[Skiboot] [PATCH v3 00/15] Add initial secure variable storage and backend drivers
Eric Richter
erichte at linux.ibm.com
Wed Apr 1 11:34:11 AEDT 2020
This is the "completed" version of the secvar drivers needed to support
secure variables (and thus, OS secure boot).

Major changes since v2 include:
- feature-completing each of the drivers
- internal reviews of the code flow (to ensure proper errors, etc)
- internal code quality reviews
- addressing feedback from the previous set
- removal of previous TPMNV abstraction

NOTE: This set depends on TSS changes implemented in Mauro's forthcoming set.

Patches 1 through 7 address changes in base secureboot/secvar behavior
that came up during reviews. In particular, secvar_main has seen changes
to its flow, to accommodate better error handling. These are not reliant
on the TSS changes or secvar drivers, and can be considered an
independent set if necessary.

Patches 9 and 13 implement the initial pair of drivers for secure
variable support.

Patch 10 implements a TPM NV simulation, which is NOT enabled by
default. This is intended for testing purposes on unsupported (no-TPM)
hardware, or tests in userspace.

Patch 15 enables the secvar drivers for witherspoon platforms; other
platforms should implement a similar change.

Aside from code reviews, we'd appreciate any feedback on what could be
commented or documented better. Now that the code effort has been
completed and is (relatively) stable, documentation is our next focus.

Claudio Carvalho (1):
  core/flash.c: add SECBOOT read and write support

Eric Richter (9):
  secvar_devtree: add physical presence mode helper
  secvar_main: increase error verbosity, restyle all comments
  secvar_main: rework secvar_main error flow, make storage locking
    explicit
  secvar_util: add new helper functions
  secvar/storage: add secvar storage driver for pnor-based p9
  secvar/storage/fakenv: add fake tpm operations for testing
  secvar/test: add secboot_tpm storage driver test cases
  secvar/test: add edk2-compat driver test and test data
  witherspoon: enable secvar for witherspoon platform

Nayna Jain (5):
  secureboot.c: OS Secure Boot is enabled only if FW secureboot is
    enabled
  hdata/spira: add physical presence flags
  secvar: change backend hook interface to take in bank references
  crypto: add out-of-tree mbedtls pkcs7 parser
  secvar/backend: add edk2 derived key updates processing

core/flash.c | 130 ++++
core/init.c | 2 +-
doc/secvar/edk2.rst | 49 ++
hdata/spira.c | 11 +
hdata/spira.h | 7 +-
include/platform.h | 4 +
include/secvar.h | 22 +-
libstb/crypto/Makefile.inc | 4 +-
libstb/crypto/mbedtls-config.h | 1 +
libstb/crypto/pkcs7/Makefile.inc | 12 +
libstb/crypto/pkcs7/pkcs7.c | 508 ++++++++++++
libstb/crypto/pkcs7/pkcs7.h | 151 ++++
libstb/secureboot.c | 5 +
libstb/secureboot.h | 1 +
libstb/secvar/backend/Makefile.inc | 4 +-
libstb/secvar/backend/edk2-compat-process.c | 703 +++++++++++++++++
libstb/secvar/backend/edk2-compat-process.h | 61 ++
libstb/secvar/backend/edk2-compat-reset.c | 115 +++
libstb/secvar/backend/edk2-compat-reset.h | 24 +
libstb/secvar/backend/edk2-compat.c | 255 +++++++
libstb/secvar/backend/edk2.h | 243 ++++++
libstb/secvar/secvar.h | 6 +
libstb/secvar/secvar_devtree.c | 15 +
libstb/secvar/secvar_devtree.h | 2 +
libstb/secvar/secvar_main.c | 73 +-
libstb/secvar/secvar_util.c | 63 +-
libstb/secvar/storage/Makefile.inc | 8 +-
libstb/secvar/storage/fakenv_ops.c | 175 +++++
libstb/secvar/storage/secboot_tpm.c | 625 +++++++++++++++
libstb/secvar/storage/secboot_tpm.h | 61 ++
libstb/secvar/storage/tpmnv_ops.c | 15 +
libstb/secvar/test/Makefile.check | 10 +-
libstb/secvar/test/data/KEK.h | 170 +++++
libstb/secvar/test/data/PK1.h | 170 +++++
libstb/secvar/test/data/edk2_test_data.h | 764 +++++++++++++++++++
libstb/secvar/test/data/multipleDB.h | 246 ++++++
libstb/secvar/test/data/multipleKEK.h | 236 ++++++
libstb/secvar/test/data/multiplePK.h | 236 ++++++
libstb/secvar/test/data/noPK.h | 102 +++
libstb/secvar/test/secvar-test-edk2-compat.c | 297 +++++++
libstb/secvar/test/secvar-test-secboot-tpm.c | 154 ++++
libstb/secvar/test/secvar_common_test.c | 2 +
platforms/astbmc/witherspoon.c | 8 +
43 files changed, 5713 insertions(+), 37 deletions(-)
create mode 100644 doc/secvar/edk2.rst
create mode 100644 libstb/crypto/pkcs7/Makefile.inc
create mode 100644 libstb/crypto/pkcs7/pkcs7.c
create mode 100644 libstb/crypto/pkcs7/pkcs7.h
create mode 100644 libstb/secvar/backend/edk2-compat-process.c
create mode 100644 libstb/secvar/backend/edk2-compat-process.h
create mode 100644 libstb/secvar/backend/edk2-compat-reset.c
create mode 100644 libstb/secvar/backend/edk2-compat-reset.h
create mode 100644 libstb/secvar/backend/edk2-compat.c
create mode 100644 libstb/secvar/backend/edk2.h
create mode 100644 libstb/secvar/storage/fakenv_ops.c
create mode 100644 libstb/secvar/storage/secboot_tpm.c
create mode 100644 libstb/secvar/storage/secboot_tpm.h
create mode 100644 libstb/secvar/storage/tpmnv_ops.c
create mode 100644 libstb/secvar/test/data/KEK.h
create mode 100644 libstb/secvar/test/data/PK1.h
create mode 100644 libstb/secvar/test/data/edk2_test_data.h
create mode 100644 libstb/secvar/test/data/multipleDB.h
create mode 100644 libstb/secvar/test/data/multipleKEK.h
create mode 100644 libstb/secvar/test/data/multiplePK.h
create mode 100644 libstb/secvar/test/data/noPK.h
create mode 100644 libstb/secvar/test/secvar-test-edk2-compat.c
create mode 100644 libstb/secvar/test/secvar-test-secboot-tpm.c
--
2.21.1