mbox series

[v6,00/20] Add initial secure variable storage and backend drivers

Message ID 20200916162131.22478-1-erichte@linux.ibm.com
Headers show
Series Add initial secure variable storage and backend drivers | expand

Message

Eric Richter Sept. 16, 2020, 4:21 p.m. UTC 
This is a new revision with the following changes:

Patch 13, secvar/storage/secboot_tpm:
 - added a comment to the nv indices to clarify that they are calculated
     BEFORE writelock is set
 - added manufacturing-provisioned TPM NV public name hashes
 - redefine the NV indices if the above hashes are detected
 - restructured the init flow to accomodate the above changes

Patch 17, crypto/pkcs7:
 - allow parsing bare SignedData blobs
 - mbedtls_pkcs7_parse_der now returns the data type instead of 0 on
   success
 - adjusted for feedback based on ongoing pull request
 - now errors if it detects multiple signers (only single is supported
   for now)

Patch 18, secvar/backend/edk2:
 - fix esl validation to allow hash for dbx variable
 - fix unneccessary prlog in validate_cert()
 - fix handling of the return from pkcs7 parsing

Patch 19, secvar/backend/edk2-test:
 - added new unit test for dbx
 - updated for changes in the pkcs7 parser
 - cleaned up test data formatting
 - add pkcs7 blob vs pkcs7 signed data blob test

All other patches are the same as the previous v5 version.

This patch set depends on the following patch sets:
Improve mbedtls Infrastructure
https://lists.ozlabs.org/pipermail/skiboot/2020-April/016711.html

Advance TSS Infrastructure
https://lists.ozlabs.org/pipermail/skiboot/2020-June/016962.html


Claudio Carvalho (1):
  core/flash.c: add SECBOOT read and write support

Eric Richter (14):
  libstb/secureboot: expose secureboot_enforce for later use in secvar
  include/secvar.h: add .lockdown() hook to secvar storage driver
  secvar_main: rework secvar_main error flow, make storage locking
    explicit
  secvar_util: add new helper functions
  secvar: overhaul secvar struct by removing static sized fields
  secvar/test: update API tests for new secvar struct
  secvar_devtree: add physical presence mode helper
  doc/secvar: add document detailing secvar driver API
  secvar/storage: add secvar storage driver for pnor-based p9
  secvar/storage/fakenv: add fake tpm operations for testing
  secvar/test: add secboot_tpm storage driver test cases
  secvar/storage: add utility tool to generate NV public name hashes
  secvar/test: add edk2-compat driver test and test data
  witherspoon: enable secvar for witherspoon platform

Nayna Jain (5):
  libstb/secureboot: OS Secure Boot is enabled only if FW secureboot is
    enabled
  secvar: change backend hook interface to take in bank references
  hdata/spira: add physical presence flags
  crypto: add out-of-tree mbedtls pkcs7 parser
  secvar/backend: add edk2 derived key updates processing

