[Skiboot] [RFC 2/6] doc: add opal secvar documentation
Stewart Smith
stewart at linux.ibm.com
Tue Apr 2 17:28:39 AEDT 2019
Eric Richter <erichte at linux.ibm.com> writes:
> This patch contains all the relevant documentation for the secure variable
> support in OPAL. This may be split and squashed with their relevant
> implementations in the future, but kept separate for now.
>
> Notably missing at the moment is the documentation for the SECBOOT PNOR
> partition usage, which will be included in a future revision.
Several thousand internet points for writing any documentation at all :)
>
> Signed-off-by: Eric Richter <erichte at linux.ibm.com>
> ---
> doc/opal-api/opal-secvar.rst | 199 +++++++++++++++++++++++++++++++++++
> 1 file changed, 199 insertions(+)
> create mode 100644 doc/opal-api/opal-secvar.rst
>
> diff --git a/doc/opal-api/opal-secvar.rst b/doc/opal-api/opal-secvar.rst
> new file mode 100644
> index 00000000..fd66e5e2
> --- /dev/null
> +++ b/doc/opal-api/opal-secvar.rst
An overview of the API would probably fit in well here, I think I am
getting most of the "How does this work" based on our previous
discussions rather than docs.
> @@ -0,0 +1,199 @@
> +OPAL_SECVAR_GET
> +===============
> +::
> +
> + #define OPAL_SECVAR_GET 170
> +
> +``OPAL_SECVAR_GET`` call retrieves a data blob associated with the supplied
> +name and vendor guid.
> +
> +Parameters
> +----------
> +::
> +
> + uint64_t k_name
> + uint64_t k_vendor
> + uint64_t k_attributes
> + uint64_t k_data_size
> + uint64_t k_data
These should have types and not just uint64_t
> +
> +``k_name``
> + the name of the requested variable as a 16-bit char
UCS-2 or UTF-16?
> +
> +``k_vendor``
> + the vendor guid of the requested variable
GUID should probably be defined somewhere.
> +
> +``k_attributes``
> + optional bitfield reference to be set by OPAL for attributes
> +related to the variable data
> +
> +``k_data_size``
> + reference to the size of the ``k_data`` buffer. OPAL sets this if
> +the buffer size is insufficient for the requested variable
> +
> +``k_data``
> + return buffer to store the data blob of the requested variable if
> +a match was found
is a NULL permitted? as in, finding out how big the variable is by
passing NULL for addr and getting the data size back?
> +
> +Return Values
> +-------------
> +
> +``OPAL_SUCCESS``
> + data from the requested variable was copied successfully, or
> +``k_data`` was set to NULL and the ``k_data_size`` was set to the
> +requested variable's size
> +
> +``OPAL_PARAMETER``
> + ``k_name``, ``k_vendor`` or ``k_data_size`` are invalid buffers,
> +contain invalid values
> +
> +``OPAL_EMPTY``
> + no variable with the supplied ``k_name`` and ``k_vendor`` was found
> +
> +``OPAL_PARTIAL``
> + the buffer size provided in ``k_data_size`` is too small for the
> +requested variable
> +
> +``OPAL_HARDWARE``
> + secure variable support is disabled
What about
#define OPAL_UNSUPPORTED -7
instead?
> +
> +OPAL_SECVAR_GET_NEXT
> +====================
> +::
> +
> + #define OPAL_SECVAR_GET_NEXT 171
> +
> +``OPAL_SECVAR_GET_NEXT`` returns the name and vendor guid of the next
> +variable in the secure variable bank in sequence.
> +
> +Parameters
> +----------
> +::
> +
> + uint64_t k_name_size
> + uint64_t k_name
> + uint64_t k_vendor
> +
> +``k_name_size``
> + size of the ``k_name`` buffer. OPAL sets this to the size of the
> +next variable in sequence
> +
> +``k_name``
> + name of the previous variable or empty. The name of the next
> +variable in sequence will be copied to ``k_name``
> +
> +``k_vendor``
> + vendor guid of the previous variable or empty. The vendor of the
> +next vendor in sequence will be copied to ``k_vendor``
> +
> +Return Values
> +-------------
> +
> +``OPAL_SUCCESS``
> + the name and vendor of the next variable in sequence was copied
> +successfully
> +
> +``OPAL_PARAMETER``
> + ``k_name`` or ``k_vendor`` are invalid buffers, or were not found.
> +``k_name_size`` is an invalid value. A variable matching
> +the supplied non-empty ``k_name`` and ``k_vendor`` was not found
> +
> +``OPAL_EMPTY``
> + end of list reached
> +
> +``OPAL_PARTIAL``
> + the size specified in ``k_name_size`` is insufficient for the next
> +variable's name size
> +
> +``OPAL_HARDWARE``
> + secure variable support is disabled
> +
> +OPAL_SECVAR_ENQUEUE
> +===================
> +::
> +
> + #define OPAL_SECVAR_ENQUEUE 172
> +
> +``OPAL_SECVAR_ENQUEUE`` call appends the supplied variable data to the
> +queue for processing on next boot.
> +
> +Parameters
> +----------
> +::
> +
> + uint64_t k_name
> + uint64_t k_vendor
> + uint64_t k_attributes
> + uint64_t k_data_size
> + uint64_t k_data
> +
> +``k_name``
> + the name of the submitted variable as a 16-bit char
> +
> +``k_vendor``
> + the vendor guid of the submitted variable
> +
> +``k_attributes``
> + bitfield of attributes
> +
> +``k_data_size``
> + size of the buffer to copy from ``k_data``
> +
> +``k_data``
> + blob of data to be stored
> +
> +Return Values
> +-------------
> +
> +``OPAL_SUCCESS``
> + the variable was appended to the update queue bank successfully
> +
> +``OPAL_PARAMETER``
> + ``k_name``, ``k_vendor`` or ``k_data`` are invalid buffers.
> +``k_name`` is empty. ``k_data_size`` is an invalid value.
> +
> +``OPAL_NO_MEM``
> + OPAL was unable to allocate memory for the variable
> +
> +``OPAL_UNSUPPORTED``
> + ``k_data_size`` was set to zero, implying an empty ``k_data`` buffer
> +(may be used for variable deletion in the future)
> +
> +``OPAL_HARDWARE``
> + secure variable support is disabled
> +
> +OPAL_SECVAR_INFO
> +================
> +::
> +
> + #define OPAL_SECVAR_INFO 173
> +
> +``OPAL_SECVAR_INFO`` returns size information about the variable
> +storage. Not currently implemented.
> +
> +Parameters
> +----------
> +::
> +
> + uint64_t k_attributes
> + uint64_t k_storage_space
> + uint64_t k_remaining_space
> + uint64_t k_max_variable_size
> +
> +``k_attributes``
> + TODO
> +
> +``k_storage_space``
> + maximum storage space in bytes
> +
> +``k_remaining_space``
> + remaining storage space in bytes
> +
> +``k_max_variable_size``
> + maximum acceptable size for a data blob
> +
> +Return Values
> +-------------
> +
> +``OPAL_UNSUPPORTED``
> + Runtime service is currently a stub, not currently implemented.
> --
> 2.17.2
>
> _______________________________________________
> Skiboot mailing list
> Skiboot at lists.ozlabs.org
> https://lists.ozlabs.org/listinfo/skiboot
>
--
Stewart Smith
OPAL Architect, IBM.
More information about the Skiboot
mailing list