[PATCH 4/4] powerpc/pseries: expose authenticated variables stored in LPAR PKS
Nayna Jain
nayna at linux.ibm.com
Sun Nov 6 21:07:44 UTC 2022
PowerVM Guest Secure boot feature need to expose firmware managed
secure variables for user management. These variables store keys for
grub/kernel verification and also corresponding denied list.
Expose these variables to the userpace via fwsecurityfs.
Example:
$ pwd
/sys/firmware/security/plpks/secvars
$ ls -ltrh
total 0
-rw-r--r-- 1 root root 831 Sep 12 18:34 PK
-rw-r--r-- 1 root root 831 Sep 12 18:34 KEK
-rw-r--r-- 1 root root 831 Sep 12 18:34 db
$ hexdump -C db
00000000 00 00 00 08 a1 59 c0 a5 e4 94 a7 4a 87 b5 ab 15 |.....Y.....J....|
00000010 5c 2b f0 72 3f 03 00 00 00 00 00 00 23 03 00 00 |\+.r?.......#...|
00000020 ca 18 1d 1c 01 7d eb 11 9a 71 08 94 ef 31 fb e4 |.....}...q...1..|
00000030 30 82 03 0f 30 82 01 f7 a0 03 02 01 02 02 14 22 |0...0.........."|
00000040 ab 18 2f d5 aa dd c5 ba 98 27 60 26 f1 63 89 54 |../......'`&.c.T|
00000050 4c 52 d9 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b |LR.0...*.H......|
00000060 05 00 30 17 31 15 30 13 06 03 55 04 03 0c 0c 72 |..0.1.0...U....r|
...
Signed-off-by: Nayna Jain <nayna at linux.ibm.com>
---
arch/powerpc/platforms/pseries/Kconfig | 10 +
arch/powerpc/platforms/pseries/Makefile | 1 +
.../platforms/pseries/fwsecurityfs_arch.c | 8 +
arch/powerpc/platforms/pseries/plpks.h | 3 +
arch/powerpc/platforms/pseries/secvars.c | 365 ++++++++++++++++++
5 files changed, 387 insertions(+)
create mode 100644 arch/powerpc/platforms/pseries/secvars.c
diff --git a/arch/powerpc/platforms/pseries/Kconfig b/arch/powerpc/platforms/pseries/Kconfig
index 5fb45e601982..41c17f60dfe9 100644
--- a/arch/powerpc/platforms/pseries/Kconfig
+++ b/arch/powerpc/platforms/pseries/Kconfig
@@ -172,6 +172,16 @@ config PSERIES_FWSECURITYFS_ARCH
If you are unsure how to use it, say N.
+config PSERIES_PLPKS_SECVARS
+ depends on PSERIES_PLPKS
+ select PSERIES_FWSECURITYFS_ARCH
+ tristate "Support for secvars"
+ help
+ This interface exposes authenticated variables stored in the LPAR
+ Platform KeyStore using fwsecurityfs interface.
+
+ If you are unsure how to use it, say N.
+
config PAPR_SCM
depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM
tristate "Support for the PAPR Storage Class Memory interface"
diff --git a/arch/powerpc/platforms/pseries/Makefile b/arch/powerpc/platforms/pseries/Makefile
index 2903cff26258..6833f6b02798 100644
--- a/arch/powerpc/platforms/pseries/Makefile
+++ b/arch/powerpc/platforms/pseries/Makefile
@@ -29,6 +29,7 @@ obj-$(CONFIG_PPC_SVM) += svm.o
obj-$(CONFIG_FA_DUMP) += rtas-fadump.o
obj-$(CONFIG_PSERIES_PLPKS) += plpks.o
obj-$(CONFIG_PSERIES_FWSECURITYFS_ARCH) += fwsecurityfs_arch.o
+obj-$(CONFIG_PSERIES_PLPKS_SECVARS) += secvars.o
obj-$(CONFIG_SUSPEND) += suspend.o
obj-$(CONFIG_PPC_VAS) += vas.o vas-sysfs.o
diff --git a/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c b/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c
index b43bd3cf7889..1cc651ad6434 100644
