From: Eric Richter <erichte@linux.ibm.com>
To: skiboot@lists.ozlabs.org
Cc: nayna@linux.ibm.com
Date: Wed, 16 Sep 2020 11:21:11 -0500
Message-Id: <20200916162131.22478-1-erichte@linux.ibm.com>
Subject: [Skiboot] [PATCH v6 00/20] Add initial secure variable storage and backend drivers

This is a new revision with the following changes:

Patch 13, secvar/storage/secboot_tpm:
 - added a comment to the nv indices to clarify that they are calculated
   BEFORE writelock is set
 - added manufacturing-provisioned TPM NV public name hashes
 - redefine the NV indices if the above hashes are detected
 - restructured the init flow to accommodate the above changes

Patch 17, crypto/pkcs7:
 - allow parsing bare SignedData blobs
 - mbedtls_pkcs7_parse_der now returns the data type instead of 0 on success
 - adjusted for feedback based on ongoing pull request
 - now errors if it detects multiple signers (only single is supported for now)

Patch 18, secvar/backend/edk2:
 - fix esl validation to allow hash for dbx variable
 - fix unnecessary prlog in validate_cert()
 - fix handling of the return from pkcs7 parsing

Patch 19, secvar/backend/edk2-test:
 - added new unit test for dbx
 - updated for changes in the pkcs7 parser
 - cleaned up test data formatting
 - add pkcs7 blob vs pkcs7 signed data blob test

All other patches are the same as the previous v5 version.

This patch set depends on the following patch sets:

Improve mbedtls Infrastructure
https://lists.ozlabs.org/pipermail/skiboot/2020-April/016711.html

Advance TSS Infrastructure
https://lists.ozlabs.org/pipermail/skiboot/2020-June/016962.html

Claudio Carvalho (1):
  core/flash.c: add SECBOOT read and write support

Eric Richter (14):
  libstb/secureboot: expose secureboot_enforce for later use in secvar
  include/secvar.h: add .lockdown() hook to secvar storage driver
  secvar_main: rework secvar_main error flow, make storage locking explicit
  secvar_util: add new helper functions
  secvar: overhaul secvar struct by removing static sized fields
  secvar/test: update API tests for new secvar struct
  secvar_devtree: add physical presence mode helper
  doc/secvar: add document detailing secvar driver API
  secvar/storage: add secvar storage driver for pnor-based p9
  secvar/storage/fakenv: add fake tpm operations for testing
  secvar/test: add secboot_tpm storage driver test cases
  secvar/storage: add utility tool to generate NV public name hashes
  secvar/test: add edk2-compat driver test and test data
  witherspoon: enable secvar for witherspoon platform

Nayna Jain (5):
  libstb/secureboot: OS Secure Boot is enabled only if FW secureboot is enabled
  secvar: change backend hook interface to take in bank references
  hdata/spira: add physical presence flags
  crypto: add out-of-tree mbedtls pkcs7 parser
  secvar/backend: add edk2 derived key updates processing

