  crypto: add out-of-tree mbedtls pkcs7 parser
  secvar/backend: add edk2 derived key updates processing

 .gitmodules                                   |   4 +
 Makefile.main                                 |   1 +
 ccan/list/list.h                              |  38 ++
 core/flash.c                                  | 130 ++++
 core/init.c                                   |   4 +
 doc/device-tree/ibm,secureboot.rst            |  10 +
 doc/device-tree/secvar.rst                    |  84 +++
 doc/opal-api/opal-secvar.rst                  | 192 ++++++
 doc/secvar/edk2.rst                           |  49 ++
 include/opal-api.h                            |   5 +-
 include/platform.h                            |   6 +
 include/secvar.h                              |  45 ++
 libstb/Makefile.inc                           |   6 +-
 libstb/crypto/Makefile.inc                    |  22 +
 libstb/crypto/mbedtls                         |   1 +
 libstb/crypto/mbedtls-config.h                |  98 ++++
 libstb/crypto/pkcs7/Makefile.inc              |  10 +
 libstb/crypto/pkcs7/pkcs7.c                   | 476 +++++++++++++++
 libstb/crypto/pkcs7/pkcs7.h                   | 176 ++++++
 libstb/secvar/Makefile.inc                    |  14 +
 libstb/secvar/backend/Makefile.inc            |  13 +
 .../secvar/backend/edk2-compat/edk2-compat.c  | 555 ++++++++++++++++++
 libstb/secvar/backend/edk2-compat/edk2.h      | 249 ++++++++
 libstb/secvar/secvar.h                        |  60 ++
 libstb/secvar/secvar_api.c                    | 158 +++++
 libstb/secvar/secvar_devtree.c                | 136 +++++
 libstb/secvar/secvar_devtree.h                |  15 +
 libstb/secvar/secvar_main.c                   |  89 +++
 libstb/secvar/secvar_tpmnv.c                  | 167 ++++++
 libstb/secvar/secvar_tpmnv.h                  |  11 +
 libstb/secvar/secvar_util.c                   | 106 ++++
 libstb/secvar/storage/Makefile.inc            |  11 +
 libstb/secvar/storage/secboot_tpm.c           | 309 ++++++++++
 libstb/secvar/test/Makefile.check             |  46 ++
 libstb/secvar/test/secvar-test-enqueue.c      | 160 +++++
 libstb/secvar/test/secvar-test-getvar.c       | 112 ++++
 libstb/secvar/test/secvar-test-nextvar.c      | 132 +++++
 libstb/secvar/test/secvar-test-secboot-tpm.c  | 134 +++++
 libstb/secvar/test/secvar-test-void.c         |  24 +
 libstb/secvar/test/secvar_api_test.c          |  92 +++
 libstb/secvar/test/secvar_common_test.c       |  64 ++
 platforms/astbmc/witherspoon.c                |   7 +
 42 files changed, 4019 insertions(+), 2 deletions(-)
 create mode 100644 .gitmodules
 create mode 100644 doc/device-tree/secvar.rst
 create mode 100644 doc/opal-api/opal-secvar.rst
 create mode 100644 doc/secvar/edk2.rst
 create mode 100644 include/secvar.h
 create mode 100644 libstb/crypto/Makefile.inc
 create mode 160000 libstb/crypto/mbedtls
 create mode 100644 libstb/crypto/mbedtls-config.h
 create mode 100644 libstb/crypto/pkcs7/Makefile.inc
 create mode 100644 libstb/crypto/pkcs7/pkcs7.c
 create mode 100644 libstb/crypto/pkcs7/pkcs7.h
 create mode 100644 libstb/secvar/Makefile.inc
 create mode 100644 libstb/secvar/backend/Makefile.inc
 create mode 100644 libstb/secvar/backend/edk2-compat/edk2-compat.c
 create mode 100644 libstb/secvar/backend/edk2-compat/edk2.h
 create mode 100644 libstb/secvar/secvar.h
 create mode 100644 libstb/secvar/secvar_api.c
 create mode 100644 libstb/secvar/secvar_devtree.c
 create mode 100644 libstb/secvar/secvar_devtree.h
 create mode 100644 libstb/secvar/secvar_main.c
 create mode 100644 libstb/secvar/secvar_tpmnv.c
 create mode 100644 libstb/secvar/secvar_tpmnv.h
 create mode 100644 libstb/secvar/secvar_util.c
 create mode 100644 libstb/secvar/storage/Makefile.inc
 create mode 100644 libstb/secvar/storage/secboot_tpm.c
 create mode 100644 libstb/secvar/test/Makefile.check
 create mode 100644 libstb/secvar/test/secvar-test-enqueue.c
 create mode 100644 libstb/secvar/test/secvar-test-getvar.c
 create mode 100644 libstb/secvar/test/secvar-test-nextvar.c
 create mode 100644 libstb/secvar/test/secvar-test-secboot-tpm.c
 create mode 100644 libstb/secvar/test/secvar-test-void.c
 create mode 100644 libstb/secvar/test/secvar_api_test.c
 create mode 100644 libstb/secvar/test/secvar_common_test.c
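The design point of the cover letter is the split between a generic variable API and two pluggable drivers: one that persists the variable bank (the storage driver) and one that decides the variable format and how updates are authenticated (the backend driver). The following is an added illustration written for this page, not code from the skiboot patch set; every identifier in it (sv_ctx, sv_storage_driver, sv_backend_driver, sv_enqueue_update, sv_get, the in-memory storage driver and the marker-byte check that stands in for signature verification) is hypothetical. It shows why the split matters: the API layer reaches the drivers only through ops tables, so a different storage medium or a different update format is a table swap rather than an API change, and an update that fails the backend's validation never touches the bank or the storage.

```c
/* Added example (not skiboot code): generic secure variable API over
 * pluggable storage and backend drivers. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SV_MAX_VARS 8
#define SV_NAME_LEN 32
#define SV_DATA_LEN 64

struct sv_var {
	char name[SV_NAME_LEN];
	uint8_t data[SV_DATA_LEN];
	size_t len;
};

struct sv_bank {
	struct sv_var vars[SV_MAX_VARS];
	size_t count;
};

/* Storage driver: how a bank is persisted (flash, TPM NV, ...). */
struct sv_storage_driver {
	const char *name;
	int (*load)(struct sv_bank *bank);
	int (*store)(const struct sv_bank *bank);
};

/* Backend driver: the variable format and how updates are authenticated. */
struct sv_backend_driver {
	const char *name;
	int (*validate)(const struct sv_var *update);
	int (*process)(struct sv_bank *bank, const struct sv_var *update);
};

/* In-memory storage driver: stands in for a pnor/TPM-backed driver. */
static struct sv_bank mem_persisted;
static int mem_load(struct sv_bank *bank) { *bank = mem_persisted; return 0; }
static int mem_store(const struct sv_bank *bank) { mem_persisted = *bank; return 0; }
static const struct sv_storage_driver mem_storage = { "mem", mem_load, mem_store };

/* Toy backend: an update is accepted only if its last byte is a marker.
 * A real edk2-style backend would verify a signature over the update here. */
#define TOY_AUTH_MARK 0xA5
static int toy_validate(const struct sv_var *u)
{
	if (u->len < 1 || u->len > SV_DATA_LEN)
		return -1;
	return u->data[u->len - 1] == TOY_AUTH_MARK ? 0 : -1;
}

static int toy_process(struct sv_bank *bank, const struct sv_var *u)
{
	size_t i;
	for (i = 0; i < bank->count; i++)
		if (strcmp(bank->vars[i].name, u->name) == 0)
			break;
	if (i == bank->count) {
		if (bank->count == SV_MAX_VARS)
			return -1;
		bank->count++;
		memset(&bank->vars[i], 0, sizeof(bank->vars[i]));
		strncpy(bank->vars[i].name, u->name, SV_NAME_LEN - 1);
	}
	bank->vars[i].len = u->len - 1;          /* strip the marker byte */
	memcpy(bank->vars[i].data, u->data, bank->vars[i].len);
	return 0;
}
static const struct sv_backend_driver toy_backend = { "toy", toy_validate, toy_process };

/* Generic API layer: knows neither the storage medium nor the format. */
struct sv_ctx {
	const struct sv_storage_driver *storage;
	const struct sv_backend_driver *backend;
	struct sv_bank bank;
};

int sv_init(struct sv_ctx *c, const struct sv_storage_driver *s,
	    const struct sv_backend_driver *b)
{
	c->storage = s;
	c->backend = b;
	return s->load(&c->bank);
}

/* Validate first; a rejected update never reaches the bank or storage. */
int sv_enqueue_update(struct sv_ctx *c, const struct sv_var *u)
{
	if (c->backend->validate(u) != 0)
		return -1;
	if (c->backend->process(&c->bank, u) != 0)
		return -1;
	return c->storage->store(&c->bank);
}

const struct sv_var *sv_get(const struct sv_ctx *c, const char *name)
{
	for (size_t i = 0; i < c->bank.count; i++)
		if (strcmp(c->bank.vars[i].name, name) == 0)
			return &c->bank.vars[i];
	return NULL;
}

/* Constructed test input: a payload with or without the marker appended. */
struct sv_var sv_make_update(const char *name, const char *payload, int with_mark)
{
	struct sv_var u;
	memset(&u, 0, sizeof(u));
	strncpy(u.name, name, SV_NAME_LEN - 1);
	u.len = strlen(payload);
	memcpy(u.data, payload, u.len);
	if (with_mark)
		u.data[u.len++] = TOY_AUTH_MARK;
	return u;
}
```

Swapping `mem_storage` for a flash-backed table, or `toy_backend` for one that parses an edk2-format authenticated update, leaves `sv_init`, `sv_enqueue_update` and `sv_get` untouched, which is the decoupling the redesign is after.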