[OpenPower-Firmware] [PATCH 00/16] skiroot: add secure boot support
Joel Stanley
joel at jms.id.au
Tue Jun 23 17:22:26 AEST 2020
On Tue, 16 Jun 2020 at 14:00, Klaus Heinrich Kiwi
<klaus at linux.vnet.ibm.com> wrote:
>
>
>
> On 6/15/2020 4:19 PM, Nayna Jain wrote:
> > This series is meant to add support for secure boot. The patches
> > are backported from v5.5 and higher.
> > It adds support for:
>
> Nayna,
>
> Joel can perhaps clarify, but I believe that the format we are expecting for
> this are patches on top of op-build...
>
> That means you have to use git-format-patch to create patches on top of linux-kernel
> version used by upstream op-build and place them on op-build/openpower/linux,
> and then you commit those new files to your local op-build tree and once again
> use git-format-patch or git-send-email to this list with the additions proposed
> to upstream op-build...

To avoid confusion: the format that Nayna has sent is what we are after.

Thanks,
Joel

>
> -Klaus
>
>
> > * ima arch specific policies for powerpc
> > * platform keyring for powerpc
> > * check against blacklist hashes
> > * sysfs interface to expose secure variables from OPAL
> > * xmon lockdown
> >
> > Christopher M. Riedl (2):
> > powerpc/xmon: Allow listing and clearing breakpoints in read-only mode
> > powerpc/xmon: Restrict when kernel is locked down
> >
> > Mimi Zohar (1):
> > powerpc/ima: Indicate kernel modules appended signatures are enforced
> >
> > Nayna Jain (13):
> > powerpc: Detect the secure boot mode of the system
> > powerpc/ima: Add support to initialize ima policy rules
> > powerpc: Detect the trusted boot state of the system
> > powerpc/ima: Define trusted boot policy
> > ima: Make process_buffer_measurement() generic
> > certs: Add wrapper function to check blacklisted binary hash
> > ima: Check against blacklisted hashes for files with modsig
> > powerpc/ima: Update ima arch policy to check for blacklist
> > powerpc/powernv: Add OPAL API interface to access secure variable
> > powerpc: expose secure variables to userspace via sysfs
> > x86/efi: move common keyring handler functions to new file
> > powerpc: Load firmware trusted keys/hashes into kernel keyring
> > powerpc/ima: fix secure boot rules in ima arch policy
> >
> > Documentation/ABI/testing/ima_policy | 4 +
> > Documentation/ABI/testing/sysfs-secvar | 46 ++++
> > arch/powerpc/Kconfig | 22 ++
> > arch/powerpc/include/asm/opal-api.h | 5 +-
> > arch/powerpc/include/asm/opal.h | 7 +
> > arch/powerpc/include/asm/secure_boot.h | 29 ++
> > arch/powerpc/include/asm/secvar.h | 35 +++
> > arch/powerpc/kernel/Makefile | 3 +
> > arch/powerpc/kernel/ima_arch.c | 78 ++++++
> > arch/powerpc/kernel/secure_boot.c | 50 ++++
> > arch/powerpc/kernel/secvar-ops.c | 17 ++
> > arch/powerpc/kernel/secvar-sysfs.c | 248 ++++++++++++++++++
> > arch/powerpc/platforms/powernv/Makefile | 1 +
> > arch/powerpc/platforms/powernv/opal-call.c | 3 +
> > arch/powerpc/platforms/powernv/opal-secvar.c | 140 ++++++++++
> > arch/powerpc/platforms/powernv/opal.c | 3 +
> > arch/powerpc/xmon/xmon.c | 119 +++++++--
> > certs/blacklist.c | 9 +
> > include/keys/system_keyring.h | 6 +
> > include/linux/ima.h | 3 +-
> > include/linux/security.h | 2 +
> > security/integrity/Kconfig | 9 +
> > security/integrity/Makefile | 7 +-
> > security/integrity/ima/ima.h | 11 +
> > security/integrity/ima/ima_appraise.c | 33 +++
> > security/integrity/ima/ima_main.c | 70 +++--
> > security/integrity/ima/ima_policy.c | 12 +-
> > security/integrity/integrity.h | 1 +
> > .../platform_certs/keyring_handler.c | 80 ++++++
> > .../platform_certs/keyring_handler.h | 32 +++
> > .../integrity/platform_certs/load_powerpc.c | 96 +++++++
> > security/integrity/platform_certs/load_uefi.c | 67 +----
> > security/lockdown/lockdown.c | 2 +
> > 33 files changed, 1130 insertions(+), 120 deletions(-)
> > create mode 100644 Documentation/ABI/testing/sysfs-secvar
> > create mode 100644 arch/powerpc/include/asm/secure_boot.h
> > create mode 100644 arch/powerpc/include/asm/secvar.h
> > create mode 100644 arch/powerpc/kernel/ima_arch.c
> > create mode 100644 arch/powerpc/kernel/secure_boot.c
> > create mode 100644 arch/powerpc/kernel/secvar-ops.c
> > create mode 100644 arch/powerpc/kernel/secvar-sysfs.c
> > create mode 100644 arch/powerpc/platforms/powernv/opal-secvar.c
> > create mode 100644 security/integrity/platform_certs/keyring_handler.c
> > create mode 100644 security/integrity/platform_certs/keyring_handler.h
> > create mode 100644 security/integrity/platform_certs/load_powerpc.c
> >
>
> --
> Klaus Heinrich Kiwi <klaus at linux.vnet.ibm.com>