--- a/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c
+++ b/arch/powerpc/platforms/pseries/fwsecurityfs_arch.c
@@ -58,6 +58,7 @@ static int create_plpks_dir(void)
{
struct dentry *config_dir;
struct dentry *fdentry;
+ int rc;
if (!IS_ENABLED(CONFIG_PSERIES_PLPKS) || !plpks_is_available()) {
pr_warn("Platform KeyStore is not available on this LPAR\n");
@@ -107,6 +108,13 @@ static int create_plpks_dir(void)
if (IS_ERR(fdentry))
pr_err("Could not create version %ld\n", PTR_ERR(fdentry));
+ if (IS_ENABLED(CONFIG_PSERIES_PLPKS_SECVARS)) {
+ rc = plpks_secvars_init(plpks_dir);
+ if (rc)
+ pr_err("Secure Variables initialization failed with error %d\n", rc);
+ return rc;
+ }
+
return 0;
}
diff --git a/arch/powerpc/platforms/pseries/plpks.h b/arch/powerpc/platforms/pseries/plpks.h
index fb483658549f..2d572fe4b522 100644
--- a/arch/powerpc/platforms/pseries/plpks.h
+++ b/arch/powerpc/platforms/pseries/plpks.h
@@ -11,6 +11,7 @@
#include <linux/types.h>
#include <linux/list.h>
+#include <linux/dcache.h>
#define OSSECBOOTAUDIT 0x40000000
#define OSSECBOOTENFORCE 0x20000000
@@ -103,4 +104,6 @@ u32 plpks_get_totalsize(void);
*/
u32 plpks_get_usedspace(void);
+int plpks_secvars_init(struct dentry *parent);
+
#endif
diff --git a/arch/powerpc/platforms/pseries/secvars.c b/arch/powerpc/platforms/pseries/secvars.c
new file mode 100644
index 000000000000..3d5a251d0571
--- /dev/null
+++ b/arch/powerpc/platforms/pseries/secvars.c
@@ -0,0 +1,365 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Expose secure(authenticated) variables for user key management.
+ * Copyright (C) 2022 IBM Corporation
+ * Author: Nayna Jain <nayna at linux.ibm.com>
+ *
+ */
+
+#include <linux/fwsecurityfs.h>
+#include "plpks.h"
+
+static struct dentry *secvar_dir;
+
+static const char * const names[] = {
+ "PK",
+ "KEK",
+ "db",
+ "dbx",
+ "grubdb",
+ "sbat",
+ "moduledb",
+ "trustedcadb",
+ NULL
+};
+
+static u16 get_ucs2name(const char *name, uint8_t **ucs2_name)
+{
+ int i = 0;
+ int j = 0;
+ int namelen = 0;
+
+ namelen = strlen(name) * 2;
+
+ *ucs2_name = kzalloc(namelen, GFP_KERNEL);
+ if (!*ucs2_name)
+ return 0;
+
+ while (name[i]) {
+ (*ucs2_name)[j++] = name[i];
+ (*ucs2_name)[j++] = '\0';
+ pr_debug("ucs2name is %c\n", (*ucs2_name)[j - 2]);
+ i++;
+ }
+
+ return namelen;
+}
+
+static int validate_name(const char *name)
+{
+ int i = 0;
+
+ while (names[i]) {
+ if ((strcmp(name, names[i]) == 0))
+ return 0;
+ i++;
+ }
+ pr_err("Invalid name, allowed ones are (PK,KEK,db,dbx,grubdb,sbat,moduledb,trustedcadb)\n");
+
+ return -EINVAL;
+}
+
+static u32 get_policy(const char *name)
+{
+ if ((strcmp(name, "db") == 0) ||
+ (strcmp(name, "dbx") == 0) ||
+ (strcmp(name, "grubdb") == 0) ||
+ (strcmp(name, "sbat") == 0))
+ return (WORLDREADABLE | SIGNEDUPDATE);
+ else
+ return SIGNEDUPDATE;
+}
+
+static ssize_t plpks_secvar_file_write(struct file *file,
+ const char __user *userbuf,
+ size_t count, loff_t *ppos)
+{
+ struct plpks_var var;
+ void *data;
+ u16 ucs2_namelen;
+ u8 *ucs2_name = NULL;
+ u64 flags;
+ ssize_t rc;
+ bool exist = true;
+ u16 datasize = count;
