This patch set is part of a series that implements secure boot on PowerNV
systems[1]. The original series had been split into two patchsets:

1. powerpc: enable ima arch specific policies[2]
2. powerpc/powernv: expose secure variables to userspace, which is this
   patchset.

Since there are major changes in this patchset compared to the previous
one[1], I am posting it as a new series rather than v2.

As part of PowerNV secure boot support, NV OS verification keys are stored
and controlled by OPAL as secure variables. However, to allow users to
manage these keys, the secure variables need to be exposed to userspace.

OPAL provides the runtime services for the kernel to be able to access the
secure variables[3]. This patchset defines the kernel interface for the
OPAL APIs. These APIs are used by the hooks, which expose these variables
to userspace for reading/writing.

In order to reuse the existing tools, we currently use the efi hooks to
expose the secure variables via sysfs. Keeping the usability and
maintainability in mind, we are starting with this scheme as a simple sysfs
implementation. We expect to refine it over time as we incorporate the
feedback.

The patchset makes substantial reuse of drivers/firmware/efi/efivars.c and
drivers/firmware/efi/vars.c, however because POWER platforms do not use
EFI, a new config, POWER_SECVAR_SYSFS, is defined to enable this sysfs
interface in POWER.

This patchset has a prerequisite of other OPAL APIs which are posted as
part of ima arch specific patches[2].

[1] https://patchwork.kernel.org/cover/10882149/
[2] https://lkml.org/lkml/2019/6/11/868
[3] https://patchwork.ozlabs.org/project/skiboot/list/?series=112868

Claudio Carvalho (1):
  powerpc/powernv: add OPAL APIs for secure variables

Nayna Jain (1):
  powerpc: expose secure variables via sysfs

 arch/powerpc/Kconfig                         |   2 +
 arch/powerpc/include/asm/opal-api.h          |   3 +
 arch/powerpc/include/asm/opal-secvar.h       |   9 +
 arch/powerpc/include/asm/opal.h              |   8 +
 arch/powerpc/platforms/powernv/opal-call.c   |   3 +
 arch/powerpc/platforms/powernv/opal-secvar.c |  60 +++
 drivers/firmware/Makefile                    |   1 +
 drivers/firmware/efi/efivars.c               |   2 +-
 drivers/firmware/powerpc/Kconfig             |  12 +
 drivers/firmware/powerpc/Makefile            |   3 +
 drivers/firmware/powerpc/efi_error.c         |  46 +++
 drivers/firmware/powerpc/secvar.c            | 326 +++++++++++++++++++
 12 files changed, 473 insertions(+), 2 deletions(-)
 create mode 100644 drivers/firmware/powerpc/Kconfig
 create mode 100644 drivers/firmware/powerpc/Makefile
 create mode 100644 drivers/firmware/powerpc/efi_error.c
 create mode 100644 drivers/firmware/powerpc/secvar.c

-- 
2.20.1