[PATCH 4/4] powerpc/pseries: expose authenticated variables stored in LPAR PKS

Nayna Jain nayna at linux.ibm.com
Sun Nov 6 21:07:44 UTC 2022


PowerVM Guest Secure boot feature need to expose firmware managed
secure variables for user management. These variables store keys for
grub/kernel verification and also corresponding denied list.

Expose these variables to the userpace via fwsecurityfs.

Example:

$ pwd
/sys/firmware/security/plpks/secvars

$ ls -ltrh
total 0
-rw-r--r-- 1 root root 831 Sep 12 18:34 PK
-rw-r--r-- 1 root root 831 Sep 12 18:34 KEK
-rw-r--r-- 1 root root 831 Sep 12 18:34 db

$ hexdump -C db
00000000  00 00 00 08 a1 59 c0 a5  e4 94 a7 4a 87 b5 ab 15  |.....Y.....J....|
00000010  5c 2b f0 72 3f 03 00 00  00 00 00 00 23 03 00 00  |\+.r?.......#...|
00000020  ca 18 1d 1c 01 7d eb 11  9a 71 08 94 ef 31 fb e4  |.....}...q...1..|
00000030  30 82 03 0f 30 82 01 f7  a0 03 02 01 02 02 14 22  |0...0.........."|
00000040  ab 18 2f d5 aa dd c5 ba  98 27 60 26 f1 63 89 54  |../......'`&.c.T|
00000050  4c 52 d9 30 0d 06 09 2a  86 48 86 f7 0d 01 01 0b  |LR.0...*.H......|
00000060  05 00 30 17 31 15 30 13  06 03 55 04 03 0c 0c 72  |..0.1.0...U....r|
...

Signed-off-by: Nayna Jain <nayna at linux.ibm.com>
---
 arch/powerpc/platforms/pseries/Kconfig        |  10 +
 arch/powerpc/platforms/pseries/Makefile       |   1 +
 .../platforms/pseries/fwsecurityfs_arch.c     |   8 +
 arch/powerpc/platforms/pseries/plpks.h        |   3 +
 arch/powerpc/platforms/pseries/secvars.c      | 365 ++++++++++++++++++
 5 files changed, 387 insertions(+)
 create mode 100644 arch/powerpc/platforms/pseries/secvars.c

diff --git a/arch/powerpc/platforms/pseries/Kconfig b/arch/powerpc/platforms/pseries/Kconfig
index 5fb45e601982..41c17f60dfe9 100644
--- a/arch/powerpc/platforms/pseries/Kconfig
+++ b/arch/powerpc/platforms/pseries/Kconfig
@@ -172,6 +172,16 @@ config PSERIES_FWSECURITYFS_ARCH
 
 	  If you are unsure how to use it, say N.
 
+config PSERIES_PLPKS_SECVARS
+       depends on PSERIES_PLPKS
+       select PSERIES_FWSECURITYFS_ARCH
+       tristate "Support for secvars"
+       help
+         This interface exposes authenticated variables stored in the LPAR
+         Platform KeyStore using fwsecurityfs interface.
+
+         If you are unsure how to use it, say N.
+
 config PAPR_SCM
 	depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM
 	tristate "Support for the PAPR Storage Class Memory interface"
diff --git a/arch/powerpc/platforms/pseries/Makefile b/arch/powerpc/platforms/pseries/Makefile
index 2903cff26258..6833f6b02798 100644
--- a/arch/powerpc/platforms/pseries/Makefile
+++ b/arch/powerpc/platforms/pseries/Makefile
@@ -29,6 +29,7 @@ obj-$(CONFIG_PPC_SVM)		+= svm.o
 obj-$(CONFIG_FA_DUMP)		+= rtas-fadump.o
 obj-$(CONFIG_PSERIES_PLPKS) += plpks.o
 obj-$(CONFIG_PSERIES_FWSECURITYFS_ARCH) += fwsecurityfs_arch.o
+obj-$(CONFIG_PSERIES_PLPKS_SECVARS) += secvars.o
 
 obj-$(CONFIG_SUSPEND)		+= suspend.o
 obj-$(CONFIG_PPC_VAS)		+= vas.o vas-sysfs.o
diff --git a/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c b/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c
index b43bd3cf7889..1cc651ad6434 100644
--- a/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c
+++ b/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c
@@ -58,6 +58,7 @@ static int create_plpks_dir(void)
 {
 	struct dentry *config_dir;
 	struct dentry *fdentry;
+	int rc;
 
 	if (!IS_ENABLED(CONFIG_PSERIES_PLPKS) || !plpks_is_available()) {
 		pr_warn("Platform KeyStore is not available on this LPAR\n");
@@ -107,6 +108,13 @@ static int create_plpks_dir(void)
 	if (IS_ERR(fdentry))
 		pr_err("Could not create version %ld\n", PTR_ERR(fdentry));
 
