openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch - premsjha/op-build - Gitiles

 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Tue, 5 Nov 2019 17:02:07 -0600
 Subject: [PATCH 04/18] powerpc: Detect the trusted boot state of the system

 While secure boot permits only properly verified signed kernels to be
 booted, trusted boot calculates the file hash of the kernel image and
 stores the measurement prior to boot, that can be subsequently
 compared against good known values via attestation services.

 This patch reads the trusted boot state of a PowerNV system. The state
 is used to conditionally enable additional measurement rules in the
 IMA arch-specific policies.

 Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
 Signed-off-by: Eric Richter <erichte@linux.ibm.com>
 Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
 Link: https://lore.kernel.org/r/e9eeee6b-b9bf-1e41-2954-61dbd6fbfbcf@linux.ibm.com
 (cherry picked from commit 2702809a4a1ab414d75c00936cda70ea77c8234e)
 Signed-off-by: Joel Stanley <joel@jms.id.au>
 ---
  arch/powerpc/include/asm/secure_boot.h |  6 ++++++
  arch/powerpc/kernel/secure_boot.c      | 15 +++++++++++++++
  2 files changed, 21 insertions(+)

 diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h
 index 07d0fe0ca81f..a2ff556916c6 100644
 --- a/arch/powerpc/include/asm/secure_boot.h
 +++ b/arch/powerpc/include/asm/secure_boot.h
 @@ -11,6 +11,7 @@
  #ifdef CONFIG_PPC_SECURE_BOOT

  bool is_ppc_secureboot_enabled(void);
 +bool is_ppc_trustedboot_enabled(void);

  #else

 @@ -19,5 +20,10 @@ static inline bool is_ppc_secureboot_enabled(void)
  	return false;
  }

 +static inline bool is_ppc_trustedboot_enabled(void)
 +{
 +	return false;
 +}
 +
  #endif
  #endif
 diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
 index 583c2c4edaf0..4b982324d368 100644
 --- a/arch/powerpc/kernel/secure_boot.c
 +++ b/arch/powerpc/kernel/secure_boot.c
 @@ -33,3 +33,18 @@ bool is_ppc_secureboot_enabled(void)

  	return enabled;
  }
 +
 +bool is_ppc_trustedboot_enabled(void)
 +{
 +	struct device_node *node;
 +	bool enabled = false;
 +
 +	node = get_ppc_fw_sb_node();
 +	enabled = of_property_read_bool(node, "trusted-enabled");
 +
 +	of_node_put(node);
 +
 +	pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled");
 +
 +	return enabled;
 +}
	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	From: Nayna Jain <nayna@linux.ibm.com>
	Date: Tue, 5 Nov 2019 17:02:07 -0600
	Subject: [PATCH 04/18] powerpc: Detect the trusted boot state of the system

	While secure boot permits only properly verified signed kernels to be
	booted, trusted boot calculates the file hash of the kernel image and
	stores the measurement prior to boot, that can be subsequently
	compared against good known values via attestation services.

	This patch reads the trusted boot state of a PowerNV system. The state
	is used to conditionally enable additional measurement rules in the
	IMA arch-specific policies.

	Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
	Signed-off-by: Eric Richter <erichte@linux.ibm.com>
	Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
	Link: https://lore.kernel.org/r/e9eeee6b-b9bf-1e41-2954-61dbd6fbfbcf@linux.ibm.com
	(cherry picked from commit 2702809a4a1ab414d75c00936cda70ea77c8234e)
	Signed-off-by: Joel Stanley <joel@jms.id.au>
	---
	arch/powerpc/include/asm/secure_boot.h \| 6 ++++++
	arch/powerpc/kernel/secure_boot.c \| 15 +++++++++++++++
	2 files changed, 21 insertions(+)

	diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h
	index 07d0fe0ca81f..a2ff556916c6 100644
	--- a/arch/powerpc/include/asm/secure_boot.h
	+++ b/arch/powerpc/include/asm/secure_boot.h
	@@ -11,6 +11,7 @@
	#ifdef CONFIG_PPC_SECURE_BOOT

	bool is_ppc_secureboot_enabled(void);
	+bool is_ppc_trustedboot_enabled(void);

	#else

	@@ -19,5 +20,10 @@ static inline bool is_ppc_secureboot_enabled(void)
	return false;
	}

	+static inline bool is_ppc_trustedboot_enabled(void)
	+{
	+ return false;
	+}
	+
	#endif
	#endif
	diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
	index 583c2c4edaf0..4b982324d368 100644
	--- a/arch/powerpc/kernel/secure_boot.c
	+++ b/arch/powerpc/kernel/secure_boot.c
	@@ -33,3 +33,18 @@ bool is_ppc_secureboot_enabled(void)

	return enabled;
	}
	+
	+bool is_ppc_trustedboot_enabled(void)
	+{
	+ struct device_node *node;
	+ bool enabled = false;
	+
	+ node = get_ppc_fw_sb_node();
	+ enabled = of_property_read_bool(node, "trusted-enabled");
	+
	+ of_node_put(node);
	+
	+ pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled");
	+
	+ return enabled;
	+}