Secure boot on POWER defines different IMA policies based on the secure
boot state of the system.
This patch defines a function to detect the secure boot state of the
system.
The PPC_SECURE_BOOT config represents the base enablement of secureboot
on POWER.
Signed-off-by: Nayna Jain <na...@linux.ibm.com>
---
arch/powerpc/Kconfig | 11 +++++
arch/powerpc/include/asm/secboot.h | 27 ++++++++++++
arch/powerpc/kernel/Makefile | 2 +
arch/powerpc/kernel/secboot.c | 71 ++++++++++++++++++++++++++++++
4 files changed, 111 insertions(+)
create mode 100644 arch/powerpc/include/asm/secboot.h
create mode 100644 arch/powerpc/kernel/secboot.c
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 77f6ebf97113..c902a39124dc 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -912,6 +912,17 @@ config PPC_MEM_KEYS
If unsure, say y.
+config PPC_SECURE_BOOT
+ prompt "Enable PowerPC Secure Boot"
+ bool
+ default n
+ depends on PPC64
+ help
+ Linux on POWER with firmware secure boot enabled needs to define
+ security policies to extend secure boot to the OS.This config
+ allows user to enable OS Secure Boot on PowerPC systems that
+ have firmware secure boot support.
+
endmenu
config ISA_DMA_API
diff --git a/arch/powerpc/include/asm/secboot.h
b/arch/powerpc/include/asm/secboot.h
new file mode 100644
index 000000000000..e726261bb00b
--- /dev/null
+++ b/arch/powerpc/include/asm/secboot.h
@@ -0,0 +1,27 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * PowerPC secure boot definitions
+ *
+ * Copyright (C) 2019 IBM Corporation
+ * Author: Nayna Jain <na...@linux.ibm.com>
+ *
+ */
+#ifndef POWERPC_SECBOOT_H
+#define POWERPC_SECBOOT_H
+
+#ifdef CONFIG_PPC_SECURE_BOOT
+extern struct device_node *is_powerpc_secvar_supported(void);
+extern bool get_powerpc_secureboot(void);
+#else
+static inline struct device_node *is_powerpc_secvar_supported(void)
+{
+ return NULL;
+}
+
+static inline bool get_powerpc_secureboot(void)
+{
+ return false;
+}
+
+#endif
+#endif
diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
index ea0c69236789..d310ebb4e526 100644
--- a/arch/powerpc/kernel/Makefile
+++ b/arch/powerpc/kernel/Makefile
@@ -157,6 +157,8 @@ endif
obj-$(CONFIG_EPAPR_PARAVIRT) += epapr_paravirt.o epapr_hcalls.o
obj-$(CONFIG_KVM_GUEST) += kvm.o kvm_emul.o
+obj-$(CONFIG_PPC_SECURE_BOOT) += secboot.o
+
# Disable GCOV, KCOV & sanitizers in odd or sensitive code
GCOV_PROFILE_prom_init.o := n
KCOV_INSTRUMENT_prom_init.o := n
diff --git a/arch/powerpc/kernel/secboot.c b/arch/powerpc/kernel/secboot.c
new file mode 100644
index 000000000000..5ea0d52d64ef
--- /dev/null
+++ b/arch/powerpc/kernel/secboot.c
@@ -0,0 +1,71 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2019 IBM Corporation
+ * Author: Nayna Jain <na...@linux.ibm.com>
+ *
+ * secboot.c
+ * - util function to get powerpc secboot state
+ */
+#include <linux/types.h>
+#include <linux/of.h>
+#include <asm/secboot.h>
+
+struct device_node *is_powerpc_secvar_supported(void)
+{
+ struct device_node *np;
+ int status;
+
+ np = of_find_node_by_name(NULL, "ibm,secureboot");
+ if (!np) {
+ pr_info("secureboot node is not found\n");
+ return NULL;
+ }
+
+ status = of_device_is_compatible(np, "ibm,secureboot-v3");
+ if (!status) {
+ pr_info("Secure variables are not supported by this
firmware\n");
+ return NULL;
+ }
+
+ return np;
+}
+
+bool get_powerpc_secureboot(void)
+{
+ struct device_node *np;
+ struct device_node *secvar_np;
+ const u64 *psecboot;
+ u64 secboot = 0;
+
+ np = is_powerpc_secvar_supported();
+ if (!np)
+ goto disabled;
+
+ /* Fail-safe for any failure related to secvar */
+ secvar_np = of_get_child_by_name(np, "secvar");
+ if (!secvar_np) {
+ pr_err("Expected secure variables support, fail-safe\n");
+ goto enabled;
+ }
+
+ if (!of_device_is_available(secvar_np)) {
+ pr_err("Secure variables support is in error state,
fail-safe\n");
+ goto enabled;
+ }
+
+ psecboot = of_get_property(secvar_np, "secure-mode", NULL);
+ if (!psecboot)
+ goto enabled;
+
+ secboot = be64_to_cpup((__be64 *)psecboot);
+ if (!(secboot & (~0x0)))
+ goto disabled;
+
+enabled:
+ pr_info("secureboot mode enabled\n");
+ return true;
+
+disabled:
+ pr_info("secureboot mode disabled\n");
+ return false;
+}
--
2.20.1
