[RFC PATCH v2 3/3] powerpc/pseries: expose authenticated variables stored in LPAR PKS
Nayna Jain
nayna at linux.ibm.com
Wed Jun 22 21:56:48 UTC 2022
PowerVM Guest Secure boot feature need to expose firmware managed
secure variables for user management. These variables store keys for
grub/kernel verification and also corresponding denied list.
Expose these variables to the userpace via fwsecurityfs.
Example:
Example:
# cd /sys/firmware/security/secvars
# pwd
/sys/firmware/security/secvars
# cat /tmp/PK.bin > PK
# ls -l
total 0
-rw-r--r-- 1 root root 2497 Jun 22 08:34 PK
# hexdump -C PK
00000000 00 00 00 00 00 08 00 00 a1 59 c0 a5 e4 94 a7 4a |.........Y.....J|
00000010 87 b5 ab 15 5c 2b f0 72 3f 03 00 00 00 00 00 00 |....\+.r?.......|
00000020 23 03 00 00 ca 18 1d 1c 01 7d eb 11 9a 71 08 94 |#........}...q..|
00000030 ef 31 fb e4 30 82 03 0f 30 82 01 f7 a0 03 02 01 |.1..0...0.......|
00000040 02 02 14 22 ab 18 2f d5 aa dd c5 ba 98 27 60 26 |..."../......'`&|
00000050 f1 63 89 54 4c 52 d9 30 0d 06 09 2a 86 48 86 f7 |.c.TLR.0...*.H..|
...
Signed-off-by: Nayna Jain <nayna at linux.ibm.com>
---
arch/powerpc/platforms/pseries/Kconfig | 17 ++
arch/powerpc/platforms/pseries/plpks/Makefile | 2 +
.../pseries/plpks/fwsecurityfs_arch.c | 16 ++
.../platforms/pseries/plpks/internal.h | 18 ++
.../powerpc/platforms/pseries/plpks/secvars.c | 239 ++++++++++++++++++
include/linux/fwsecurityfs.h | 4 +
6 files changed, 296 insertions(+)
create mode 100644 arch/powerpc/platforms/pseries/plpks/fwsecurityfs_arch.c
create mode 100644 arch/powerpc/platforms/pseries/plpks/internal.h
create mode 100644 arch/powerpc/platforms/pseries/plpks/secvars.c
diff --git a/arch/powerpc/platforms/pseries/Kconfig b/arch/powerpc/platforms/pseries/Kconfig
index 6c1ca487103f..9c52095e20c4 100644
--- a/arch/powerpc/platforms/pseries/Kconfig
+++ b/arch/powerpc/platforms/pseries/Kconfig
@@ -152,6 +152,23 @@ config PSERIES_PLPKS
config to enable operating system interface to hypervisor to
access this space.
+config PSERIES_FWSECURITYFS_ARCH
+ depends on FWSECURITYFS
+ bool "Support fwsecurityfs for pseries"
+ help
+ Enable fwsecuirtyfs arch specific code. This would initialize
+ the firmware security filesystem with initial platform specific
+ structure.
+
+config PSERIES_PLPKS_SECVARS
+ depends on PSERIES_PLPKS
+ select PSERIES_FWSECURITYFS_ARCH
+ tristate "Support for secvars"
+ help
+ This interface exposes authenticated variables stored in the LPAR
+ Platform KeyStore using fwsecurityfs interface.
+ If you are unsure how to use it, say N.
