[Skiboot] [PATCH 0/7] Add initial secure variable storage and backend drivers

Eric Richter erichte at linux.ibm.com
Wed Dec 4 11:06:43 AEDT 2019


This patch set adds the first set of storage and backend drivers for the
secure variable implementation. Included also is a patch to add support
for secure variables on witherspoon platforms.

As both drivers may need to utilize the single TPM NV index reserved for
secure boot, patch 1 includes a small abstraction to allow drivers to play
nice and share the space without stepping on each other. Future revisions
of this set will include a TSS implementation to interact with a physical
TPM. For now, it uses PNOR to simulate the TPM NV space.

The secboot_tpm storage driver uses the SECBOOT partition in PNOR to
store the variables, and a TPM NV index to store a hash of the variables
for checking data integrity. As this uses the TPM NV abstraction, it
currently uses PNOR space instead of actual TPM NV, and thus should not
yet be considered actually secure.

The edk2-compat driver processes updates using an edk2-like format
and key hierarchy. As this depends heavily on crypto support (specifically
RSA 2048, x509, sha256, and pkcs7) this set includes mbedtls as a git
submodule, and an mbedtls-styled pkcs7 parser.

Claudio Carvalho (1):
  core/flash.c: add SECBOOT read and write support

Eric Richter (4):
  secvar_tpmnv: add high-level tpm nv index abstraction for secvar
  secvar/storage: add secvar storage driver for pnor-based p9 platforms
  crypto: add mbedtls build integration via git submodule
  witherspoon: enable secvar for witherspoon platform

Nayna Jain (2):
  crypto: add out-of-tree mbedtls pkcs7 parser
  secvar/backend: add edk2 derived key updates processing

 .gitmodules                                  |   4 +
 Makefile.main                                |   1 +
 core/flash.c                                 | 130 ++++
 doc/secvar/edk2.rst                          |  49 ++
 include/platform.h                           |   4 +
 include/secvar.h                             |   2 +
 libstb/Makefile.inc                          |   5 +-
 libstb/crypto/Makefile.inc                   |  22 +
 libstb/crypto/mbedtls                        |   1 +
 libstb/crypto/mbedtls-config.h               |  98 +++
 libstb/crypto/pkcs7/Makefile.inc             |  10 +
 libstb/crypto/pkcs7/pkcs7.c                  | 476 ++++++++++++
 libstb/crypto/pkcs7/pkcs7.h                  | 176 +++++
 libstb/secvar/Makefile.inc                   |   3 +-
 libstb/secvar/backend/Makefile.inc           |   4 +-
 libstb/secvar/backend/edk2-compat.c          | 667 ++++++++++++++++
 libstb/secvar/backend/edk2.h                 | 243 ++++++
 libstb/secvar/secvar_tpmnv.c                 | 204 +++++
 libstb/secvar/secvar_tpmnv.h                 |  13 +
 libstb/secvar/storage/Makefile.inc           |   4 +-
 libstb/secvar/storage/secboot_tpm.c          | 293 +++++++
 libstb/secvar/test/Makefile.check            |   6 +-
 libstb/secvar/test/edk2_test_data.h          | 764 +++++++++++++++++++
 libstb/secvar/test/secvar-test-edk2-compat.c | 260 +++++++
 libstb/secvar/test/secvar-test-secboot-tpm.c | 134 ++++
 libstb/secvar/test/secvar_common_test.c      |   2 +
 platforms/astbmc/witherspoon.c               |   7 +
 27 files changed, 3573 insertions(+), 9 deletions(-)
 create mode 100644 .gitmodules
 create mode 100644 doc/secvar/edk2.rst
 create mode 100644 libstb/crypto/Makefile.inc
 create mode 160000 libstb/crypto/mbedtls
 create mode 100644 libstb/crypto/mbedtls-config.h
 create mode 100644 libstb/crypto/pkcs7/Makefile.inc
 create mode 100644 libstb/crypto/pkcs7/pkcs7.c
 create mode 100644 libstb/crypto/pkcs7/pkcs7.h
 create mode 100644 libstb/secvar/backend/edk2-compat.c
 create mode 100644 libstb/secvar/backend/edk2.h
 create mode 100644 libstb/secvar/secvar_tpmnv.c
 create mode 100644 libstb/secvar/secvar_tpmnv.h
 create mode 100644 libstb/secvar/storage/secboot_tpm.c
 create mode 100644 libstb/secvar/test/edk2_test_data.h
 create mode 100644 libstb/secvar/test/secvar-test-edk2-compat.c
 create mode 100644 libstb/secvar/test/secvar-test-secboot-tpm.c

-- 
2.21.0
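
The secboot_tpm integrity scheme described in the cover letter, modelled as an added example (not code from this patch set): the variable bank is hashed into a separate anchor, and the check only holds while that anchor sits in storage that cannot be rewritten along with the bank. The `Store` class, the record layout, the variable names and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def serialize(variables):
    """Pack {name: bytes} as length-prefixed records, sorted by name."""
    out = bytearray()
    for name in sorted(variables):
        key, data = name.encode(), variables[name]
        out += struct.pack(">HI", len(key), len(data)) + key + data
    return bytes(out)

def deserialize(blob):
    variables, off = {}, 0
    while off < len(blob):
        klen, dlen = struct.unpack_from(">HI", blob, off)
        key = blob[off + 6:off + 6 + klen].decode()
        variables[key] = blob[off + 6 + klen:off + 6 + klen + dlen]
        off += 6 + klen + dlen
    return variables

class Store:
    """bank models the SECBOOT partition, anchor the TPM NV index (assumed layout)."""
    def __init__(self):
        self.write({})

    def write(self, variables):
        self.bank = serialize(variables)
        self.anchor = hashlib.sha256(self.bank).digest()  # SHA-256 is an assumption

    def load(self):
        digest = hashlib.sha256(self.bank).digest()
        if not hmac.compare_digest(digest, self.anchor):
            raise ValueError("variable bank does not match anchored hash")
        return deserialize(self.bank)

def demo():
    store = Store()
    store.write({"var_a": b"constructed-value-1", "var_b": b"constructed-value-2"})
    clean = store.load()
    store.bank = store.bank.replace(b"value-2", b"value-X")  # bank changed outside write()
    try:
        store.load()
        detected = False
    except ValueError:
        detected = True
    # Anchor kept in the same writable flash can be recomputed alongside the bank.
    store.anchor = hashlib.sha256(store.bank).digest()
    return clean, detected, store.load()["var_b"]
```

`demo()` returns the clean variables, whether the bank-only change was detected, and the value that loads once the anchor is rewritten too, which is the case the cover letter flags while the NV space is simulated in PNOR.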