+ struct inode *inode = file->f_mapping->host;
+
+ if (count <= sizeof(flags))
+ return -EINVAL;
+
+ ucs2_namelen = get_ucs2name(file_dentry(file)->d_iname, &ucs2_name);
+ if (ucs2_namelen == 0)
+ return -ENOMEM;
+
+ rc = copy_from_user(&flags, userbuf, sizeof(flags));
+ if (rc)
+ return -EFAULT;
+
+ datasize = count - sizeof(flags);
+
+ data = memdup_user(userbuf + sizeof(flags), datasize);
+ if (IS_ERR(data))
+ return PTR_ERR(data);
+
+ var.component = NULL;
+ var.name = ucs2_name;
+ var.namelen = ucs2_namelen;
+ var.os = PLPKS_VAR_LINUX;
+ var.datalen = 0;
+ var.data = NULL;
+
+ /* If PKS variable doesn't exist, it implies first time creation */
+ rc = plpks_read_os_var(&var);
+ if (rc) {
+ if (rc == -ENOENT) {
+ exist = false;
+ } else {
+ pr_err("Reading variable %s failed with error %ld\n",
+ file_dentry(file)->d_iname, rc);
+ goto out;
+ }
+ }
+
+ var.datalen = datasize;
+ var.data = data;
+ var.policy = get_policy(file_dentry(file)->d_iname);
+ rc = plpks_signed_update_var(var, flags);
+ if (rc) {
+ pr_err("Update of the variable %s failed with error %ld\n",
+ file_dentry(file)->d_iname, rc);
+ if (!exist)
+ fwsecurityfs_remove_file(file_dentry(file));
+ goto out;
+ }
+
+ /* Read variable again to get updated size of the object */
+ var.datalen = 0;
+ var.data = NULL;
+ rc = plpks_read_os_var(&var);
+ if (rc)
+ pr_err("Error updating file size\n");
+
+ inode_lock(inode);
+ i_size_write(inode, var.datalen);
+ inode->i_mtime = current_time(inode);
+ inode_unlock(inode);
+
+ rc = count;
+out:
+ kfree(data);
+ kfree(ucs2_name);
+
+ return rc;
+}
+
+static ssize_t __secvar_os_file_read(char *name, char **out, u32 *outlen)
+{
+ struct plpks_var var;
+ int rc;
+ u8 *ucs2_name = NULL;
+ u16 ucs2_namelen;
+
+ ucs2_namelen = get_ucs2name(name, &ucs2_name);
+ if (ucs2_namelen == 0)
+ return -ENOMEM;
+
+ var.component = NULL;
+ var.name = ucs2_name;
+ var.namelen = ucs2_namelen;
+ var.os = PLPKS_VAR_LINUX;
+ var.datalen = 0;
+ var.data = NULL;
+ rc = plpks_read_os_var(&var);
+ if (rc) {
+ pr_err("Error %d reading object %s from firmware\n", rc, name);
+ kfree(ucs2_name);
+ return rc;
+ }
+
+ *outlen = sizeof(var.policy) + var.datalen;
+ *out = kzalloc(*outlen, GFP_KERNEL);
+ if (!*out) {
+ rc = -ENOMEM;
+ goto err;
+ }
+
+ memcpy(*out, &var.policy, sizeof(var.policy));
+
+ memcpy(*out + sizeof(var.policy), var.data, var.datalen);
+
+err:
+ kfree(ucs2_name);
+ kfree(var.data);
+ return rc;
+}
+
+static ssize_t __secvar_fw_file_read(char *name, char **out, u32 *outlen)
+{
+ struct plpks_var var;
+ int rc;
+
+ var.component = NULL;
+ var.name = name;
+ var.namelen = strlen(name);
+ var.datalen = 0;
+ var.data = NULL;
+ rc = plpks_read_fw_var(&var);
+ if (rc) {
+ if (rc == -ENOENT) {
+ var.datalen = 1;
+ var.data = kzalloc(var.datalen, GFP_KERNEL);
+ rc = 0;
+ } else {
+ pr_err("Error %d reading object %s from firmware\n",
+ rc, name);
+ return rc;
+ }
+ }
+
+ *outlen = var.datalen;
+ *out = kzalloc(*outlen, GFP_KERNEL);
+ if (!*out) {
+ kfree(var.data);
+ return -ENOMEM;
+ }
+