+
config PAPR_SCM
depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM
tristate "Support for the PAPR Storage Class Memory interface"
diff --git a/arch/powerpc/platforms/pseries/plpks/Makefile b/arch/powerpc/platforms/pseries/plpks/Makefile
index e651ace920db..ff3d4b4cd3d7 100644
--- a/arch/powerpc/platforms/pseries/plpks/Makefile
+++ b/arch/powerpc/platforms/pseries/plpks/Makefile
@@ -5,3 +5,5 @@
#
obj-$(CONFIG_PSERIES_PLPKS) += plpks.o
+obj-$(CONFIG_PSERIES_FWSECURITYFS_ARCH) += fwsecurityfs_arch.o
+obj-$(CONFIG_PSERIES_PLPKS_SECVARS) += secvars.o
diff --git a/arch/powerpc/platforms/pseries/plpks/fwsecurityfs_arch.c b/arch/powerpc/platforms/pseries/plpks/fwsecurityfs_arch.c
new file mode 100644
index 000000000000..6ccdfe4000a6
--- /dev/null
+++ b/arch/powerpc/platforms/pseries/plpks/fwsecurityfs_arch.c
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * POWER LPAR Platform KeyStore (PLPKS)
+ * Copyright (C) 2022 IBM Corporation
+ * Author: Nayna Jain <nayna at linux.ibm.com>
+ *
+ */
+
+#include <linux/fwsecurityfs.h>
+
+#include "internal.h"
+
+int arch_fwsecurity_init(void)
+{
+ return plpks_secvars_init();
+}
diff --git a/arch/powerpc/platforms/pseries/plpks/internal.h b/arch/powerpc/platforms/pseries/plpks/internal.h
new file mode 100644
index 000000000000..6061ffd37677
--- /dev/null
+++ b/arch/powerpc/platforms/pseries/plpks/internal.h
@@ -0,0 +1,18 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) 2022 IBM Corporation
+ * Author: Nayna Jain <nayna at linux.ibm.com>
+ *
+ */
+#ifndef PKS_FWSEC_INTERNAL
+#define PKS_FWSEC_INTERNAL
+
+#ifdef CONFIG_PSERIES_PLPKS_SECVARS
+int plpks_secvars_init(void);
+#else
+int plpks_secvars_init(void)
+{
+ return 0;
+}
+#endif
+#endif
diff --git a/arch/powerpc/platforms/pseries/plpks/secvars.c b/arch/powerpc/platforms/pseries/plpks/secvars.c
new file mode 100644
index 000000000000..8852cb8f2f3c
--- /dev/null
+++ b/arch/powerpc/platforms/pseries/plpks/secvars.c
@@ -0,0 +1,239 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * POWER LPAR Platform KeyStore (PLPKS)
+ * Copyright (C) 2022 IBM Corporation
+ * Author: Nayna Jain <nayna at linux.ibm.com>
+ *
+ */
+
+#include <linux/fs.h>
+#include <linux/fs_context.h>
+#include <linux/mount.h>
+#include <linux/pagemap.h>
+#include <linux/init.h>
+#include <linux/namei.h>
+#include <linux/ctype.h>
+#include <linux/fwsecurityfs.h>
+#include <asm/plpks.h>
+
+#include "internal.h"
+
+static struct dentry *secvar_dir;
+
+static const char * const names[] = {
+ "PK",
+ "KEK",
+ "db",
+ "dbx",
+ "grubdb",
+ "sbat",
+ "moduledb",
+ "trustedcadb",
+ NULL
+};
+
+static int validate_name(char *name)
+{
+ int i = 0;
+
+ while (names[i] != NULL) {
+ if ((strlen(names[i]) == strlen(name))
+ && (strncmp(name, names[i], strlen(names[i])) == 0))
+ return 0;
+ i++;
+ }
+ pr_err("Invalid name, allowed ones are (dbx,grubdb,sbat,moduledb,trustedcadb)\n");
+
+ return -EINVAL;
+}
+
+static u32 get_policy(char *name)
+{
+ if ((strncmp(name, "PK", 2) == 0)
+ || (strncmp(name, "KEK", 3) == 0)
+ || (strncmp(name, "db", 2) == 0)
+ || (strncmp(name, "dbx", 3) == 0)
+ || (strncmp(name, "grubdb", 6) == 0)
+ || (strncmp(name, "sbat", 4) == 0))
+ return (WORLDREADABLE & SIGNEDUPDATE);
+ else
+ return SIGNEDUPDATE;
+}
+
+static ssize_t plpks_secvar_file_write(struct file *file,
+ const char __user *userbuf,
+ size_t count, loff_t *ppos)
+{
+ struct plpks_var var;
+ void *data;
+ struct inode *inode = file->f_mapping->host;
+ u16 datasize = count;
+ ssize_t bytes;
+
+ data = memdup_user(userbuf, datasize);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
+
+ var.component = NULL;
+ var.name = file->f_path.dentry->d_iname;
+ var.namelen = strlen(var.name);
+ var.policy = get_policy(var.name);
+ var.datalen = datasize;
+ var.data = data;
+ bytes = plpks_signed_update_var(var);
