On 10/30/19 10:31 PM, Mimi Zohar wrote: > From: Nayna Jain <nayna@xxxxxxxxxxxxx> > > This patch defines a function to detect the secure boot state of a > PowerNV system. > > The PPC_SECURE_BOOT config represents the base enablement of secure boot > for powerpc. > > Signed-off-by: Nayna Jain <nayna@xxxxxxxxxxxxx> > --- > arch/powerpc/Kconfig | 10 ++++++++++ > arch/powerpc/include/asm/secure_boot.h | 23 +++++++++++++++++++++++ > arch/powerpc/kernel/Makefile | 2 ++ > arch/powerpc/kernel/secure_boot.c | 32 ++++++++++++++++++++++++++++++++ > 4 files changed, 67 insertions(+) > create mode 100644 arch/powerpc/include/asm/secure_boot.h > create mode 100644 arch/powerpc/kernel/secure_boot.c > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > index 3e56c9c2f16e..56ea0019b616 100644 > --- a/arch/powerpc/Kconfig > +++ b/arch/powerpc/Kconfig > @@ -934,6 +934,16 @@ config PPC_MEM_KEYS > > If unsure, say y. > > +config PPC_SECURE_BOOT > + prompt "Enable secure boot support" > + bool > + depends on PPC_POWERNV > + help > + Systems with firmware secure boot enabled need to define security > + policies to extend secure boot to the OS. This config allows a user > + to enable OS secure boot on systems that have firmware support for > + it. If in doubt say N. > + > endmenu > > config ISA_DMA_API > diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h > new file mode 100644 > index 000000000000..07d0fe0ca81f > --- /dev/null > +++ b/arch/powerpc/include/asm/secure_boot.h > @@ -0,0 +1,23 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* > + * Secure boot definitions > + * > + * Copyright (C) 2019 IBM Corporation > + * Author: Nayna Jain > + */ > +#ifndef _ASM_POWER_SECURE_BOOT_H > +#define _ASM_POWER_SECURE_BOOT_H > + > +#ifdef CONFIG_PPC_SECURE_BOOT > + > +bool is_ppc_secureboot_enabled(void); > + > +#else > + > +static inline bool is_ppc_secureboot_enabled(void) > +{ > + return false; > +} > + > +#endif > +#endif > diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile > index a7ca8fe62368..e2a54fa240ac 100644 > --- a/arch/powerpc/kernel/Makefile > +++ b/arch/powerpc/kernel/Makefile > @@ -161,6 +161,8 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),) > obj-y += ucall.o > endif > > +obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o > + > # Disable GCOV, KCOV & sanitizers in odd or sensitive code > GCOV_PROFILE_prom_init.o := n > KCOV_INSTRUMENT_prom_init.o := n > diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c > new file mode 100644 > index 000000000000..63dc82c50862 > --- /dev/null > +++ b/arch/powerpc/kernel/secure_boot.c > @@ -0,0 +1,32 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Copyright (C) 2019 IBM Corporation > + * Author: Nayna Jain > + */ > +#include <linux/types.h> > +#include <linux/of.h> > +#include <asm/secure_boot.h> > + > +bool is_ppc_secureboot_enabled(void) > +{ > + struct device_node *node; > + bool enabled = false; > + > + node = of_find_compatible_node(NULL, NULL, "ibm,secvar-v1"); Per skiboot changes, should instead look for "ibm,secureboot". Updated set can be found here: https://patchwork.ozlabs.org/project/skiboot/list/?series=140626 > + if (!of_device_is_available(node)) { > + pr_err("Cannot find secure variable node in device tree; failing to secure state\n"); The default value for "enabled" is false, so it's actually failing insecure. Although, the print is probably unnecessary. > + goto out; > + } > + > + /* > + * secureboot is enabled if os-secure-enforcing property exists, > + * else disabled. > + */ > + enabled = of_property_read_bool(node, "os-secure-enforcing"); Property has been renamed to "os-secureboot-enforcing". > +> +out: > + of_node_put(node); > + > + pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); > + return enabled; > +} >