Joel Stanley | a1fccbf | 2020-06-23 17:25:56 +0930 | [diff] [blame] | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| 2 | From: Nayna Jain <nayna@linux.ibm.com> |
| 3 | Date: Tue, 5 Nov 2019 17:00:22 -0600 |
Joel Stanley | cb9bf57 | 2020-09-29 16:18:12 +0930 | [diff] [blame] | 4 | Subject: [PATCH 02/19] powerpc: Detect the secure boot mode of the system |
Joel Stanley | a1fccbf | 2020-06-23 17:25:56 +0930 | [diff] [blame] | 5 | |
| 6 | This patch defines a function to detect the secure boot state of a |
| 7 | PowerNV system. |
| 8 | |
| 9 | The PPC_SECURE_BOOT config represents the base enablement of secure |
| 10 | boot for powerpc. |
| 11 | |
| 12 | Signed-off-by: Nayna Jain <nayna@linux.ibm.com> |
| 13 | Signed-off-by: Eric Richter <erichte@linux.ibm.com> |
| 14 | [mpe: Fold in change from Nayna to add "ibm,secureboot" to ids] |
| 15 | Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> |
| 16 | Link: https://lore.kernel.org/r/46b003b9-3225-6bf7-9101-ed6580bb748c@linux.ibm.com |
| 17 | (cherry picked from commit 1a8916ee3ac29054322cdac687d36e1b5894d272) |
| 18 | Signed-off-by: Joel Stanley <joel@jms.id.au> |
| 19 | --- |
| 20 | arch/powerpc/Kconfig | 10 ++++++++ |
| 21 | arch/powerpc/include/asm/secure_boot.h | 23 +++++++++++++++++ |
| 22 | arch/powerpc/kernel/Makefile | 2 ++ |
| 23 | arch/powerpc/kernel/secure_boot.c | 35 ++++++++++++++++++++++++++ |
| 24 | 4 files changed, 70 insertions(+) |
| 25 | create mode 100644 arch/powerpc/include/asm/secure_boot.h |
| 26 | create mode 100644 arch/powerpc/kernel/secure_boot.c |
| 27 | |
| 28 | diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig |
Joel Stanley | cb9bf57 | 2020-09-29 16:18:12 +0930 | [diff] [blame] | 29 | index ad620637cbd1..d654bdc9e4dc 100644 |
Joel Stanley | a1fccbf | 2020-06-23 17:25:56 +0930 | [diff] [blame] | 30 | --- a/arch/powerpc/Kconfig |
| 31 | +++ b/arch/powerpc/Kconfig |
Joel Stanley | cb9bf57 | 2020-09-29 16:18:12 +0930 | [diff] [blame] | 32 | @@ -935,6 +935,16 @@ config PPC_MEM_KEYS |
Joel Stanley | a1fccbf | 2020-06-23 17:25:56 +0930 | [diff] [blame] | 33 | |
| 34 | If unsure, say y. |
| 35 | |
| 36 | +config PPC_SECURE_BOOT |
| 37 | + prompt "Enable secure boot support" |
| 38 | + bool |
| 39 | + depends on PPC_POWERNV |
| 40 | + help |
| 41 | + Systems with firmware secure boot enabled need to define security |
| 42 | + policies to extend secure boot to the OS. This config allows a user |
| 43 | + to enable OS secure boot on systems that have firmware support for |
| 44 | + it. If in doubt say N. |
| 45 | + |
| 46 | endmenu |
| 47 | |
| 48 | config ISA_DMA_API |
| 49 | diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h |
| 50 | new file mode 100644 |
| 51 | index 000000000000..07d0fe0ca81f |
| 52 | --- /dev/null |
| 53 | +++ b/arch/powerpc/include/asm/secure_boot.h |
| 54 | @@ -0,0 +1,23 @@ |
| 55 | +/* SPDX-License-Identifier: GPL-2.0 */ |
| 56 | +/* |
| 57 | + * Secure boot definitions |
| 58 | + * |
| 59 | + * Copyright (C) 2019 IBM Corporation |
| 60 | + * Author: Nayna Jain |
| 61 | + */ |
| 62 | +#ifndef _ASM_POWER_SECURE_BOOT_H |
| 63 | +#define _ASM_POWER_SECURE_BOOT_H |
| 64 | + |
| 65 | +#ifdef CONFIG_PPC_SECURE_BOOT |
| 66 | + |
| 67 | +bool is_ppc_secureboot_enabled(void); |
| 68 | + |
| 69 | +#else |
| 70 | + |
| 71 | +static inline bool is_ppc_secureboot_enabled(void) |
| 72 | +{ |
| 73 | + return false; |
| 74 | +} |
| 75 | + |
| 76 | +#endif |
| 77 | +#endif |
| 78 | diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile |
| 79 | index dc0780f930d5..40170ee52178 100644 |
| 80 | --- a/arch/powerpc/kernel/Makefile |
| 81 | +++ b/arch/powerpc/kernel/Makefile |
| 82 | @@ -158,6 +158,8 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),) |
| 83 | obj-y += ucall.o |
| 84 | endif |
| 85 | |
| 86 | +obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o |
| 87 | + |
| 88 | # Disable GCOV, KCOV & sanitizers in odd or sensitive code |
| 89 | GCOV_PROFILE_prom_init.o := n |
| 90 | KCOV_INSTRUMENT_prom_init.o := n |
| 91 | diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c |
| 92 | new file mode 100644 |
| 93 | index 000000000000..583c2c4edaf0 |
| 94 | --- /dev/null |
| 95 | +++ b/arch/powerpc/kernel/secure_boot.c |
| 96 | @@ -0,0 +1,35 @@ |
| 97 | +// SPDX-License-Identifier: GPL-2.0 |
| 98 | +/* |
| 99 | + * Copyright (C) 2019 IBM Corporation |
| 100 | + * Author: Nayna Jain |
| 101 | + */ |
| 102 | +#include <linux/types.h> |
| 103 | +#include <linux/of.h> |
| 104 | +#include <asm/secure_boot.h> |
| 105 | + |
| 106 | +static struct device_node *get_ppc_fw_sb_node(void) |
| 107 | +{ |
| 108 | + static const struct of_device_id ids[] = { |
| 109 | + { .compatible = "ibm,secureboot", }, |
| 110 | + { .compatible = "ibm,secureboot-v1", }, |
| 111 | + { .compatible = "ibm,secureboot-v2", }, |
| 112 | + {}, |
| 113 | + }; |
| 114 | + |
| 115 | + return of_find_matching_node(NULL, ids); |
| 116 | +} |
| 117 | + |
| 118 | +bool is_ppc_secureboot_enabled(void) |
| 119 | +{ |
| 120 | + struct device_node *node; |
| 121 | + bool enabled = false; |
| 122 | + |
| 123 | + node = get_ppc_fw_sb_node(); |
| 124 | + enabled = of_property_read_bool(node, "os-secureboot-enforcing"); |
| 125 | + |
| 126 | + of_node_put(node); |
| 127 | + |
| 128 | + pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); |
| 129 | + |
| 130 | + return enabled; |
| 131 | +} |