Message ID | 1571508377-23603-4-git-send-email-nayna@linux.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Series | powerpc: Enabling IMA arch specific secure boot policies |
On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote:
> While secure boot permits only properly verified signed kernels to be
> booted, trusted boot takes a measurement of the kernel image prior to
> boot that can be subsequently compared against good known values via
> attestation services.

Instead of "takes a measurement", either "stores a measurement" or "calculates the file hash of the kernel image and stores the measurement prior to boot, that".

> This patch reads the trusted boot state of a PowerNV system. The state
> is used to conditionally enable additional measurement rules in the IMA
> arch-specific policies.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> ---
> arch/powerpc/include/asm/secure_boot.h | 6 ++++++
> arch/powerpc/kernel/secure_boot.c | 24 ++++++++++++++++++++++++
> 2 files changed, 30 insertions(+)
>
> diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h > index 07d0fe0ca81f..a2ff556916c6 100644 > --- a/arch/powerpc/include/asm/secure_boot.h > +++ b/arch/powerpc/include/asm/secure_boot.h > > diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c > index 99bba7915629..9753470ab08a 100644 > --- a/arch/powerpc/kernel/secure_boot.c > +++ b/arch/powerpc/kernel/secure_boot.c > @@ -7,6 +7,17 @@ > #include <linux/of.h> > #include <asm/secure_boot.h> > > +static struct device_node *get_ppc_fw_sb_node(void) > +{ > + static const struct of_device_id ids[] = { > + { .compatible = "ibm,secureboot-v1", }, > + { .compatible = "ibm,secureboot-v2", }, > + {}, > + }; > +

scripts/checkpatch.pl is complaining that secureboot-v1, secureboot-v2 are not documented in the device tree bindings.

Mimi
Nayna Jain <nayna@linux.ibm.com> writes:
> diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c > index 99bba7915629..9753470ab08a 100644 > --- a/arch/powerpc/kernel/secure_boot.c > +++ b/arch/powerpc/kernel/secure_boot.c > @@ -28,3 +39,16 @@ bool is_ppc_secureboot_enabled(void) > pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); > return enabled; > } > + > +bool is_ppc_trustedboot_enabled(void) > +{ > + struct device_node *node; > + bool enabled = false; > + > + node = get_ppc_fw_sb_node(); > + enabled = of_property_read_bool(node, "trusted-enabled");

Also here you need: of_node_put(node);

> + > + pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled"); > + > + return enabled; > +}

cheers
diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h index 07d0fe0ca81f..a2ff556916c6 100644 --- a/arch/powerpc/include/asm/secure_boot.h +++ b/arch/powerpc/include/asm/secure_boot.h @@ -11,6 +11,7 @@ #ifdef CONFIG_PPC_SECURE_BOOT bool is_ppc_secureboot_enabled(void); +bool is_ppc_trustedboot_enabled(void); #else @@ -19,5 +20,10 @@ static inline bool is_ppc_secureboot_enabled(void) return false; } +static inline bool is_ppc_trustedboot_enabled(void) +{ + return false; +} + #endif #endif diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c index 99bba7915629..9753470ab08a 100644 --- a/arch/powerpc/kernel/secure_boot.c +++ b/arch/powerpc/kernel/secure_boot.c @@ -7,6 +7,17 @@ #include <linux/of.h> #include <asm/secure_boot.h> +static struct device_node *get_ppc_fw_sb_node(void) +{ + static const struct of_device_id ids[] = { + { .compatible = "ibm,secureboot-v1", }, + { .compatible = "ibm,secureboot-v2", }, + {}, + }; + + return of_find_matching_node(NULL, ids); +} + bool is_ppc_secureboot_enabled(void) { struct device_node *node; @@ -28,3 +39,16 @@ bool is_ppc_secureboot_enabled(void) pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); return enabled; } + +bool is_ppc_trustedboot_enabled(void) +{ + struct device_node *node; + bool enabled = false; + + node = get_ppc_fw_sb_node(); + enabled = of_property_read_bool(node, "trusted-enabled"); + + pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled"); + + return enabled; +}
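Review bot: get_ppc_fw_sb_node() in arch/powerpc/kernel/secure_boot.c (hunk @@ -7,6 +7,17 @@) returns the result of of_find_matching_node(), which hands back the node with its reference count raised, yet nothing on the helper tells callers that they own that reference. Add a short comment above the function stating that the caller must release the returned node with of_node_put() (a NULL node is accepted there, so callers need no extra check). The "ibm,secureboot-v1" and "ibm,secureboot-v2" compatible strings in the ids[] table also need an entry in the device tree bindings documentation, which is what checkpatch is flagging.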
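Review bot: is_ppc_trustedboot_enabled() in arch/powerpc/kernel/secure_boot.c (hunk @@ -28,3 +39,16 @@) never drops the reference it obtains from get_ppc_fw_sb_node(), so every call leaks a reference on the firmware secure boot node. Add of_node_put(node); directly after the of_property_read_bool(node, "trusted-enabled") line. The "= false" initializer on enabled is dead, since the variable is assigned unconditionally two lines later, and can be dropped. When no matching node exists, the function logs "Trusted boot mode disabled", which reads the same as firmware that has the node but not the property. Because this state decides whether the extra IMA measurement rules are enabled, a comment saying that a missing node is deliberately treated as disabled would help.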
While secure boot permits only properly verified signed kernels to be booted, trusted boot takes a measurement of the kernel image prior to boot that can be subsequently compared against good known values via attestation services.

This patch reads the trusted boot state of a PowerNV system. The state is used to conditionally enable additional measurement rules in the IMA arch-specific policies.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 arch/powerpc/include/asm/secure_boot.h |  6 ++++++
 arch/powerpc/kernel/secure_boot.c      | 24 ++++++++++++++++++++++++
 2 files changed, 30 insertions(+)