Message ID | 20190625220215.27134-4-erichte@linux.ibm.com |
---|---|
State | RFC |
Headers | show |
Series | Add Secure Variable Support | expand |
Context | Check | Description |
---|---|---|
snowpatch_ozlabs/apply_patch | success | Successfully applied on branch master (b904cb733750de1bb0e04e5012c391a9c3094d11) |
snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot | fail | Test snowpatch/job/snowpatch-skiboot on branch master |
snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot-dco | success | Signed-off-by present |
On 6/25/19 5:02 PM, Eric Richter wrote: > Platforms determine whether or not they support secure boot by implementing > a specific hook. After firmware secureboot has been initialized, if the > platform hook has been implemented, we increase the secureboot version to > "ibm,secureboot-v3" indicating secure variables are supported. The secure > variables are then initialized. > > Signed-off-by: Eric Richter <erichte@linux.ibm.com> > --- > libstb/secureboot.c | 23 +++++++++++++++++++++++ > 1 file changed, 23 insertions(+) > > diff --git a/libstb/secureboot.c b/libstb/secureboot.c > index 1578f52e..d8ed61b8 100644 > --- a/libstb/secureboot.c > +++ b/libstb/secureboot.c > @@ -75,6 +75,24 @@ bool secureboot_is_compatible(struct dt_node *node, int *version, const char **c > return false; > } > > +static int update_secureboot_compatible(void) > +{ > + struct dt_node *sb_node; > + struct dt_property *sb_compat; > + > + sb_node = dt_find_by_path(dt_root, "/ibm,secureboot/"); > + if (!sb_node) > + return 1; > + > + sb_compat = (struct dt_property*) dt_find_property(sb_node, "compatible"); > + if (!sb_compat) > + return 2; > + > + strcpy(sb_compat->prop, "ibm,secureboot-v3"); > + > + return 0; > +} > + > void secureboot_init(void) > { > struct dt_node *node; > @@ -170,6 +188,11 @@ void secureboot_init(void) > if (cvc_init()) > secureboot_enforce(); > > + if (platform.secvar_init) { > + if (update_secureboot_compatible()) > + secureboot_enforce(); > + platform.secvar_init(); > + } Turns out this is a terrible place to update the compatible property, as trustedboot_init() still expects "ibm,secureboot-v2". I have a patch in the works that will be sent with a V3 of the series that instead probes for secure variable support prior to any secure boot related initialization and increments the compatible version. Secure and trusted boot init functions will also be updated to handle -v3. > secure_init = true; > } >
diff --git a/libstb/secureboot.c b/libstb/secureboot.c index 1578f52e..d8ed61b8 100644 --- a/libstb/secureboot.c +++ b/libstb/secureboot.c @@ -75,6 +75,24 @@ bool secureboot_is_compatible(struct dt_node *node, int *version, const char **c return false; } +static int update_secureboot_compatible(void) +{ + struct dt_node *sb_node; + struct dt_property *sb_compat; + + sb_node = dt_find_by_path(dt_root, "/ibm,secureboot/"); + if (!sb_node) + return 1; + + sb_compat = (struct dt_property*) dt_find_property(sb_node, "compatible"); + if (!sb_compat) + return 2; + + strcpy(sb_compat->prop, "ibm,secureboot-v3"); + + return 0; +} + void secureboot_init(void) { struct dt_node *node; @@ -170,6 +188,11 @@ void secureboot_init(void) if (cvc_init()) secureboot_enforce(); + if (platform.secvar_init) { + if (update_secureboot_compatible()) + secureboot_enforce(); + platform.secvar_init(); + } secure_init = true; }
Platforms determine whether or not they support secure boot by implementing a specific hook. After firmware secureboot has been initialized, if the platform hook has been implemented, we increase the secureboot version to "ibm,secureboot-v3" indicating secure variables are supported. The secure variables are then initialized. Signed-off-by: Eric Richter <erichte@linux.ibm.com> --- libstb/secureboot.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+)