+	if (IS_ENABLED(CONFIG_PSERIES_PLPKS_SECVARS)) {
+		rc = plpks_secvars_init(plpks_dir);
+		if (rc)
+			pr_err("Secure Variables initialization failed with error %d\n", rc);
+		return rc;
+	}
+
 	return 0;
 }
 
diff --git a/arch/powerpc/platforms/pseries/plpks.h b/arch/powerpc/platforms/pseries/plpks.h
index fb483658549f..2d572fe4b522 100644
--- a/arch/powerpc/platforms/pseries/plpks.h
+++ b/arch/powerpc/platforms/pseries/plpks.h
@@ -11,6 +11,7 @@
 
 #include <linux/types.h>
 #include <linux/list.h>
+#include <linux/dcache.h>
 
 #define OSSECBOOTAUDIT 0x40000000
 #define OSSECBOOTENFORCE 0x20000000
@@ -103,4 +104,6 @@ u32 plpks_get_totalsize(void);
  */
 u32 plpks_get_usedspace(void);
 
+int plpks_secvars_init(struct dentry *parent);
+
 #endif
diff --git a/arch/powerpc/platforms/pseries/secvars.c b/arch/powerpc/platforms/pseries/secvars.c
new file mode 100644
index 000000000000..3d5a251d0571
--- /dev/null
+++ b/arch/powerpc/platforms/pseries/secvars.c
@@ -0,0 +1,365 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Expose secure(authenticated) variables for user key management.
+ * Copyright (C) 2022 IBM Corporation
+ * Author: Nayna Jain <nayna at linux.ibm.com>
+ *
+ */
+
+#include <linux/fwsecurityfs.h>
+#include "plpks.h"
+
+static struct dentry *secvar_dir;
+
+static const char * const names[] = {
+	"PK",
+	"KEK",
+	"db",
+	"dbx",
+	"grubdb",
+	"sbat",
+	"moduledb",
+	"trustedcadb",
+	NULL
+};
+
+static u16 get_ucs2name(const char *name, uint8_t **ucs2_name)
+{
+	int i = 0;
+	int j = 0;
+	int namelen = 0;
+
+	namelen = strlen(name) * 2;
+
+	*ucs2_name = kzalloc(namelen, GFP_KERNEL);
+	if (!*ucs2_name)
+		return 0;
+
+	while (name[i]) {
+		(*ucs2_name)[j++] = name[i];
+		(*ucs2_name)[j++] = '\0';
+		pr_debug("ucs2name is %c\n", (*ucs2_name)[j - 2]);
+		i++;
+	}
+
+	return namelen;
+}
+
+static int validate_name(const char *name)
+{
+	int i = 0;
+
+	while (names[i]) {
+		if ((strcmp(name, names[i]) == 0))
+			return 0;
+		i++;
+	}
+	pr_err("Invalid name, allowed ones are (PK,KEK,db,dbx,grubdb,sbat,moduledb,trustedcadb)\n");
+
+	return -EINVAL;
+}
+
+static u32 get_policy(const char *name)
+{
+	if ((strcmp(name, "db") == 0) ||
+	    (strcmp(name, "dbx") == 0) ||
+	    (strcmp(name, "grubdb") == 0) ||
+	    (strcmp(name, "sbat") == 0))
+		return (WORLDREADABLE | SIGNEDUPDATE);
+	else
+		return SIGNEDUPDATE;
+}
+
+static ssize_t plpks_secvar_file_write(struct file *file,
+				       const char __user *userbuf,
+				       size_t count, loff_t *ppos)
+{
+	struct plpks_var var;
+	void *data;
+	u16 ucs2_namelen;
+	u8 *ucs2_name = NULL;
+	u64 flags;
+	ssize_t rc;
+	bool exist = true;
+	u16 datasize = count;
+	struct inode *inode = file->f_mapping->host;
+
+	if (count <= sizeof(flags))
+		return -EINVAL;
+
+	ucs2_namelen = get_ucs2name(file_dentry(file)->d_iname, &ucs2_name);
+	if (ucs2_namelen == 0)
+		return -ENOMEM;
+
+	rc = copy_from_user(&flags, userbuf, sizeof(flags));
+	if (rc)
+		return -EFAULT;
+
+	datasize = count - sizeof(flags);
