Hello,
On Wed, May 21, 2025 at 04:27:58PM +0530, Srish Srinivasan wrote:
> The PLPKS enabled PowerVM LPAR sysfs exposes all of the secure boot
> secvars irrespective of the key management mode.
>
> The PowerVM LPAR supports static and dynamic key management for secure
> boot. The key management option can be updated in the management
> console. Only in the dynamic key mode can the user modify the secure
> boot secvars db, dbx, grubdb, grubdbx, and sbat, which are exposed via
> the sysfs interface. But the sysfs interface exposes these secvars even
> in the static key mode. This could lead to errors when reading them or
> writing to them in the static key mode.
would it cause an error when reading these variables or only when
writing them?
Thanks
Michal
>
> Expose only PK, trustedcadb, and moduledb in the static key mode to
> enable loading of signed third-party kernel modules.
>
> Co-developed-by: Souradeep <so...@imap.linux.ibm.com>
> Signed-off-by: Souradeep <so...@imap.linux.ibm.com>
> Signed-off-by: Srish Srinivasan <ssr...@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zo...@linux.ibm.com>
> Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
> Reviewed-by: Nayna Jain <na...@linux.ibm.com>
> Reviewed-by: Andrew Donnellan <a...@linux.ibm.com>
> ---
> Documentation/ABI/testing/sysfs-secvar | 6 ++++
> arch/powerpc/platforms/pseries/plpks-secvar.c | 28 ++++++++++++++++---
> 2 files changed, 30 insertions(+), 4 deletions(-)
>
> diff --git a/Documentation/ABI/testing/sysfs-secvar
> b/Documentation/ABI/testing/sysfs-secvar
> index 45281888e520..948df3446a03 100644
> --- a/Documentation/ABI/testing/sysfs-secvar
> +++ b/Documentation/ABI/testing/sysfs-secvar
> @@ -37,6 +37,12 @@ Description: Each secure variable is represented as
> a directory named as
> representation. The data and size can be determined by reading
> their respective attribute files.
>
> + Only secvars relevant to the key management mode are exposed.
> + Only in the dynamic key mode can the user modify the secure boot
> + secvars db, dbx, grubdb, grubdbx, and sbat. PK, trustedcadb and
> + moduledb are the secvars common to both static and dynamic key
> + management modes.
> +
> What: /sys/firmware/secvar/vars/<variable_name>/size
> Date: August 2019
> Contact: Nayna Jain <na...@linux.ibm.com>
> diff --git a/arch/powerpc/platforms/pseries/plpks-secvar.c
> b/arch/powerpc/platforms/pseries/plpks-secvar.c
> index 767e5e8c6990..f9e9cc40c9d0 100644
> --- a/arch/powerpc/platforms/pseries/plpks-secvar.c
> +++ b/arch/powerpc/platforms/pseries/plpks-secvar.c
> @@ -59,7 +59,14 @@ static u32 get_policy(const char *name)
> return PLPKS_SIGNEDUPDATE;
> }
>
> -static const char * const plpks_var_names[] = {
> +static const char * const plpks_var_names_static[] = {
> + "PK",
> + "moduledb",
> + "trustedcadb",
> + NULL,
> +};
> +
> +static const char * const plpks_var_names_dynamic[] = {
> "PK",
> "KEK",
> "db",
> @@ -213,21 +220,34 @@ static int plpks_max_size(u64 *max_size)
> return 0;
> }
>
> +static const struct secvar_operations plpks_secvar_ops_static = {
> + .get = plpks_get_variable,
> + .set = plpks_set_variable,
> + .format = plpks_secvar_format,
> + .max_size = plpks_max_size,
> + .config_attrs = config_attrs,
> + .var_names = plpks_var_names_static,
> +};
>
> -static const struct secvar_operations plpks_secvar_ops = {
> +static const struct secvar_operations plpks_secvar_ops_dynamic = {
> .get = plpks_get_variable,
> .set = plpks_set_variable,
> .format = plpks_secvar_format,
> .max_size = plpks_max_size,
> .config_attrs = config_attrs,
> - .var_names = plpks_var_names,
> + .var_names = plpks_var_names_dynamic,
> };
>
> static int plpks_secvar_init(void)
> {
> + u8 mode;
> +
> if (!plpks_is_available())
> return -ENODEV;
>
> - return set_secvar_ops(&plpks_secvar_ops);
> + mode = plpks_get_sb_keymgmt_mode();
> + if (mode)
> + return set_secvar_ops(&plpks_secvar_ops_dynamic);
> + return set_secvar_ops(&plpks_secvar_ops_static);
> }
> machine_device_initcall(pseries, plpks_secvar_init);
> --
> 2.47.1
>
>
