| Joel Stanley | a1fccbf | 2020-06-23 17:25:56 +0930 | [diff] [blame] | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| 2 | From: Nayna Jain <nayna@linux.ibm.com> |
| 3 | Date: Tue, 5 Nov 2019 17:02:07 -0600 |
| 4 | Subject: [PATCH 04/18] powerpc: Detect the trusted boot state of the system |
| 5 | |
| 6 | While secure boot permits only properly verified signed kernels to be |
| 7 | booted, trusted boot calculates the file hash of the kernel image and |
| 8 | stores the measurement prior to boot, that can be subsequently |
| 9 | compared against good known values via attestation services. |
| 10 | |
| 11 | This patch reads the trusted boot state of a PowerNV system. The state |
| 12 | is used to conditionally enable additional measurement rules in the |
| 13 | IMA arch-specific policies. |
| 14 | |
| 15 | Signed-off-by: Nayna Jain <nayna@linux.ibm.com> |
| 16 | Signed-off-by: Eric Richter <erichte@linux.ibm.com> |
| 17 | Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> |
| 18 | Link: https://lore.kernel.org/r/e9eeee6b-b9bf-1e41-2954-61dbd6fbfbcf@linux.ibm.com |
| 19 | (cherry picked from commit 2702809a4a1ab414d75c00936cda70ea77c8234e) |
| 20 | Signed-off-by: Joel Stanley <joel@jms.id.au> |
| 21 | --- |
| 22 | arch/powerpc/include/asm/secure_boot.h | 6 ++++++ |
| 23 | arch/powerpc/kernel/secure_boot.c | 15 +++++++++++++++ |
| 24 | 2 files changed, 21 insertions(+) |
| 25 | |
| 26 | diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h |
| 27 | index 07d0fe0ca81f..a2ff556916c6 100644 |
| 28 | --- a/arch/powerpc/include/asm/secure_boot.h |
| 29 | +++ b/arch/powerpc/include/asm/secure_boot.h |
| 30 | @@ -11,6 +11,7 @@ |
| 31 | #ifdef CONFIG_PPC_SECURE_BOOT |
| 32 | |
| 33 | bool is_ppc_secureboot_enabled(void); |
| 34 | +bool is_ppc_trustedboot_enabled(void); |
| 35 | |
| 36 | #else |
| 37 | |
| 38 | @@ -19,5 +20,10 @@ static inline bool is_ppc_secureboot_enabled(void) |
| 39 | return false; |
| 40 | } |
| 41 | |
| 42 | +static inline bool is_ppc_trustedboot_enabled(void) |
| 43 | +{ |
| 44 | + return false; |
| 45 | +} |
| 46 | + |
| 47 | #endif |
| 48 | #endif |
| 49 | diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c |
| 50 | index 583c2c4edaf0..4b982324d368 100644 |
| 51 | --- a/arch/powerpc/kernel/secure_boot.c |
| 52 | +++ b/arch/powerpc/kernel/secure_boot.c |
| 53 | @@ -33,3 +33,18 @@ bool is_ppc_secureboot_enabled(void) |
| 54 | |
| 55 | return enabled; |
| 56 | } |
| 57 | + |
| 58 | +bool is_ppc_trustedboot_enabled(void) |
| 59 | +{ |
| 60 | + struct device_node *node; |
| 61 | + bool enabled = false; |
| 62 | + |
| 63 | + node = get_ppc_fw_sb_node(); |
| 64 | + enabled = of_property_read_bool(node, "trusted-enabled"); |
| 65 | + |
| 66 | + of_node_put(node); |
| 67 | + |
| 68 | + pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled"); |
| 69 | + |
| 70 | + return enabled; |
| 71 | +} |