+
+ if (bytes) {
+ pr_err("Update of the variable failed with error %ld\n", bytes);
+ goto out;
+ }
+
+ inode_lock(inode);
+ i_size_write(inode, datasize);
+ inode->i_mtime = current_time(inode);
+ inode_unlock(inode);
+
+ bytes = count;
+out:
+ kfree(data);
+
+ return bytes;
+
+}
+
+static ssize_t plpks_secvar_file_read(struct file *file, char __user *userbuf,
+ size_t count, loff_t *ppos)
+{
+ struct plpks_var var;
+ char *out;
+ u32 outlen;
+ int rc;
+ size_t size;
+
+ var.name = file->f_path.dentry->d_iname;
+ var.namelen = strlen(var.name);
+ var.component = NULL;
+ rc = plpks_read_os_var(&var);
+ if (rc) {
+ pr_err("Error reading object %d\n", rc);
+ return rc;
+ }
+
+ outlen = sizeof(var.policy) + var.datalen;
+ out = kzalloc(outlen, GFP_KERNEL);
+ memcpy(out, &var.policy, sizeof(var.policy));
+
+ memcpy(out + sizeof(var.policy), var.data, var.datalen);
+
+ size = simple_read_from_buffer(userbuf, count, ppos,
+ out, outlen);
+ kfree(out);
+ return size;
+}
+
+
+static const struct file_operations plpks_secvar_file_operations = {
+ .open = simple_open,
+ .read = plpks_secvar_file_read,
+ .write = plpks_secvar_file_write,
+ .llseek = no_llseek,
+};
+
+static int plpks_secvar_create(struct user_namespace *mnt_userns, struct inode *dir,
+ struct dentry *dentry, umode_t mode, bool excl)
+{
+ int namelen, i = 0;
+ char *varname;
+ int rc = 0;
+
+ namelen = dentry->d_name.len;
+
+ varname = kzalloc(namelen + 1, GFP_KERNEL);
+ if (!varname)
+ return -ENOMEM;
+
+ for (i = 0; i < namelen; i++)
+ varname[i] = dentry->d_name.name[i];
+ varname[i] = '\0';
+
+ rc = validate_name(varname);
+ if (rc)
+ goto out;
+
+ rc = validate_name(varname);
+ if (rc)
+ goto out;
+
+ rc = fwsecurityfs_create_file(varname, S_IFREG|0644, 0, secvar_dir,
+ dentry, &plpks_secvar_file_operations);
+ if (rc)
+ pr_err("Error creating file\n");
+
+out:
+ kfree(varname);
+
+ return rc;
+}
+
+static const struct inode_operations plpks_secvar_dir_inode_operations = {
+ .lookup = simple_lookup,
+ .create = plpks_secvar_create,
+};
+
+static int plpks_fill_secvars(struct super_block *sb)
+{
+ struct plpks_var *var = NULL;
+ int err;
+ int i = 0;
+
+ while (names[i] != NULL) {
+ var = kzalloc(sizeof(struct plpks_var), GFP_KERNEL);
+ var->name = (char *)names[i];
+ var->namelen = strlen(names[i]);
+ pr_debug("name is %s\n", var->name);
+ var->component = NULL;
+ i++;
+ err = plpks_read_os_var(var);
+ if (err) {
+ kfree(var);
+ continue;
+ }
+
+ err = fwsecurityfs_create_file(var->name, S_IFREG|0644,
+ var->datalen, secvar_dir,
+ NULL,
+ &plpks_secvar_file_operations);
+
+ kfree(var);
+ if (err) {
+ pr_err("Error creating file\n");
+ break;
+ }
+ }
+ return err;
+};
+
+int plpks_secvars_init(void)
+{
+ int error;
+
+ struct super_block *sb;
+
+ secvar_dir = fwsecurityfs_create_dir("secvars", S_IFDIR | 0755, NULL,
+ &plpks_secvar_dir_inode_operations);
+ if (IS_ERR(secvar_dir)) {
+ int ret = PTR_ERR(secvar_dir);
+
+ if (ret != -ENODEV)
+ pr_err("Unable to create integrity sysfs dir: %d\n",
+ ret);
+ secvar_dir = NULL;
+ return ret;
+ }
+
+ sb = fwsecurityfs_get_superblock();
+ error = plpks_fill_secvars(sb);
+ if (error)
+ pr_err("Filling secvars failed\n");
+
+ return 0;
+};
diff --git a/include/linux/fwsecurityfs.h b/include/linux/fwsecurityfs.h
index c079ce939f42..d5fd51aa6322 100644
--- a/include/linux/fwsecurityfs.h
+++ b/include/linux/fwsecurityfs.h
@@ -21,9 +21,13 @@ struct dentry *fwsecurityfs_create_dir(const char *name, umode_t mode,
const struct inode_operations *iops);
int fwsecurityfs_remove_dir(struct dentry *dentry);
+#ifdef CONFIG_PSERIES_FWSECURITYFS_ARCH
+int arch_fwsecurity_init(void);
+#else
static int arch_fwsecurity_init(void)
{
return 0;
}
+#endif
#endif /* _FWSECURITYFS_H_ */
--
2.27.0
More information about the Linux-security-module-archive
mailing list