 core/flash.c                                  | 126 +++
 core/init.c                                   |   2 +-
 doc/device-tree/ibm,secureboot.rst            |  17 +
 doc/secvar/driver-api.rst                     | 312 +++++++
 doc/secvar/edk2.rst                           |  49 ++
 doc/secvar/secboot_tpm.rst                    | 175 ++++
 hdata/spira.c                                 |  11 +
 hdata/spira.h                                 |   7 +-
 include/secvar.h                              |  31 +-
 include/skiboot.h                             |   3 +
 libstb/crypto/Makefile.inc                    |   4 +-
 libstb/crypto/mbedtls-config.h                |   1 +
 libstb/crypto/mbedtls/include/mbedtls/oid.h   |  11 +
 libstb/crypto/pkcs7/Makefile.inc              |  12 +
 libstb/crypto/pkcs7/pkcs7.c                   | 596 ++++++++++++++
 libstb/crypto/pkcs7/pkcs7.h                   | 225 ++++++
 libstb/secureboot.c                           |   7 +-
 libstb/secureboot.h                           |   2 +
 libstb/secvar/backend/Makefile.inc            |   4 +-
 libstb/secvar/backend/edk2-compat-process.c   | 762 ++++++++++++++++++
 libstb/secvar/backend/edk2-compat-process.h   |  63 ++
 libstb/secvar/backend/edk2-compat-reset.c     | 115 +++
 libstb/secvar/backend/edk2-compat-reset.h     |  24 +
 libstb/secvar/backend/edk2-compat.c           | 282 +++++++
 libstb/secvar/backend/edk2.h                  | 251 ++++++
 libstb/secvar/secvar.h                        |  29 +-
 libstb/secvar/secvar_api.c                    |  68 +-
 libstb/secvar/secvar_devtree.c                |  15 +
 libstb/secvar/secvar_devtree.h                |   2 +
 libstb/secvar/secvar_main.c                   |  89 +-
 libstb/secvar/secvar_util.c                   | 108 ++-
 libstb/secvar/storage/Makefile.inc            |  11 +-
 libstb/secvar/storage/fakenv_ops.c            | 175 ++++
 libstb/secvar/storage/gen_tpmnv_public_name.c | 107 +++
 libstb/secvar/storage/secboot_tpm.c           | 737 +++++++++++++++++
 libstb/secvar/storage/secboot_tpm.h           |  61 ++
 libstb/secvar/storage/tpmnv_ops.c             |  15 +
 libstb/secvar/test/Makefile.check             |  11 +-
 libstb/secvar/test/data/KEK.h                 | 161 ++++
 libstb/secvar/test/data/OldTSKEK.h            | 161 ++++
 libstb/secvar/test/data/PK.h                  | 161 ++++
 libstb/secvar/test/data/db.h                  | 161 ++++
 libstb/secvar/test/data/dbsigneddata.h        | 160 ++++
 libstb/secvar/test/data/dbx.h                 | 102 +++
 libstb/secvar/test/data/dbxmalformed.h        | 105 +++
 libstb/secvar/test/data/dbxsha512.h           | 104 +++
 libstb/secvar/test/data/invalidkek.h          | 161 ++++
 libstb/secvar/test/data/malformedkek.h        | 102 +++
 libstb/secvar/test/data/multipleDB.h          | 225 ++++++
 libstb/secvar/test/data/multipleKEK.h         | 225 ++++++
 libstb/secvar/test/data/multiplePK.h          | 224 +++++
 libstb/secvar/test/data/noPK.h                |  98 +++
 libstb/secvar/test/secvar-test-edk2-compat.c  | 291 +++++++
 libstb/secvar/test/secvar-test-enqueue.c      |   6 +-
 libstb/secvar/test/secvar-test-getvar.c       |  21 +-
 libstb/secvar/test/secvar-test-nextvar.c      |  26 +-
 libstb/secvar/test/secvar-test-secboot-tpm.c  | 143 ++++
 libstb/secvar/test/secvar_common_test.c       |   2 +
 platforms/astbmc/witherspoon.c                |   7 +
 59 files changed, 7014 insertions(+), 152 deletions(-)
 create mode 100644 doc/secvar/driver-api.rst
 create mode 100644 doc/secvar/edk2.rst
 create mode 100644 doc/secvar/secboot_tpm.rst
 create mode 100644 libstb/crypto/pkcs7/Makefile.inc
 create mode 100644 libstb/crypto/pkcs7/pkcs7.c
 create mode 100644 libstb/crypto/pkcs7/pkcs7.h
 create mode 100644 libstb/secvar/backend/edk2-compat-process.c
 create mode 100644 libstb/secvar/backend/edk2-compat-process.h
 create mode 100644 libstb/secvar/backend/edk2-compat-reset.c
 create mode 100644 libstb/secvar/backend/edk2-compat-reset.h
 create mode 100644 libstb/secvar/backend/edk2-compat.c
 create mode 100644 libstb/secvar/backend/edk2.h
 create mode 100644 libstb/secvar/storage/fakenv_ops.c
 create mode 100644 libstb/secvar/storage/gen_tpmnv_public_name.c
 create mode 100644 libstb/secvar/storage/secboot_tpm.c
 create mode 100644 libstb/secvar/storage/secboot_tpm.h
 create mode 100644 libstb/secvar/storage/tpmnv_ops.c
 create mode 100644 libstb/secvar/test/data/KEK.h
 create mode 100644 libstb/secvar/test/data/OldTSKEK.h
 create mode 100644 libstb/secvar/test/data/PK.h
 create mode 100644 libstb/secvar/test/data/db.h
 create mode 100644 libstb/secvar/test/data/dbsigneddata.h
 create mode 100644 libstb/secvar/test/data/dbx.h
 create mode 100644 libstb/secvar/test/data/dbxmalformed.h
 create mode 100644 libstb/secvar/test/data/dbxsha512.h
 create mode 100644 libstb/secvar/test/data/invalidkek.h
 create mode 100644 libstb/secvar/test/data/malformedkek.h
 create mode 100644 libstb/secvar/test/data/multipleDB.h
 create mode 100644 libstb/secvar/test/data/multipleKEK.h
 create mode 100644 libstb/secvar/test/data/multiplePK.h
 create mode 100644 libstb/secvar/test/data/noPK.h
 create mode 100644 libstb/secvar/test/secvar-test-edk2-compat.c
 create mode 100644 libstb/secvar/test/secvar-test-secboot-tpm.c