[v4,07/18] hdata/spira: add physical presence flags

Message ID	20200511213152.24952-8-erichte@linux.ibm.com
State	Changes Requested
Headers	show Return-Path: <skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org> From: Eric Richter <erichte@linux.ibm.com> To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:41 -0500 Message-Id: <20200511213152.24952-8-erichte@linux.ibm.com> In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> MIME-Version: 1.0 Subject: [Skiboot] [PATCH v4 07/18] hdata/spira: add physical presence flags Precedence: list Cc: nayna@linux.ibm.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" <skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
Series	Add initial secure variable storage and backend drivers \| expand [v4,00/18] Add initial secure variable storage and backend drivers [v4,01/18] libstb/secureboot: use platform.terminate instead of hard abort [v4,02/18] libstb/secureboot: OS Secure Boot is enabled only if FW secureboot is enabled [v4,03/18] secvar_main: increase error verbosity, restyle all comments [v4,04/18] secvar_main: rework secvar_main error flow, make storage locking explicit [v4,05/18] secvar: change backend hook interface to take in bank references [v4,06/18] secvar_util: add new helper functions [v4,07/18] hdata/spira: add physical presence flags [v4,08/18] secvar_devtree: add physical presence mode helper [v4,09/18] core/flash.c: add SECBOOT read and write support [v4,10/18] doc/secvar: add document detailing secvar driver API [v4,11/18] secvar/storage: add secvar storage driver for pnor-based p9 [v4,12/18] secvar/storage/fakenv: add fake tpm operations for testing [v4,13/18] secvar/test: add secboot_tpm storage driver test cases [RFC,v4,14/18] secvar/storage: add utility tool to generate NV public name hashes [v4,15/18] crypto: add out-of-tree mbedtls pkcs7 parser [v4,16/18] secvar/backend: add edk2 derived key updates processing [v4,17/18] secvar/test: add edk2-compat driver test and test data [v4,18/18] witherspoon: enable secvar for witherspoon platform

Message ID

20200511213152.24952-8-erichte@linux.ibm.com

State

Changes Requested

Headers

From: Eric Richter <erichte@linux.ibm.com>
To: skiboot@lists.ozlabs.org
Date: Mon, 11 May 2020 16:31:41 -0500
Message-Id: <20200511213152.24952-8-erichte@linux.ibm.com>
In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com>
References: <20200511213152.24952-1-erichte@linux.ibm.com>
MIME-Version: 1.0
Subject: [Skiboot] [PATCH v4 07/18] hdata/spira: add physical presence flags
Precedence: list
Cc: nayna@linux.ibm.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Skiboot"
 <skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

Series

Add initial secure variable storage and backend drivers | expand

Checks

Context	Check	Description
snowpatch_ozlabs/apply_patch	success	Successfully applied on branch master (0f1937ef40fca0c3212a9dff1010b832a24fb063)
snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot	success	Test snowpatch/job/snowpatch-skiboot on branch master
snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot-dco	success	Signed-off-by present

Context

Check

Description

snowpatch_ozlabs/apply_patch

success

Successfully applied on branch master (0f1937ef40fca0c3212a9dff1010b832a24fb063)

snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot

success

Test snowpatch/job/snowpatch-skiboot on branch master

snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot-dco

success

Signed-off-by present

Commit Message

Eric Richter May 11, 2020, 9:31 p.m. UTC

From: Nayna Jain <nayna@linux.ibm.com>

This patch reads the hdata bits to check for physical presence
assertion, and creates device tree entries to be consumed later in the
boot.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
---
 hdata/spira.c | 11 +++++++++++
 hdata/spira.h |  7 ++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/hdata/spira.c b/hdata/spira.c
index 35d6109d..deb2dea4 100644
--- a/hdata/spira.c
+++ b/hdata/spira.c
@@ -921,6 +921,7 @@  static void dt_init_secureboot_node(const struct iplparams_sysparams *sysparams)
 	struct dt_node *node;
 	u16 sys_sec_setting;
 	u16 hw_key_hash_size;
+	u16 host_fw_key_clear;
 
 	node = dt_new(dt_root, "ibm,secureboot");
 	assert(node);
@@ -933,6 +934,16 @@  static void dt_init_secureboot_node(const struct iplparams_sysparams *sysparams)
 		dt_add_property(node, "secure-enabled", NULL, 0);
 	if (sys_sec_setting & SEC_HASHES_EXTENDED_TO_TPM)
 		dt_add_property(node, "trusted-enabled", NULL, 0);
+	if (sys_sec_setting & PHYSICAL_PRESENCE_ASSERTED)
+		dt_add_property(node, "physical-presence-asserted", NULL, 0);
+
+	host_fw_key_clear = be16_to_cpu(sysparams->host_fw_key_clear);
+	if (host_fw_key_clear & KEY_CLEAR_OS_KEYS)
+		dt_add_property(node, "clear-os-keys", NULL, 0);
+	if (host_fw_key_clear & KEY_CLEAR_MFG)
+		dt_add_property(node, "clear-mfg-keys", NULL, 0);
+	if (host_fw_key_clear & KEY_CLEAR_ALL)
+		dt_add_property(node, "clear-all-keys", NULL, 0);
 
 	hw_key_hash_size = be16_to_cpu(sysparams->hw_key_hash_size);
 
diff --git a/hdata/spira.h b/hdata/spira.h
index ffe53942..f7a1b823 100644
--- a/hdata/spira.h
+++ b/hdata/spira.h
@@ -364,10 +364,15 @@  struct iplparams_sysparams {
 	__be16		hv_disp_wheel;		/* >= 0x58 */
 	__be32		nest_freq_mhz;		/* >= 0x5b */
 	uint8_t		split_core_mode;	/* >= 0x5c */
-	uint8_t		reserved[3];
+	uint8_t		reserved[1];
+#define KEY_CLEAR_ALL     PPC_BIT16(0)
+#define KEY_CLEAR_OS_KEYS PPC_BIT16(1)
+#define KEY_CLEAR_MFG     PPC_BIT16(7)
+	__be16          host_fw_key_clear;
 	uint8_t		sys_vendor[64];		/* >= 0x5f */
 #define SEC_CONTAINER_SIG_CHECKING PPC_BIT16(0)
 #define SEC_HASHES_EXTENDED_TO_TPM PPC_BIT16(1)
+#define PHYSICAL_PRESENCE_ASSERTED PPC_BIT16(3)
 	__be16		sys_sec_setting;	/* >= 0x60 */
 	__be16		tpm_config_bit;		/* >= 0x60 */
 	__be16		tpm_drawer;		/* >= 0x60 */

[v4,07/18] hdata/spira: add physical presence flags

Checks

Commit Message

Patch