[Skiboot] [PATCH v2] libstb/stb.c: ignore the secure mode flag unless forced in NVRAM

Stewart Smith stewart at linux.vnet.ibm.com
Wed Oct 26 16:17:35 AEDT 2016


From: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>

For this stage in Trusted Boot development, we are wishing to not
force Secure Mode through the whole firmware boot process, but we
are wanting to be able to test it (classic chicken and egg problem with
build infrastructure).

We disabled secure mode if the secure-enabled devtree property is
read from the device tree *IF* we aren't overriding it through NVRAM.
Seeing as we can only increase (not decrease) what we're checking through
the NVRAM variable, it is safe.

The NVRAM setting is force-secure-mode=true in the ibm,skiboot partition.

However, if you want to force secure mode even if Hostboot has *not* set
the secure-enabled property in the device tree, set force-secure-mode
to "always".

There is also a force-trusted-mode NVRAM setting to force trusted mode
even if Hostboot has not enabled it in the device tree.

To indicate to Linux that we haven't gone through the whole firmware
process in secure mode, we replace the 'secure-enabled' property with
'partial-secure-enabled', to indicate that only part of the firmware
boot process has gone through secure mode.

Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
[stewart at linux.vnet.ibm.com: add NVRAM flag, modify commit message]
Signed-off-by: Stewart Smith <stewart at linux.vnet.ibm.com>
---

Changes in v2:
* add property for trusted boot
* rejig NVRAM to be initialized before libstb so we can read NVRAM.

 core/init.c  |  6 +++---
 libstb/stb.c | 24 +++++++++++++++++++++---
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/core/init.c b/core/init.c
index 7d75fd28d04c..9557f4769a93 100644
--- a/core/init.c
+++ b/core/init.c
@@ -889,6 +889,9 @@ void __noreturn __nomcount main_cpu_entry(const void *fdt)
 	if (platform.init)
 		platform.init();
 
+	/* Read in NVRAM and set it up */
+	nvram_init();
+
 	/* Secure/Trusted Boot init. We look for /ibm,secureboot in DT */
 	stb_init();
 
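Review bot: the ordering dependency introduced here is not documented at the call site; stb_init() now queries NVRAM via nvram_query_eq(), so the moved call only works if nvram_init() has completed first. Suggest making that explicit in the comment, e.g. `/* Read in NVRAM and set it up (must precede stb_init(), which queries it) */`, so a later reordering does not silently turn both force-* settings into no-ops.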
@@ -901,9 +904,6 @@ void __noreturn __nomcount main_cpu_entry(const void *fdt)
 
 	op_display(OP_LOG, OP_MOD_INIT, 0x0002);
 
-	/* Read in NVRAM and set it up */
-	nvram_init();
-
 	phb3_preload_vpd();
 	phb3_preload_capp_ucode();
 	start_preload_kernel();
diff --git a/libstb/stb.c b/libstb/stb.c
index 8c8f3803145f..4dc28a958e11 100644
--- a/libstb/stb.c
+++ b/libstb/stb.c
@@ -19,6 +19,7 @@
 #include <platform.h>
 #include <string.h>
 #include <stdio.h>
+#include <nvram.h>
 #include "stb.h"
 #include "status_codes.h"
 #include "container.h"
@@ -100,7 +101,7 @@ static void sb_enforce(void)
 
 void stb_init(void)
 {
-	const struct dt_node *ibm_secureboot;
+	struct dt_node *ibm_secureboot;
 	/*
 	 * The ibm,secureboot device tree properties are documented in
 	 * 'doc/device-tree/ibm,secureboot.rst'
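Review bot: the `const` on `ibm_secureboot` is dropped without a comment explaining why; it is needed because the later hunk now mutates the node with dt_check_del_prop() and dt_add_property(). A one-line comment next to the declaration (or in the commit message) would make the widening of mutability intentional rather than look like an accidental cleanup.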
@@ -117,8 +118,21 @@ void stb_init(void)
 #else
 	secure_mode = dt_has_node_property(ibm_secureboot, "secure-enabled",
 					   NULL);
-	prlog(PR_NOTICE, "STB: secure mode %s\n",
-	      secure_mode ? "on" : "off");
+
+	if (nvram_query_eq("force-secure-mode", "always")) {
+		prlog(PR_NOTICE, "STB: secure mode on (FORCED by nvram)\n");
+		secure_mode = true;
+	} else if (nvram_query_eq("force-secure-mode", "true")) {
+		prlog(PR_NOTICE, "STB: secure mode %s\n",
+		      (secure_mode) ? "on, *not* partial" : "off");
+	} else if (secure_mode) {
+		prlog(PR_NOTICE, "STB: secure mode on (but not enforced, core secure mode only)\n");
+		dt_check_del_prop(ibm_secureboot, "secure-enabled");
+		dt_add_property(ibm_secureboot, "partial-secure-enabled", NULL, 0);
+		secure_mode = false;
+	} else {
+		prlog(PR_NOTICE, "STB: secure mode off\n");
+	}
 #endif
 
 #ifdef STB_FORCE_TRUSTED_MODE
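Review bot: in the `"always"` branch the device tree is left untouched, so when Hostboot did not set 'secure-enabled' the kernel sees neither 'secure-enabled' nor 'partial-secure-enabled' even though skiboot enforces secure mode; consider adding 'secure-enabled' there so what the DT advertises matches what was actually enforced. Two smaller points: `nvram_query_eq("force-secure-mode", ...)` is evaluated twice, so read the value once into a local and compare it; and the final `else if (secure_mode)` branch is the fail-open default, i.e. an absent or unreadable NVRAM setting downgrades a secure-enabled DT to partial mode, which is worth logging at a more prominent level than PR_NOTICE given that it is the development-time behaviour the commit message describes. The prlog line in that branch also exceeds 80 columns and could be wrapped.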
@@ -127,6 +141,10 @@ void stb_init(void)
 #else
 	trusted_mode = dt_has_node_property(ibm_secureboot, "trusted-enabled",
 					    NULL);
+	if (nvram_query_eq("force-trusted-mode", "true")) {
+		prlog(PR_NOTICE, "STB: trusted mode ON (from NVRAM)\n");
+		trusted_mode = true;
+	}
 	prlog(PR_NOTICE, "STB: trusted mode %s\n",
 	      trusted_mode ? "on" : "off");
 #endif
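Review bot: when `force-trusted-mode` is `"true"` this hunk logs "trusted mode ON (from NVRAM)" and then the unchanged prlog immediately below logs "trusted mode on" again; fold the two into a single message as the secure-mode hunk does, e.g. `prlog(PR_NOTICE, "STB: trusted mode %s\n", trusted_mode ? (forced ? "on (FORCED by nvram)" : "on") : "off");`. Also, unlike the secure-mode path, forcing trusted mode from NVRAM does not update the device tree with 'trusted-enabled', so the kernel will not learn that trusted mode was in effect; the v2 note "add property for trusted boot" suggests that was intended, but this hunk only sets `trusted_mode = true`.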
-- 
2.1.4