[Skiboot] [PATCH v3 0/5] Add Secure Variable Support

Eric Richter erichte at linux.ibm.com
Wed Sep 4 07:34:11 AEST 2019

This version of the patch set contains numerous changes to the API and
core secure variable functionality. However, the implementations for the
backend and storage drivers have not changed significantly since last
posting. In the interest of getting feedback on the changes in core
implementation, they have been temporarily removed from this set.

The full context of this code (including test patches) can be found at
this git repo:


and an op-build tree with a custom config to utilize these patches and
the requisite kernel patches can be found here:
(use witherspoon_sp_defconfig to test)


Changes in V3:
 - Removed metadata field in secure variable struct, APIs, etc
 - Removed opal_secvar_get_size
 - Add probe_secvar() call to bump ibm,secureboot/compatible before
   secureboot/trustedboot initialization
 - Removed fixed-size data allocation in secvar struct to conserve space
 - Expanded documentation updates
 - Included initial implementation of secvar API unit testing
 - Minor other fixes as mentioned in individual patch descriptions


The previous implementation "Initial Skiboot Secure Variable Support"
tied the OPAL runtime service API too tightly to the variable processing
backend. Therefore, if the variable processing design had to be changed
or updated, so did the API. This patch set redesigns the previous set to
support a generic OPAL API, and pluggable drivers for persistent variable
storage and variable processing.

Platforms may support different storage hardware, therefore a platform
must be able to select the proper storage driver for persisting variables. 

Platforms may also select the backend used to manipulate secure variables.
The backend determines the format in which the variables are stored, and
how the variables are authenticated and updated. 

This patch set includes the base implementation to support secure
variables, and the updated OPAL runtime service API. This set also
includes draft implementations for a pnor-based storage driver, and an
edk2-derived backend driver. This backend driver depends on mbedtls-based
crypto support, which will be in a separate forthcoming patch set. The
draft implementation of the backend driver has the crypto-dependent code
commented out for the sake of compilation.

Changes in V2:
 - ibm,secureboot compatible is set to -v3
 - added secvar device tree node
 - removed opal_secvar_backend
 - added API and secvar DT node documentation
 - minor fixes/changes (see patch descriptions)

Eric Richter (5):
  libstb/secvar: add secure variable internal abstraction
  libstb: add support for ibm,secureboot-v3 and initialize secure
    variables if supported by the platform
  libstb/secvar: add secvar api implementation
  doc: add opal secure variable documentation
  secvar/test: add rudimentary secvar API unit testing

 ccan/list/list.h                         |  38 +++++
 core/init.c                              |   4 +
 doc/device-tree/ibm,secureboot.rst       |  10 ++
 doc/device-tree/secvar.rst               |  84 ++++++++++
 doc/opal-api/opal-secvar.rst             | 188 +++++++++++++++++++++++
 include/opal-api.h                       |   5 +-
 include/platform.h                       |   2 +
 include/secvar.h                         |  46 ++++++
 libstb/Makefile.inc                      |   3 +-
 libstb/cvc.c                             |   2 +-
 libstb/secureboot.c                      |   7 +-
 libstb/secureboot.h                      |   1 +
 libstb/secvar/Makefile.inc               |  14 ++
 libstb/secvar/backend/Makefile.inc       |  11 ++
 libstb/secvar/secvar.h                   |  61 ++++++++
 libstb/secvar/secvar_api.c               | 158 +++++++++++++++++++
 libstb/secvar/secvar_main.c              | 160 +++++++++++++++++++
 libstb/secvar/secvar_util.c              |  70 +++++++++
 libstb/secvar/storage/Makefile.inc       |  11 ++
 libstb/secvar/test/Makefile.check        |  46 ++++++
 libstb/secvar/test/secvar-test-enqueue.c | 158 +++++++++++++++++++
 libstb/secvar/test/secvar-test-getvar.c  | 110 +++++++++++++
 libstb/secvar/test/secvar-test-nextvar.c | 132 ++++++++++++++++
 libstb/secvar/test/secvar-test-void.c    |  24 +++
 libstb/secvar/test/secvar_api_test.c     |  92 +++++++++++
 libstb/secvar/test/secvar_common_test.c  |  63 ++++++++
 26 files changed, 1496 insertions(+), 4 deletions(-)
 create mode 100644 doc/device-tree/secvar.rst
 create mode 100644 doc/opal-api/opal-secvar.rst
 create mode 100644 include/secvar.h
 create mode 100644 libstb/secvar/Makefile.inc
 create mode 100644 libstb/secvar/backend/Makefile.inc
 create mode 100644 libstb/secvar/secvar.h
 create mode 100644 libstb/secvar/secvar_api.c
 create mode 100644 libstb/secvar/secvar_main.c
 create mode 100644 libstb/secvar/secvar_util.c
 create mode 100644 libstb/secvar/storage/Makefile.inc
 create mode 100644 libstb/secvar/test/Makefile.check
 create mode 100644 libstb/secvar/test/secvar-test-enqueue.c
 create mode 100644 libstb/secvar/test/secvar-test-getvar.c
 create mode 100644 libstb/secvar/test/secvar-test-nextvar.c
 create mode 100644 libstb/secvar/test/secvar-test-void.c
 create mode 100644 libstb/secvar/test/secvar_api_test.c
 create mode 100644 libstb/secvar/test/secvar_common_test.c
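
The separation this cover letter describes (a generic API, a platform-selected storage driver, and a backend that decides how updates are authenticated), as an added sketch that is not code from the patch set. All type and function names, the RAM storage stand-in and the "AUTH:" prefix policy are assumptions made for illustration.

```c
#include <string.h>

/* All names here are hypothetical, not skiboot's actual definitions. */
struct var { char key[16]; char data[32]; size_t len; };
struct storage_driver { int (*write_bank)(const struct var *bank, size_t n); };
struct backend_driver { int (*accept)(const struct var *cur, const struct var *upd); };

static struct var bank[4];
static size_t nvars, npersisted;
static const struct storage_driver *storage;  /* chosen per platform */
static const struct backend_driver *backend;  /* owns format and authentication */

/* Constructed storage driver: only records how many variables were written. */
static int ram_write(const struct var *b, size_t n) { (void)b; npersisted = n; return 0; }
const struct storage_driver ram_storage = { ram_write };

/* Constructed toy policy ("AUTH:" prefix); a real backend verifies a signature. */
static int prefix_accept(const struct var *cur, const struct var *upd)
{
    (void)cur;
    return upd->len >= 5 && memcmp(upd->data, "AUTH:", 5) == 0;
}
const struct backend_driver prefix_backend = { prefix_accept };

void platform_select(const struct storage_driver *s, const struct backend_driver *b)
{
    storage = s; backend = b;
}

/* Generic API: never parses the payload, only routes it to the drivers. */
int api_update(const char *key, const void *data, size_t len)
{
    struct var upd = { 0 }, *cur = NULL;
    if (!storage || !backend || strlen(key) >= sizeof(upd.key) || len > sizeof(upd.data))
        return -1;                    /* no drivers selected, or does not fit */
    for (size_t i = 0; i < nvars; i++)
        if (strcmp(bank[i].key, key) == 0)
            cur = &bank[i];
    strcpy(upd.key, key);
    memcpy(upd.data, data, len);
    upd.len = len;
    if (!backend->accept(cur, &upd))
        return -2;                    /* backend rejected the update */
    if (!cur && nvars == 4)
        return -3;                    /* bank full */
    cur = cur ? cur : &bank[nvars++];
    *cur = upd;
    return storage->write_bank(bank, nvars);
}
```

Swapping `prefix_backend` for a different policy, or `ram_storage` for a different medium, requires no change to `api_update`, which is the decoupling the redesign is after.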

