[PATCH v4 2/3] powerpc/secvar: Expose secvars relevant to the key management mode
R Nageswara Sastry
rnsastry at linux.ibm.com
Fri Jul 4 18:42:49 AEST 2025
On 11/06/25 2:49 AM, Srish Srinivasan wrote:
> The PLPKS enabled PowerVM LPAR sysfs exposes all of the secure boot
> secvars irrespective of the key management mode.
>
> The PowerVM LPAR supports static and dynamic key management for secure
> boot. The key management option can be updated in the management
> console. The secvars PK, trustedcadb, and moduledb can be consumed both
> in the static and dynamic key management modes for the loading of signed
> third-party kernel modules. However, other secvars i.e. KEK, grubdb,
> grubdbx, sbat, db and dbx, which are used to verify the grub and kernel
> images, are consumed only in the dynamic key management mode.
>
> Expose only PK, trustedcadb, and moduledb in the static key management
> mode.
>
> Co-developed-by: Souradeep <soura at imap.linux.ibm.com>
> Signed-off-by: Souradeep <soura at imap.linux.ibm.com>
> Signed-off-by: Srish Srinivasan <ssrish at linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>
> Reviewed-by: Stefan Berger <stefanb at linux.ibm.com>
> Reviewed-by: Nayna Jain <nayna at linux.ibm.com>
> Reviewed-by: Andrew Donnellan <ajd at linux.ibm.com>
Tested-by: R Nageswara Sastry <rnsastry at linux.ibm.com>
With the following scenarios:
1. With and with out secure boot by enabling keystore_signed_updates and
keystore_kbytes
2. With Dynamic Key Guest Secure Boot
3. With Static Key Guest Secure Boot
> ---
> Documentation/ABI/testing/sysfs-secvar | 7 +++++
> arch/powerpc/platforms/pseries/plpks-secvar.c | 28 ++++++++++++++++---
> 2 files changed, 31 insertions(+), 4 deletions(-)
>
> diff --git a/Documentation/ABI/testing/sysfs-secvar b/Documentation/ABI/testing/sysfs-secvar
> index f001a4f4bd2e..1016967a730f 100644
> --- a/Documentation/ABI/testing/sysfs-secvar
> +++ b/Documentation/ABI/testing/sysfs-secvar
> @@ -38,6 +38,13 @@ Description: Each secure variable is represented as a directory named as
> representation. The data and size can be determined by reading
> their respective attribute files.
>
> + Only secvars relevant to the key management mode are exposed.
> + Only in the dynamic key management mode should the user have
> + access (read and write) to the secure boot secvars db, dbx,
> + grubdb, grubdbx, and sbat. These secvars are not consumed in the
> + static key management mode. PK, trustedcadb and moduledb are the
> + secvars common to both static and dynamic key management modes.
> +
> What: /sys/firmware/secvar/vars/<variable_name>/size
> Date: August 2019
> Contact: Nayna Jain <nayna at linux.ibm.com>
> diff --git a/arch/powerpc/platforms/pseries/plpks-secvar.c b/arch/powerpc/platforms/pseries/plpks-secvar.c
> index 767e5e8c6990..f9e9cc40c9d0 100644
> --- a/arch/powerpc/platforms/pseries/plpks-secvar.c
> +++ b/arch/powerpc/platforms/pseries/plpks-secvar.c
> @@ -59,7 +59,14 @@ static u32 get_policy(const char *name)
> return PLPKS_SIGNEDUPDATE;
> }
>
> -static const char * const plpks_var_names[] = {
> +static const char * const plpks_var_names_static[] = {
> + "PK",
> + "moduledb",
> + "trustedcadb",
> + NULL,
> +};
> +
> +static const char * const plpks_var_names_dynamic[] = {
> "PK",
> "KEK",
> "db",
> @@ -213,21 +220,34 @@ static int plpks_max_size(u64 *max_size)
> return 0;
> }
>
> +static const struct secvar_operations plpks_secvar_ops_static = {
> + .get = plpks_get_variable,
> + .set = plpks_set_variable,
> + .format = plpks_secvar_format,
> + .max_size = plpks_max_size,
> + .config_attrs = config_attrs,
> + .var_names = plpks_var_names_static,
> +};
>
> -static const struct secvar_operations plpks_secvar_ops = {
> +static const struct secvar_operations plpks_secvar_ops_dynamic = {
> .get = plpks_get_variable,
> .set = plpks_set_variable,
> .format = plpks_secvar_format,
> .max_size = plpks_max_size,
> .config_attrs = config_attrs,
> - .var_names = plpks_var_names,
> + .var_names = plpks_var_names_dynamic,
> };
>
> static int plpks_secvar_init(void)
> {
> + u8 mode;
> +
> if (!plpks_is_available())
> return -ENODEV;
>
> - return set_secvar_ops(&plpks_secvar_ops);
> + mode = plpks_get_sb_keymgmt_mode();
> + if (mode)
> + return set_secvar_ops(&plpks_secvar_ops_dynamic);
> + return set_secvar_ops(&plpks_secvar_ops_static);
> }
> machine_device_initcall(pseries, plpks_secvar_init);
--
Thanks and Regards
R.Nageswara Sastry
More information about the Linuxppc-dev
mailing list