[PATCH v4 2/3] powerpc/secvar: Expose secvars relevant to the key management mode

R Nageswara Sastry rnsastry at linux.ibm.com
Fri Jul 4 18:42:49 AEST 2025 

On 11/06/25 2:49 AM, Srish Srinivasan wrote:
> The PLPKS enabled PowerVM LPAR sysfs exposes all of the secure boot
> secvars irrespective of the key management mode.
>
> The PowerVM LPAR supports static and dynamic key management for secure
> boot. The key management option can be updated in the management
> console. The secvars PK, trustedcadb, and moduledb can be consumed both
> in the static and dynamic key management modes for the loading of signed
> third-party kernel modules. However, other secvars i.e. KEK, grubdb,
> grubdbx, sbat, db and dbx, which are used to verify the grub and kernel
> images, are consumed only in the dynamic key management mode.
>
> Expose only PK, trustedcadb, and moduledb in the static key management
> mode.
>
> Co-developed-by: Souradeep <soura at imap.linux.ibm.com>
> Signed-off-by: Souradeep <soura at imap.linux.ibm.com>
> Signed-off-by: Srish Srinivasan <ssrish at linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>
> Reviewed-by: Stefan Berger <stefanb at linux.ibm.com>
> Reviewed-by: Nayna Jain <nayna at linux.ibm.com>
> Reviewed-by: Andrew Donnellan <ajd at linux.ibm.com>
Tested-by: R Nageswara Sastry <rnsastry at linux.ibm.com>
With the following scenarios:
1. With and with out secure boot by enabling keystore_signed_updates and 
keystore_kbytes
2. With Dynamic Key Guest Secure Boot
3. With Static Key Guest Secure Boot
> ---
>   Documentation/ABI/testing/sysfs-secvar        |  7 +++++
>   arch/powerpc/platforms/pseries/plpks-secvar.c | 28 ++++++++++++++++---
>   2 files changed, 31 insertions(+), 4 deletions(-)
>
> diff --git a/Documentation/ABI/testing/sysfs-secvar b/Documentation/ABI/testing/sysfs-secvar
> index f001a4f4bd2e..1016967a730f 100644
> --- a/Documentation/ABI/testing/sysfs-secvar
> +++ b/Documentation/ABI/testing/sysfs-secvar
> @@ -38,6 +38,13 @@ Description:	Each secure variable is represented as a directory named as
>   		representation. The data and size can be determined by reading
>   		their respective attribute files.
>   
> +		Only secvars relevant to the key management mode are exposed.
> +		Only in the dynamic key management mode should the user have
> +		access (read and write) to the secure boot secvars db, dbx,
> +		grubdb, grubdbx, and sbat. These secvars are not consumed in the
> +		static key management mode. PK, trustedcadb and moduledb are the
> +		secvars common to both static and dynamic key management modes.
> +
>   What:		/sys/firmware/secvar/vars/<variable_name>/size
>   Date:		August 2019
>   Contact:	Nayna Jain <nayna at linux.ibm.com>
> diff --git a/arch/powerpc/platforms/pseries/plpks-secvar.c b/arch/powerpc/platforms/pseries/plpks-secvar.c
> index 767e5e8c6990..f9e9cc40c9d0 100644
> --- a/arch/powerpc/platforms/pseries/plpks-secvar.c
> +++ b/arch/powerpc/platforms/pseries/plpks-secvar.c
> @@ -59,7 +59,14 @@ static u32 get_policy(const char *name)
>   		return PLPKS_SIGNEDUPDATE;
>   }
>   
> -static const char * const plpks_var_names[] = {
> +static const char * const plpks_var_names_static[] = {
> +	"PK",
> +	"moduledb",
> +	"trustedcadb",
> +	NULL,
> +};
> +
> +static const char * const plpks_var_names_dynamic[] = {
>   	"PK",
>   	"KEK",
>   	"db",
> @@ -213,21 +220,34 @@ static int plpks_max_size(u64 *max_size)
>   	return 0;
>   }
>   
> +static const struct secvar_operations plpks_secvar_ops_static = {
> +	.get = plpks_get_variable,
> +	.set = plpks_set_variable,
> +	.format = plpks_secvar_format,
> +	.max_size = plpks_max_size,
> +	.config_attrs = config_attrs,
> +	.var_names = plpks_var_names_static,
> +};
>   
> -static const struct secvar_operations plpks_secvar_ops = {
> +static const struct secvar_operations plpks_secvar_ops_dynamic = {
>   	.get = plpks_get_variable,
>   	.set = plpks_set_variable,
>   	.format = plpks_secvar_format,
>   	.max_size = plpks_max_size,
>   	.config_attrs = config_attrs,
> -	.var_names = plpks_var_names,
> +	.var_names = plpks_var_names_dynamic,
>   };
>   
>   static int plpks_secvar_init(void)
>   {
> +	u8 mode;
> +
>   	if (!plpks_is_available())
>   		return -ENODEV;
>   
> -	return set_secvar_ops(&plpks_secvar_ops);
> +	mode = plpks_get_sb_keymgmt_mode();
> +	if (mode)
> +		return set_secvar_ops(&plpks_secvar_ops_dynamic);
> +	return set_secvar_ops(&plpks_secvar_ops_static);
>   }
>   machine_device_initcall(pseries, plpks_secvar_init);

-- 
Thanks and Regards
R.Nageswara Sastry

More information about the Linuxppc-dev mailing list