 core/flash.c                                  | 126 +++
 core/init.c                                   |   2 +-
 doc/device-tree/ibm,secureboot.rst            |  17 +
 doc/secvar/driver-api.rst                     | 312 +++++++
 doc/secvar/edk2.rst                           |  49 ++
 doc/secvar/secboot_tpm.rst                    | 175 ++++
 hdata/spira.c                                 |  11 +
 hdata/spira.h                                 |   7 +-
 include/secvar.h                              |  31 +-
 include/skiboot.h                             |   3 +
 libstb/crypto/Makefile.inc                    |   4 +-
 libstb/crypto/mbedtls-config.h                |   1 +
 libstb/crypto/mbedtls/include/mbedtls/oid.h   |  11 +
 libstb/crypto/pkcs7/Makefile.inc              |  12 +
 libstb/crypto/pkcs7/pkcs7.c                   | 596 ++++++++++++++
 libstb/crypto/pkcs7/pkcs7.h                   | 225 ++++++
 libstb/secureboot.c                           |   7 +-
 libstb/secureboot.h                           |   2 +
 libstb/secvar/backend/Makefile.inc            |   4 +-
 libstb/secvar/backend/edk2-compat-process.c   | 762 ++++++++++++++++++
 libstb/secvar/backend/edk2-compat-process.h   |  63 ++
 libstb/secvar/backend/edk2-compat-reset.c     | 115 +++
 libstb/secvar/backend/edk2-compat-reset.h     |  24 +
 libstb/secvar/backend/edk2-compat.c           | 282 +++++++
 libstb/secvar/backend/edk2.h                  | 251 ++++++
 libstb/secvar/secvar.h                        |  29 +-
 libstb/secvar/secvar_api.c                    |  68 +-
 libstb/secvar/secvar_devtree.c                |  15 +
 libstb/secvar/secvar_devtree.h                |   2 +
 libstb/secvar/secvar_main.c                   |  89 +-
 libstb/secvar/secvar_util.c                   | 108 ++-
 libstb/secvar/storage/Makefile.inc            |  11 +-
 libstb/secvar/storage/fakenv_ops.c            | 175 ++++
 libstb/secvar/storage/gen_tpmnv_public_name.c | 107 +++
 libstb/secvar/storage/secboot_tpm.c           | 737 +++++++++++++++++
 libstb/secvar/storage/secboot_tpm.h           |  61 ++
 libstb/secvar/storage/tpmnv_ops.c             |  15 +
 libstb/secvar/test/Makefile.check             |  11 +-
 libstb/secvar/test/data/KEK.h                 | 161 ++++
 libstb/secvar/test/data/OldTSKEK.h            | 161 ++++
 libstb/secvar/test/data/PK.h                  | 161 ++++
 libstb/secvar/test/data/db.h                  | 161 ++++
 libstb/secvar/test/data/dbsigneddata.h        | 160 ++++
 libstb/secvar/test/data/dbx.h                 | 102 +++
 libstb/secvar/test/data/dbxmalformed.h        | 105 +++
 libstb/secvar/test/data/dbxsha512.h           | 104 +++
 libstb/secvar/test/data/invalidkek.h          | 161 ++++
 libstb/secvar/test/data/malformedkek.h        | 102 +++
 libstb/secvar/test/data/multipleDB.h          | 225 ++++++
 libstb/secvar/test/data/multipleKEK.h         | 225 ++++++
 libstb/secvar/test/data/multiplePK.h          | 224 +++++
 libstb/secvar/test/data/noPK.h                |  98 +++
 libstb/secvar/test/secvar-test-edk2-compat.c  | 291 +++++++
 libstb/secvar/test/secvar-test-enqueue.c      |   6 +-
 libstb/secvar/test/secvar-test-getvar.c       |  21 +-
 libstb/secvar/test/secvar-test-nextvar.c      |  26 +-
 libstb/secvar/test/secvar-test-secboot-tpm.c  | 143 ++++
 libstb/secvar/test/secvar_common_test.c       |   2 +
 platforms/astbmc/witherspoon.c                |   7 +
 59 files changed, 7014 insertions(+), 152 deletions(-)
 create mode 100644 doc/secvar/driver-api.rst
 create mode 100644 doc/secvar/edk2.rst
 create mode 100644 doc/secvar/secboot_tpm.rst
 create mode 100644 libstb/crypto/pkcs7/Makefile.inc
 create mode 100644 libstb/crypto/pkcs7/pkcs7.c
 create mode 100644 libstb/crypto/pkcs7/pkcs7.h
 create mode 100644 libstb/secvar/backend/edk2-compat-process.c
 create mode 100644 libstb/secvar/backend/edk2-compat-process.h
 create mode 100644 libstb/secvar/backend/edk2-compat-reset.c
 create mode 100644 libstb/secvar/backend/edk2-compat-reset.h
 create mode 100644 libstb/secvar/backend/edk2-compat.c
 create mode 100644 libstb/secvar/backend/edk2.h
 create mode 100644 libstb/secvar/storage/fakenv_ops.c
 create mode 100644 libstb/secvar/storage/gen_tpmnv_public_name.c
 create mode 100644 libstb/secvar/storage/secboot_tpm.c
 create mode 100644 libstb/secvar/storage/secboot_tpm.h
 create mode 100644 libstb/secvar/storage/tpmnv_ops.c
 create mode 100644 libstb/secvar/test/data/KEK.h
 create mode 100644 libstb/secvar/test/data/OldTSKEK.h
 create mode 100644 libstb/secvar/test/data/PK.h
 create mode 100644 libstb/secvar/test/data/db.h
 create mode 100644 libstb/secvar/test/data/dbsigneddata.h
 create mode 100644 libstb/secvar/test/data/dbx.h
 create mode 100644 libstb/secvar/test/data/dbxmalformed.h
 create mode 100644 libstb/secvar/test/data/dbxsha512.h
 create mode 100644 libstb/secvar/test/data/invalidkek.h
 create mode 100644 libstb/secvar/test/data/malformedkek.h
 create mode 100644 libstb/secvar/test/data/multipleDB.h
 create mode 100644 libstb/secvar/test/data/multipleKEK.h
 create mode 100644 libstb/secvar/test/data/multiplePK.h
 create mode 100644 libstb/secvar/test/data/noPK.h
 create mode 100644 libstb/secvar/test/secvar-test-edk2-compat.c
 create mode 100644 libstb/secvar/test/secvar-test-secboot-tpm.c