[OpenPower-Firmware] [PATCH 00/16] skiroot: add secure boot support
Nayna Jain
nayna at linux.ibm.com
Tue Jun 16 05:19:56 AEST 2020
This series is meant to add support for secure boot. The patches
are backported from v5.5 and higher.
It adds support for:
* ima arch specific policies for powerpc
* platform keyring for powerpc
* check against blacklist hashes
* sysfs interface to expose secure variables from OPAL
* xmon lockdown
Christopher M. Riedl (2):
powerpc/xmon: Allow listing and clearing breakpoints in read-only mode
powerpc/xmon: Restrict when kernel is locked down
Mimi Zohar (1):
powerpc/ima: Indicate kernel modules appended signatures are enforced
Nayna Jain (13):
powerpc: Detect the secure boot mode of the system
powerpc/ima: Add support to initialize ima policy rules
powerpc: Detect the trusted boot state of the system
powerpc/ima: Define trusted boot policy
ima: Make process_buffer_measurement() generic
certs: Add wrapper function to check blacklisted binary hash
ima: Check against blacklisted hashes for files with modsig
powerpc/ima: Update ima arch policy to check for blacklist
powerpc/powernv: Add OPAL API interface to access secure variable
powerpc: expose secure variables to userspace via sysfs
x86/efi: move common keyring handler functions to new file
powerpc: Load firmware trusted keys/hashes into kernel keyring
powerpc/ima: fix secure boot rules in ima arch policy
Documentation/ABI/testing/ima_policy | 4 +
Documentation/ABI/testing/sysfs-secvar | 46 ++++
arch/powerpc/Kconfig | 22 ++
arch/powerpc/include/asm/opal-api.h | 5 +-
arch/powerpc/include/asm/opal.h | 7 +
arch/powerpc/include/asm/secure_boot.h | 29 ++
arch/powerpc/include/asm/secvar.h | 35 +++
arch/powerpc/kernel/Makefile | 3 +
arch/powerpc/kernel/ima_arch.c | 78 ++++++
arch/powerpc/kernel/secure_boot.c | 50 ++++
arch/powerpc/kernel/secvar-ops.c | 17 ++
arch/powerpc/kernel/secvar-sysfs.c | 248 ++++++++++++++++++
arch/powerpc/platforms/powernv/Makefile | 1 +
arch/powerpc/platforms/powernv/opal-call.c | 3 +
arch/powerpc/platforms/powernv/opal-secvar.c | 140 ++++++++++
arch/powerpc/platforms/powernv/opal.c | 3 +
arch/powerpc/xmon/xmon.c | 119 +++++++--
certs/blacklist.c | 9 +
include/keys/system_keyring.h | 6 +
include/linux/ima.h | 3 +-
include/linux/security.h | 2 +
security/integrity/Kconfig | 9 +
security/integrity/Makefile | 7 +-
security/integrity/ima/ima.h | 11 +
security/integrity/ima/ima_appraise.c | 33 +++
security/integrity/ima/ima_main.c | 70 +++--
security/integrity/ima/ima_policy.c | 12 +-
security/integrity/integrity.h | 1 +
.../platform_certs/keyring_handler.c | 80 ++++++
.../platform_certs/keyring_handler.h | 32 +++
.../integrity/platform_certs/load_powerpc.c | 96 +++++++
security/integrity/platform_certs/load_uefi.c | 67 +----
security/lockdown/lockdown.c | 2 +
33 files changed, 1130 insertions(+), 120 deletions(-)
create mode 100644 Documentation/ABI/testing/sysfs-secvar
create mode 100644 arch/powerpc/include/asm/secure_boot.h
create mode 100644 arch/powerpc/include/asm/secvar.h
create mode 100644 arch/powerpc/kernel/ima_arch.c
create mode 100644 arch/powerpc/kernel/secure_boot.c
create mode 100644 arch/powerpc/kernel/secvar-ops.c
create mode 100644 arch/powerpc/kernel/secvar-sysfs.c
create mode 100644 arch/powerpc/platforms/powernv/opal-secvar.c
create mode 100644 security/integrity/platform_certs/keyring_handler.c
create mode 100644 security/integrity/platform_certs/keyring_handler.h
create mode 100644 security/integrity/platform_certs/load_powerpc.c
--
2.25.1
More information about the OpenPower-Firmware
mailing list