On Thu Jun 8, 2023 at 3:04 PM EEST, Nayna Jain wrote:
> On PowerVM guest, variable data is prefixed with 8 bytes of timestamp.
> Extract ESL by stripping off the timestamp before passing to ESL parser.
>
> Fixes: 4b3e71e9a34c ("integrity/powerpc: Support loading keys from PLPKS")
> Cc: stable@xxxxxxxxxxxxxxxx # v6.3
> Signed-off-by: Nayna Jain <nayna@xxxxxxxxxxxxx>
> ---
> Changelog:
> v2: Fixed feedback from Jarkko
> * added CC to stable
> * moved *data declaration to same line as *db,*dbx
> Renamed extract_data() macro to extract_esl() for clarity
> .../integrity/platform_certs/load_powerpc.c | 40 ++++++++++++-------
> 1 file changed, 26 insertions(+), 14 deletions(-)
>
> diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
> index b9de70b90826..170789dc63d2 100644
> --- a/security/integrity/platform_certs/load_powerpc.c
> +++ b/security/integrity/platform_certs/load_powerpc.c
> @@ -15,6 +15,9 @@
> #include "keyring_handler.h"
> #include "../integrity.h"
>
> +#define extract_esl(db, data, size, offset) \
> + do { db = data + offset; size = size - offset; } while (0)
> +
> /*
> * Get a certificate list blob from the named secure variable.
> *
> @@ -55,8 +58,9 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size)
> */
> static int __init load_powerpc_certs(void)
> {
> - void *db = NULL, *dbx = NULL;
> - u64 dbsize = 0, dbxsize = 0;
> + void *db = NULL, *dbx = NULL, *data = NULL;
> + u64 dsize = 0;
> + u64 offset = 0;
> int rc = 0;
> ssize_t len;
> char buf[32];
> @@ -74,38 +78,46 @@ static int __init load_powerpc_certs(void)
> return -ENODEV;
> }
>
> + if (strcmp("ibm,plpks-sb-v1", buf) == 0)
> + /* PLPKS authenticated variables ESL data is prefixed with 8 bytes of timestamp */
> + offset = 8;
> +
> /*
> * Get db, and dbx. They might not exist, so it isn't an error if we
> * can't get them.
> */
> - db = get_cert_list("db", 3, &dbsize);
> - if (!db) {
> + data = get_cert_list("db", 3, &dsize);
> + if (!data) {
> pr_info("Couldn't get db list from firmware\n");
> - } else if (IS_ERR(db)) {
> - rc = PTR_ERR(db);
> + } else if (IS_ERR(data)) {
> + rc = PTR_ERR(data);
> pr_err("Error reading db from firmware: %d\n", rc);
> return rc;
> } else {
> - rc = parse_efi_signature_list("powerpc:db", db, dbsize,
> + extract_esl(db, data, dsize, offset);
> +
> + rc = parse_efi_signature_list("powerpc:db", db, dsize,
> get_handler_for_db);
> if (rc)
> pr_err("Couldn't parse db signatures: %d\n", rc);
> - kfree(db);
> + kfree(data);
> }
>
> - dbx = get_cert_list("dbx", 4, &dbxsize);
> - if (!dbx) {
> + data = get_cert_list("dbx", 4, &dsize);
> + if (!data) {
> pr_info("Couldn't get dbx list from firmware\n");
> - } else if (IS_ERR(dbx)) {
> - rc = PTR_ERR(dbx);
> + } else if (IS_ERR(data)) {
> + rc = PTR_ERR(data);
> pr_err("Error reading dbx from firmware: %d\n", rc);
> return rc;
> } else {
> - rc = parse_efi_signature_list("powerpc:dbx", dbx, dbxsize,
> + extract_esl(dbx, data, dsize, offset);
> +
> + rc = parse_efi_signature_list("powerpc:dbx", dbx, dsize,
> get_handler_for_dbx);
> if (rc)
> pr_err("Couldn't parse dbx signatures: %d\n", rc);
> - kfree(dbx);
> + kfree(data);
> }
>
> return rc;
> --
> 2.31.1
Acked-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
BR, Jarkko