+
+	data = memdup_user(userbuf + sizeof(flags), datasize);
+	if (IS_ERR(data))
+		return PTR_ERR(data);
+
+	var.component = NULL;
+	var.name = ucs2_name;
+	var.namelen = ucs2_namelen;
+	var.os = PLPKS_VAR_LINUX;
+	var.datalen = 0;
+	var.data = NULL;
+
+	/* If PKS variable doesn't exist, it implies first time creation */
+	rc = plpks_read_os_var(&var);
+	if (rc) {
+		if (rc == -ENOENT) {
+			exist = false;
+		} else {
+			pr_err("Reading variable %s failed with error %ld\n",
+			       file_dentry(file)->d_iname, rc);
+			goto out;
+		}
+	}
+
+	var.datalen = datasize;
+	var.data = data;
+	var.policy = get_policy(file_dentry(file)->d_iname);
+	rc = plpks_signed_update_var(var, flags);
+	if (rc) {
+		pr_err("Update of the variable %s failed with error %ld\n",
+		       file_dentry(file)->d_iname, rc);
+		if (!exist)
+			fwsecurityfs_remove_file(file_dentry(file));
+		goto out;
+	}
+
+	/* Read variable again to get updated size of the object */
+	var.datalen = 0;
+	var.data = NULL;
+	rc = plpks_read_os_var(&var);
+	if (rc)
+		pr_err("Error updating file size\n");
+
+	inode_lock(inode);
+	i_size_write(inode, var.datalen);
+	inode->i_mtime = current_time(inode);
+	inode_unlock(inode);
+
+	rc = count;
+out:
+	kfree(data);
+	kfree(ucs2_name);
+
+	return rc;
+}
+
+static ssize_t __secvar_os_file_read(char *name, char **out, u32 *outlen)
+{
+	struct plpks_var var;
+	int rc;
+	u8 *ucs2_name = NULL;
+	u16 ucs2_namelen;
+
+	ucs2_namelen = get_ucs2name(name, &ucs2_name);
+	if (ucs2_namelen == 0)
+		return -ENOMEM;
+
+	var.component = NULL;
+	var.name = ucs2_name;
+	var.namelen = ucs2_namelen;
+	var.os = PLPKS_VAR_LINUX;
+	var.datalen = 0;
+	var.data = NULL;
+	rc = plpks_read_os_var(&var);
+	if (rc) {
+		pr_err("Error %d reading object %s from firmware\n", rc, name);
+		kfree(ucs2_name);
+		return rc;
+	}
+
+	*outlen = sizeof(var.policy) + var.datalen;
+	*out = kzalloc(*outlen, GFP_KERNEL);
+	if (!*out) {
+		rc = -ENOMEM;
+		goto err;
+	}
+
+	memcpy(*out, &var.policy, sizeof(var.policy));
+
+	memcpy(*out + sizeof(var.policy), var.data, var.datalen);
+
+err:
+	kfree(ucs2_name);
+	kfree(var.data);
+	return rc;
+}
+
+static ssize_t __secvar_fw_file_read(char *name, char **out, u32 *outlen)
+{
+	struct plpks_var var;
+	int rc;
+
+	var.component = NULL;
+	var.name = name;
+	var.namelen = strlen(name);
+	var.datalen = 0;
+	var.data = NULL;
+	rc = plpks_read_fw_var(&var);
+	if (rc) {
+		if (rc == -ENOENT) {
+			var.datalen = 1;
+			var.data = kzalloc(var.datalen, GFP_KERNEL);
+			rc = 0;
+		} else {
+			pr_err("Error %d reading object %s from firmware\n",
+			       rc, name);
+			return rc;
+		}
+	}
+
+	*outlen = var.datalen;
+	*out = kzalloc(*outlen, GFP_KERNEL);
+	if (!*out) {
+		kfree(var.data);
+		return -ENOMEM;
+	}
+
+	memcpy(*out, var.data, var.datalen);
+
+	kfree(var.data);
+	return 0;
+}
+
+static ssize_t plpks_secvar_file_read(struct file *file, char __user *userbuf,
+				      size_t count, loff_t *ppos)
+{
+	int rc;
+	char *out = NULL;
+	u32 outlen;