+ memcpy(*out, var.data, var.datalen);
+
+ kfree(var.data);
+ return 0;
+}
+
+static ssize_t plpks_secvar_file_read(struct file *file, char __user *userbuf,
+ size_t count, loff_t *ppos)
+{
+ int rc;
+ char *out = NULL;
+ u32 outlen;
+ char *fname = file_dentry(file)->d_iname;
+
+ if (strcmp(fname, "SB_VERSION") == 0)
+ rc = __secvar_fw_file_read(fname, &out, &outlen);
+ else
+ rc = __secvar_os_file_read(fname, &out, &outlen);
+ if (!rc)
+ rc = simple_read_from_buffer(userbuf, count, ppos,
+ out, outlen);
+
+ kfree(out);
+
+ return rc;
+}
+
+static const struct file_operations plpks_secvar_file_operations = {
+ .open = simple_open,
+ .read = plpks_secvar_file_read,
+ .write = plpks_secvar_file_write,
+ .llseek = no_llseek,
+};
+
+static int plpks_secvar_create(struct user_namespace *mnt_userns,
+ struct inode *dir, struct dentry *dentry,
+ umode_t mode, bool excl)
+{
+ const char *varname;
+ struct dentry *ldentry;
+ int rc;
+
+ varname = dentry->d_name.name;
+
+ rc = validate_name(varname);
+ if (rc)
+ goto out;
+
+ ldentry = fwsecurityfs_create_file(varname, S_IFREG | 0644, 0,
+ secvar_dir, dentry, NULL,
+ &plpks_secvar_file_operations);
+ if (IS_ERR(ldentry)) {
+ rc = PTR_ERR(ldentry);
+ pr_err("Creation of variable %s failed with error %d\n",
+ varname, rc);
+ }
+
+out:
+ return rc;
+}
+
+static const struct inode_operations plpks_secvar_dir_inode_operations = {
+ .lookup = simple_lookup,
+ .create = plpks_secvar_create,
+};
+
+static int plpks_fill_secvars(void)
+{
+ struct plpks_var var;
+ int rc = 0;
+ int i = 0;
+ u8 *ucs2_name = NULL;
+ u16 ucs2_namelen;
+ struct dentry *dentry;
+
+ dentry = fwsecurityfs_create_file("SB_VERSION", S_IFREG | 0444, 1,
+ secvar_dir, NULL, NULL,
+ &plpks_secvar_file_operations);
+ if (IS_ERR(dentry)) {
+ rc = PTR_ERR(dentry);
+ pr_err("Creation of variable SB_VERSION failed with error %d\n", rc);
+ return rc;
+ }
+
+ while (names[i]) {
+ ucs2_namelen = get_ucs2name(names[i], &ucs2_name);
+ if (ucs2_namelen == 0) {
+ i++;
+ continue;
+ }
+
+ i++;
+ var.component = NULL;
+ var.name = ucs2_name;
+ var.namelen = ucs2_namelen;
+ var.os = PLPKS_VAR_LINUX;
+ var.datalen = 0;
+ var.data = NULL;
+ rc = plpks_read_os_var(&var);
+ kfree(ucs2_name);
+ if (rc) {
+ rc = 0;
+ continue;
+ }
+
+ dentry = fwsecurityfs_create_file(names[i - 1], S_IFREG | 0644,
+ var.datalen, secvar_dir,
+ NULL, NULL,
+ &plpks_secvar_file_operations);
+
+ kfree(var.data);
+ if (IS_ERR(dentry)) {
+ rc = PTR_ERR(dentry);
+ pr_err("Creation of variable %s failed with error %d\n",
+ names[i - 1], rc);
+ break;
+ }
+ }
+
+ return rc;
+};
+
+int plpks_secvars_init(struct dentry *parent)
+{
+ int rc;
+
+ secvar_dir = fwsecurityfs_create_dir("secvars", S_IFDIR | 0755, parent,
+ &plpks_secvar_dir_inode_operations);
+ if (IS_ERR(secvar_dir)) {
+ rc = PTR_ERR(secvar_dir);
+ pr_err("Unable to create secvars dir: %d\n", rc);
+ return rc;
+ }
+
+ rc = plpks_fill_secvars();
+ if (rc)
+ pr_err("Filling secvars failed %d\n", rc);
+
+ return rc;
+};
--
2.31.1
More information about the Linux-security-module-archive
mailing list