Thanks Nayna! I'm hoping to get better public documentation for this soon as it's not documented in a public PAPR yet.
Until then:

The values of ibm,secure-boot under PowerVM are:

 0 - disabled

 1 - audit mode only. This patch ignores this value for Linux, which I think is the appropriate thing to do.

 2 - enabled and enforcing

 3-9 - enabled, OS-defined behaviour. In this patch we map all these values to enabled and enforcing. Again I think this is the appropriate thing to do.

ibm,trusted-boot isn't published by a current PowerVM LPAR but will be published in future. (Currently, trusted boot state is inferred by the presence or absence of a vTPM.) It's simply 1 = enabled, 0 = disabled.

As for this patch specifically, with the very small nits below,

Reviewed-by: Daniel Axtens <d...@axtens.net>

> - node = get_ppc_fw_sb_node(); > - enabled = of_property_read_bool(node, "os-secureboot-enforcing"); > + if (machine_is(powernv)) { > + node = get_ppc_fw_sb_node(); > + enabled = > + of_property_read_bool(node, "os-secureboot-enforcing"); > + of_node_put(node); > + } > > - of_node_put(node); > + if (machine_is(pseries)) {

Maybe this should be an else if?

> + secureboot = of_get_property(of_root, "ibm,secure-boot", NULL); > + if (secureboot) > + enabled = (*secureboot > 1) ? true : false; > + } > > pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); > > @@ -38,11 +48,20 @@ bool is_ppc_trustedboot_enabled(void) > { > struct device_node *node; > bool enabled = false; > + const u32 *trustedboot; > > - node = get_ppc_fw_sb_node(); > - enabled = of_property_read_bool(node, "trusted-enabled"); > + if (machine_is(powernv)) { > + node = get_ppc_fw_sb_node(); > + enabled = of_property_read_bool(node, "trusted-enabled"); > + of_node_put(node); > + } > > - of_node_put(node); > + if (machine_is(pseries)) {

Likewise.

> + trustedboot = > + of_get_property(of_root, "ibm,trusted-boot", NULL); > + if (trustedboot) > + enabled = (*trustedboot > 0) ? true : false;

Regards,
Daniel
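
Review bot: the pseries branch of the secure boot check dereferences the of_get_property() result directly in `enabled = (*secureboot > 1) ? true : false;`, with no byte-order conversion and with the length argument passed as NULL. Device-tree cells are big-endian, so on a little-endian kernel the audit-only value 1 reads as 0x01000000 and is treated as enforcing, and a property shorter than four bytes would be read past its end. of_property_read_u32(of_root, "ibm,secure-boot", &val) covers both cases, after which the test reduces to `enabled = (val > 1);`. A short comment next to that test listing the value meanings (0 disabled, 1 audit only, 2 enforcing, 3-9 OS-defined) would record why the threshold is 1.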
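
Review bot: in is_ppc_trustedboot_enabled(), `const u32 *trustedboot;` declares the of_get_property() result as a CPU-endian pointer although the property data is a big-endian cell. The `> 0` comparison happens to give the same answer in either byte order, but the type hides that, and the NULL length argument means the property size is never checked before the dereference. Reading the value with of_property_read_u32(of_root, "ibm,trusted-boot", &val) avoids both issues and keeps this function consistent with the secure boot one; `? true : false` can also be dropped, since the comparison already yields a bool.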