[Skiboot] [PATCH v4 00/11] Add Secure Variable Support
Eric Richter
erichte at linux.ibm.com
Sat Oct 26 20:45:42 AEDT 2019

This version of the patch set contains a lot of smaller under-the-hood
changes that have been building up over time. Many changes were
centered around reworking the information that needed to be exposed to
the kernel via the device tree. More importantly, the storage driver
now contains all the logic it was intended to have, just without
actually using the TPM.

This set is unfortunately still a bit drafty. The edk2 backend does not
properly validate updates at the moment, but the general idea of the
implementation is there. The documentation is still lacking as well,
and will likely come as a hotpatch.

Changes in V4:
 - removed ibm,secureboot version bump
 - secvar node is now a child of ibm,opal, drivers now maintain their
   own sub-nodes
 - implemented all logic requiring a tpm in the storage driver
   (but it doesn't actually use a tpm)
 - added new TPM NV high-level storage api
 - added mbedtls as a git submodule
 - added draft edk2 backend document

PREVIOUS COVER LETTER:

The previous implementation "Initial Skiboot Secure Variable Support"
tied the OPAL runtime service API too tightly to the variable processing
backend. Therefore, if the variable processing design had to be changed
or updated, so did the API. This patch set redesigns the previous set to
support a generic OPAL API, and pluggable drivers for persistent variable
storage and variable processing.

Platforms may support different storage hardware, therefore a platform
must be able to select the proper storage driver for persisting variables.
Platforms may also select the backend used to manipulate secure variables.
The backend determines the format in which the variables are stored, and
how the variables are authenticated and updated.

This patch set includes the base implementation to support secure
variables, and the updated OPAL runtime service API. This set also
includes draft implementations for a pnor-based storage driver, and an
edk2-derived backend driver. This backend driver depends on mbedtls-based
crypto support, which will be in a separate forthcoming patch set. The
draft implementation of the backend driver has the crypto-dependent code
commented out for the sake of compilation.

Changes in V3:
 - Removed metadata field in secure variable struct, APIs, etc
 - Removed opal_secvar_get_size
 - Add probe_secvar() call to bump ibm,secureboot/compatible before
   secureboot/trustedboot initialization
 - Removed fixed-size data allocation in secvar struct to conserve space
 - Expanded documentation updates
 - Included initial implementation of secvar API unit testing
 - Minor other fixes as mentioned in individual patch descriptions

Changes in V2:
 - ibm,secureboot compatible is set to -v3
 - added secvar device tree node
 - removed opal_secvar_backend
 - added API and secvar DT node documentation
 - minor fixes/changes (see patch descriptions)

Claudio Carvalho (1):
  core/flash.c: add SECBOOT read and write support

Eric Richter (8):
  libstb/secvar: add secure variable internal abstraction
  secvar_tpmnv: add high-level tpm nv index abstraction for secvar
  libstb/secvar: add secvar api implementation
  doc: add opal secure variable documentation
  secvar/test: add rudimentary secvar API unit testing
  secvar/storage: add draft secvar storage driver for pnor-based p9
    platforms
  crypto: add mbedtls build integration via git submodule
  witherspoon: enable secvar for witherspoon platform

Nayna Jain (2):
  crypto: add out-of-tree mbedtls pkcs7 parser
  secvar/backend: add edk2 derived key updates processing

.gitmodules | 4 +
Makefile.main | 1 +
ccan/list/list.h | 38 ++
core/flash.c | 130 ++++
core/init.c | 4 +
doc/device-tree/ibm,secureboot.rst | 10 +
doc/device-tree/secvar.rst | 84 +++
doc/opal-api/opal-secvar.rst | 192 ++++++
doc/secvar/edk2.rst | 49 ++
include/opal-api.h | 5 +-
include/platform.h | 6 +
include/secvar.h | 45 ++
libstb/Makefile.inc | 6 +-
libstb/crypto/Makefile.inc | 22 +
libstb/crypto/mbedtls | 1 +
libstb/crypto/mbedtls-config.h | 98 ++++
libstb/crypto/pkcs7/Makefile.inc | 10 +
libstb/crypto/pkcs7/pkcs7.c | 476 +++++++++++++++
libstb/crypto/pkcs7/pkcs7.h | 176 ++++++
libstb/secvar/Makefile.inc | 14 +
libstb/secvar/backend/Makefile.inc | 13 +
.../secvar/backend/edk2-compat/edk2-compat.c | 555 ++++++++++++++++++
libstb/secvar/backend/edk2-compat/edk2.h | 249 ++++++++
libstb/secvar/secvar.h | 60 ++
libstb/secvar/secvar_api.c | 158 +++++
libstb/secvar/secvar_devtree.c | 136 +++++
libstb/secvar/secvar_devtree.h | 15 +
libstb/secvar/secvar_main.c | 89 +++
libstb/secvar/secvar_tpmnv.c | 167 ++++++
libstb/secvar/secvar_tpmnv.h | 11 +
libstb/secvar/secvar_util.c | 106 ++++
libstb/secvar/storage/Makefile.inc | 11 +
libstb/secvar/storage/secboot_tpm.c | 309 ++++++++++
libstb/secvar/test/Makefile.check | 46 ++
libstb/secvar/test/secvar-test-enqueue.c | 160 +++++
libstb/secvar/test/secvar-test-getvar.c | 112 ++++
libstb/secvar/test/secvar-test-nextvar.c | 132 +++++
libstb/secvar/test/secvar-test-secboot-tpm.c | 134 +++++
libstb/secvar/test/secvar-test-void.c | 24 +
libstb/secvar/test/secvar_api_test.c | 92 +++
libstb/secvar/test/secvar_common_test.c | 64 ++
platforms/astbmc/witherspoon.c | 7 +
42 files changed, 4019 insertions(+), 2 deletions(-)
create mode 100644 .gitmodules
create mode 100644 doc/device-tree/secvar.rst
create mode 100644 doc/opal-api/opal-secvar.rst
create mode 100644 doc/secvar/edk2.rst
create mode 100644 include/secvar.h
create mode 100644 libstb/crypto/Makefile.inc
create mode 160000 libstb/crypto/mbedtls
create mode 100644 libstb/crypto/mbedtls-config.h
create mode 100644 libstb/crypto/pkcs7/Makefile.inc
create mode 100644 libstb/crypto/pkcs7/pkcs7.c
create mode 100644 libstb/crypto/pkcs7/pkcs7.h
create mode 100644 libstb/secvar/Makefile.inc
create mode 100644 libstb/secvar/backend/Makefile.inc
create mode 100644 libstb/secvar/backend/edk2-compat/edk2-compat.c
create mode 100644 libstb/secvar/backend/edk2-compat/edk2.h
create mode 100644 libstb/secvar/secvar.h
create mode 100644 libstb/secvar/secvar_api.c
create mode 100644 libstb/secvar/secvar_devtree.c
create mode 100644 libstb/secvar/secvar_devtree.h
create mode 100644 libstb/secvar/secvar_main.c
create mode 100644 libstb/secvar/secvar_tpmnv.c
create mode 100644 libstb/secvar/secvar_tpmnv.h
create mode 100644 libstb/secvar/secvar_util.c
create mode 100644 libstb/secvar/storage/Makefile.inc
create mode 100644 libstb/secvar/storage/secboot_tpm.c
create mode 100644 libstb/secvar/test/Makefile.check
create mode 100644 libstb/secvar/test/secvar-test-enqueue.c
create mode 100644 libstb/secvar/test/secvar-test-getvar.c
create mode 100644 libstb/secvar/test/secvar-test-nextvar.c
create mode 100644 libstb/secvar/test/secvar-test-secboot-tpm.c
create mode 100644 libstb/secvar/test/secvar-test-void.c
create mode 100644 libstb/secvar/test/secvar_api_test.c
create mode 100644 libstb/secvar/test/secvar_common_test.c
--
2.21.0
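
Added example, not part of the original message and not code from the skiboot patches: a minimal C model of the split the cover letter describes, with a generic update entry point, a platform-selected storage driver and a pluggable backend that decides whether an update is authentic. All names (demo_apply_update, the driver structs, the "authenticated" flag standing in for a signature check) are hypothetical. It shows why a backend that does not yet validate updates matters: the generic path persists whatever the selected backend accepts.

```c
/* Added illustration; every name is hypothetical, none is skiboot's API. */
#include <stdio.h>
#include <string.h>

struct var { char key[16]; char data[32]; int authenticated; };

/* Storage driver: how a variable is persisted on this platform's hardware. */
struct storage_driver { int (*write)(const struct var *v); };
/* Backend driver: variable format and how an update is authenticated. */
struct backend_driver { int (*validate)(const struct var *cur, const struct var *upd); };
/* The platform selects one of each; the generic API names neither. */
struct platform { const struct storage_driver *storage; const struct backend_driver *backend; };

static struct var persisted; /* stands in for the persistent store */
static int writes;           /* count of storage writes performed */

static int mem_write(const struct var *v) { persisted = *v; writes++; return 0; }

/* Constructed stand-in for a real signature check on the update. */
static int strict_validate(const struct var *cur, const struct var *upd)
{ (void)cur; return upd->authenticated ? 0 : -1; }

/* Models a backend whose validation is not implemented: accepts anything. */
static int draft_validate(const struct var *cur, const struct var *upd)
{ (void)cur; (void)upd; return 0; }

static const struct storage_driver mem_storage = { mem_write };
static const struct backend_driver strict_backend = { strict_validate };
static const struct backend_driver draft_backend = { draft_validate };

/* Generic entry point, identical for every driver pair. Fails closed:
 * storage is written only after the selected backend accepts the update. */
static int demo_apply_update(const struct platform *p, const struct var *upd)
{
	if (!p || !p->storage || !p->backend)
		return -2; /* no driver selected: refuse */
	if (p->backend->validate(&persisted, upd) != 0)
		return -1; /* rejected: storage untouched */
	return p->storage->write(upd);
}

int main(void)
{
	struct platform strict = { &mem_storage, &strict_backend };
	struct platform draft = { &mem_storage, &draft_backend };
	struct var unsigned_upd = { "db", "unsigned", 0 };

	printf("strict: %d\n", demo_apply_update(&strict, &unsigned_upd));
	printf("draft:  %d\n", demo_apply_update(&draft, &unsigned_upd));
	return 0;
}
```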