[OpenPower-Firmware] [PATCH 00/16] skiroot: add secure boot support
Klaus Heinrich Kiwi
klaus at linux.vnet.ibm.com
Wed Jun 17 00:00:06 AEST 2020
On 6/15/2020 4:19 PM, Nayna Jain wrote:
> This series is meant to add support for secure boot. The patches
> are backported from v5.5 and higher.
> It adds support for:
Nayna,
Joel can perhaps clarify, but I believe that the format we are expecting for
this is patches on top of op-build...
That means you have to use git-format-patch to create patches on top of the linux-kernel
version used by upstream op-build and place them in op-build/openpower/linux,
and then commit those new files to your local op-build tree and once again
use git-format-patch or git-send-email to send them to this list with the additions proposed
to upstream op-build...
-Klaus
> * ima arch specific policies for powerpc
> * platform keyring for powerpc
> * check against blacklist hashes
> * sysfs interface to expose secure variables from OPAL
> * xmon lockdown
>
> Christopher M. Riedl (2):
> powerpc/xmon: Allow listing and clearing breakpoints in read-only mode
> powerpc/xmon: Restrict when kernel is locked down
>
> Mimi Zohar (1):
> powerpc/ima: Indicate kernel modules appended signatures are enforced
>
> Nayna Jain (13):
> powerpc: Detect the secure boot mode of the system
> powerpc/ima: Add support to initialize ima policy rules
> powerpc: Detect the trusted boot state of the system
> powerpc/ima: Define trusted boot policy
> ima: Make process_buffer_measurement() generic
> certs: Add wrapper function to check blacklisted binary hash
> ima: Check against blacklisted hashes for files with modsig
> powerpc/ima: Update ima arch policy to check for blacklist
> powerpc/powernv: Add OPAL API interface to access secure variable
> powerpc: expose secure variables to userspace via sysfs
> x86/efi: move common keyring handler functions to new file
> powerpc: Load firmware trusted keys/hashes into kernel keyring
> powerpc/ima: fix secure boot rules in ima arch policy
>
> Documentation/ABI/testing/ima_policy | 4 +
> Documentation/ABI/testing/sysfs-secvar | 46 ++++
> arch/powerpc/Kconfig | 22 ++
> arch/powerpc/include/asm/opal-api.h | 5 +-
> arch/powerpc/include/asm/opal.h | 7 +
> arch/powerpc/include/asm/secure_boot.h | 29 ++
> arch/powerpc/include/asm/secvar.h | 35 +++
> arch/powerpc/kernel/Makefile | 3 +
> arch/powerpc/kernel/ima_arch.c | 78 ++++++
> arch/powerpc/kernel/secure_boot.c | 50 ++++
> arch/powerpc/kernel/secvar-ops.c | 17 ++
> arch/powerpc/kernel/secvar-sysfs.c | 248 ++++++++++++++++++
> arch/powerpc/platforms/powernv/Makefile | 1 +
> arch/powerpc/platforms/powernv/opal-call.c | 3 +
> arch/powerpc/platforms/powernv/opal-secvar.c | 140 ++++++++++
> arch/powerpc/platforms/powernv/opal.c | 3 +
> arch/powerpc/xmon/xmon.c | 119 +++++++--
> certs/blacklist.c | 9 +
> include/keys/system_keyring.h | 6 +
> include/linux/ima.h | 3 +-
> include/linux/security.h | 2 +
> security/integrity/Kconfig | 9 +
> security/integrity/Makefile | 7 +-
> security/integrity/ima/ima.h | 11 +
> security/integrity/ima/ima_appraise.c | 33 +++
> security/integrity/ima/ima_main.c | 70 +++--
> security/integrity/ima/ima_policy.c | 12 +-
> security/integrity/integrity.h | 1 +
> .../platform_certs/keyring_handler.c | 80 ++++++
> .../platform_certs/keyring_handler.h | 32 +++
> .../integrity/platform_certs/load_powerpc.c | 96 +++++++
> security/integrity/platform_certs/load_uefi.c | 67 +----
> security/lockdown/lockdown.c | 2 +
> 33 files changed, 1130 insertions(+), 120 deletions(-)
> create mode 100644 Documentation/ABI/testing/sysfs-secvar
> create mode 100644 arch/powerpc/include/asm/secure_boot.h
> create mode 100644 arch/powerpc/include/asm/secvar.h
> create mode 100644 arch/powerpc/kernel/ima_arch.c
> create mode 100644 arch/powerpc/kernel/secure_boot.c
> create mode 100644 arch/powerpc/kernel/secvar-ops.c
> create mode 100644 arch/powerpc/kernel/secvar-sysfs.c
> create mode 100644 arch/powerpc/platforms/powernv/opal-secvar.c
> create mode 100644 security/integrity/platform_certs/keyring_handler.c
> create mode 100644 security/integrity/platform_certs/keyring_handler.h
> create mode 100644 security/integrity/platform_certs/load_powerpc.c
>
--
Klaus Heinrich Kiwi <klaus at linux.vnet.ibm.com>
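The submission workflow Klaus sketches above (format the kernel commits as patches, drop them into op-build/openpower/linux, commit that to op-build, then format the op-build commit for the list), as an added, runnable example. This is not code from the thread, from op-build or from the kernel series: it builds two throwaway git repositories here so it runs offline. The repository contents, the tag name v5.4-demo, the commit identity and the helper function names are all constructed for the demo; only the openpower/linux directory comes from the email.

```shell
#!/bin/sh
# Added example, not from the thread or from op-build: the backport workflow
# Klaus describes, run against two constructed git repos so it works offline.
# Everything except the openpower/linux directory name is a demo assumption.
set -eu

# Identity for the throwaway commits (constructed, not a real contributor).
export GIT_AUTHOR_NAME="Demo Backporter" GIT_AUTHOR_EMAIL="demo@example.invalid"
export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME" GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"

# Steps 1+2: format every commit after the base op-build pins as a mailbox
# patch, writing straight into op-build/openpower/linux.
#   $1 kernel tree   $2 base ref op-build builds from   $3 op-build tree
export_kernel_patches() {
    dest="$3/openpower/linux"
    mkdir -p "$dest"
    # -o is resolved from the cwd that -C switches to, so pass an absolute path.
    git -C "$1" format-patch -q -o "$(cd "$dest" && pwd)" "$2..HEAD"
}

# Step 3: commit the new patch files in the op-build tree.
commit_patches_to_opbuild() {
    git -C "$1" add openpower/linux
    git -C "$1" commit -q -m "linux: backport secure boot patches"
}

# Step 4: produce the op-build patch that goes to the list
# (git send-email would take the same file as input).  $1 op-build, $2 outdir
format_opbuild_patch() {
    git -C "$1" format-patch -q -1 -o "$(cd "$2" && pwd)" HEAD
}

# Number of *.patch files under a tree's openpower/linux (used for checks).
count_patches() {
    find "$1/openpower/linux" -name '*.patch' | wc -l | tr -d ' '
}

# Build the constructed repos: a stand-in kernel tagged at the ref op-build
# pins, with one backport commit on top, and a minimal op-build tree.
setup_demo() {
    root="$1"
    mkdir -p "$root/linux/arch/powerpc/kernel" "$root/op-build/openpower"
    git -C "$root/linux" init -q
    echo "obj-y := " > "$root/linux/arch/powerpc/kernel/Makefile"
    git -C "$root/linux" add -A
    git -C "$root/linux" commit -q -m "Constructed kernel baseline"
    git -C "$root/linux" tag v5.4-demo   # hypothetical version op-build pins
    # The backport: a stand-in for one file the series adds (content is fake).
    printf '%s\n' '/* constructed stand-in for the real secure_boot.c */' \
        > "$root/linux/arch/powerpc/kernel/secure_boot.c"
    git -C "$root/linux" add -A
    git -C "$root/linux" commit -q -m "powerpc: Detect the secure boot mode of the system"
    git -C "$root/op-build" init -q
    echo "# constructed op-build stand-in" > "$root/op-build/README"
    git -C "$root/op-build" add -A
    git -C "$root/op-build" commit -q -m "Constructed op-build baseline"
}

DEMO_ROOT="$(mktemp -d)"
setup_demo "$DEMO_ROOT"
export_kernel_patches "$DEMO_ROOT/linux" v5.4-demo "$DEMO_ROOT/op-build"
commit_patches_to_opbuild "$DEMO_ROOT/op-build"
mkdir -p "$DEMO_ROOT/outgoing"
format_opbuild_patch "$DEMO_ROOT/op-build" "$DEMO_ROOT/outgoing"
```

The patch that reaches the list is the one in the outgoing directory: a single op-build commit whose diff adds the numbered kernel patches under openpower/linux, which is the form the reply asks for rather than the raw kernel series.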