+	char *fname = file_dentry(file)->d_iname;
+
+	if (strcmp(fname, "SB_VERSION") == 0)
+		rc = __secvar_fw_file_read(fname, &out, &outlen);
+	else
+		rc = __secvar_os_file_read(fname, &out, &outlen);
+	if (!rc)
+		rc = simple_read_from_buffer(userbuf, count, ppos,
+					     out, outlen);
+
+	kfree(out);
+
+	return rc;
+}
+
+static const struct file_operations plpks_secvar_file_operations = {
+	.open   = simple_open,
+	.read   = plpks_secvar_file_read,
+	.write  = plpks_secvar_file_write,
+	.llseek = no_llseek,
+};
+
+static int plpks_secvar_create(struct user_namespace *mnt_userns,
+			       struct inode *dir, struct dentry *dentry,
+			       umode_t mode, bool excl)
+{
+	const char *varname;
+	struct dentry *ldentry;
+	int rc;
+
+	varname = dentry->d_name.name;
+
+	rc = validate_name(varname);
+	if (rc)
+		goto out;
+
+	ldentry = fwsecurityfs_create_file(varname, S_IFREG | 0644, 0,
+					   secvar_dir, dentry, NULL,
+					   &plpks_secvar_file_operations);
+	if (IS_ERR(ldentry)) {
+		rc = PTR_ERR(ldentry);
+		pr_err("Creation of variable %s failed with error %d\n",
+		       varname, rc);
+	}
+
+out:
+	return rc;
+}
+
+static const struct inode_operations plpks_secvar_dir_inode_operations = {
+	.lookup = simple_lookup,
+	.create = plpks_secvar_create,
+};
+
+static int plpks_fill_secvars(void)
+{
+	struct plpks_var var;
+	int rc = 0;
+	int i = 0;
+	u8 *ucs2_name = NULL;
+	u16 ucs2_namelen;
+	struct dentry *dentry;
+
+	dentry = fwsecurityfs_create_file("SB_VERSION", S_IFREG | 0444, 1,
+					  secvar_dir, NULL, NULL,
+					  &plpks_secvar_file_operations);
+	if (IS_ERR(dentry)) {
+		rc = PTR_ERR(dentry);
+		pr_err("Creation of variable SB_VERSION failed with error %d\n", rc);
+		return rc;
+	}
+
+	while (names[i]) {
+		ucs2_namelen = get_ucs2name(names[i], &ucs2_name);
+		if (ucs2_namelen == 0) {
+			i++;
+			continue;
+		}
+
+		i++;
+		var.component = NULL;
+		var.name = ucs2_name;
+		var.namelen = ucs2_namelen;
+		var.os = PLPKS_VAR_LINUX;
+		var.datalen = 0;
+		var.data = NULL;
+		rc = plpks_read_os_var(&var);
+		kfree(ucs2_name);
+		if (rc) {
+			rc = 0;
+			continue;
+		}
+
+		dentry = fwsecurityfs_create_file(names[i - 1], S_IFREG | 0644,
+						  var.datalen, secvar_dir,
+						  NULL, NULL,
+						  &plpks_secvar_file_operations);
+
+		kfree(var.data);
+		if (IS_ERR(dentry)) {
+			rc = PTR_ERR(dentry);
+			pr_err("Creation of variable %s failed with error %d\n",
+			       names[i - 1], rc);
+			break;
+		}
+	}
+
+	return rc;
+};
+
+int plpks_secvars_init(struct dentry *parent)
+{
+	int rc;
+
+	secvar_dir = fwsecurityfs_create_dir("secvars", S_IFDIR | 0755, parent,
+					     &plpks_secvar_dir_inode_operations);
+	if (IS_ERR(secvar_dir)) {
+		rc = PTR_ERR(secvar_dir);
+		pr_err("Unable to create secvars dir: %d\n", rc);
+		return rc;
+	}
+
+	rc = plpks_fill_secvars();
+	if (rc)
+		pr_err("Filling secvars failed %d\n", rc);
+
+	return rc;
+};
-- 
2.31.1



More information about the Linux-security-module-archive mailing list