[Skiboot] [RFC PATCH v5 15/16] ultravisor: Pickup wraping key data from mambo

Ryan Grimm grimm at linux.ibm.com
Fri Feb 28 07:40:22 AEDT 2020


From: Michael Anderson <andmike at linux.ibm.com>

Signed-off-by: Michael Anderson <andmike at linux.ibm.com>
---
 external/mambo/skiboot.tcl | 77 ++++++++++++++++++++++++++++++++++++++
 include/ultravisor.h       |  2 +
 platforms/mambo/uv.c       | 39 +++++++++++++++++++
 3 files changed, 118 insertions(+)
 create mode 100644 platforms/mambo/uv.c

diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl
index 39504140..877a9385 100644
--- a/external/mambo/skiboot.tcl
+++ b/external/mambo/skiboot.tcl
@@ -95,6 +95,9 @@ mconfig net_mac MAMBO_NET_MAC 00:11:22:33:44:55
 # Net: What is the name of the tap device
 mconfig net_tapdev MAMBO_NET_TAPDEV "tap0"
 
+# TPM Wrapping Directory for key files
+mconfig wrapkey_dir WRAPKEY_DIR none
+
 # Enable (default) or disable the "speculation-policy-favor-security" setting,
 # set to 0 to disable. When enabled it causes Linux's RFI flush to be enabled.
 mconfig speculation_policy_favor_security MAMBO_SPECULATION_POLICY_FAVOR_SECURITY 1
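Review bot: The new environment variable is named `WRAPKEY_DIR`, while every neighbouring mconfig entry in this hunk (`MAMBO_NET_MAC`, `MAMBO_NET_TAPDEV`, `MAMBO_SPECULATION_POLICY_FAVOR_SECURITY`) carries the `MAMBO_` prefix; `mconfig wrapkey_dir MAMBO_WRAPKEY_DIR none` keeps the convention and avoids clashing with an unrelated variable of the same name in the user's shell. The comment above it could also say what the directory must contain, e.g. `# Directory holding the simulated TPM wrapping-key files (policy-a.txt, policy-b.txt, wrapping-key-*.txt); "none" disables the tpm_sim node`.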
@@ -333,6 +336,80 @@ foreach pmem_size $pmem_sizes { # PMEM_VOLATILE
     set pmem_start [pmem_node_add $pmem_root $pmem_start $pmem_size]
 }
 
+#
+# Add files to simulate TPM wrapping keys.
+# wrapping-key-policy-a
+# wrapping-key-policy-b
+# wrapping-key-passwd
+# wrapping-key-publicname
+#
+
+proc add_key_prop { k_file node p_name } {
+    set key_list [list]
+    set f [open $k_file r]
+
+    while {1} {
+        set key_byte [read $f 2]
+        if {[eof $f]} {
+            close $f
+            break
+        }
+        lappend key_list $key_byte
+    }
+
+    mysim of addprop $node byte_array $p_name $key_list
+}
+
+if { $mconf(wrapkey_dir) != "none" } {
+  set tpm_node [ mysim of addchild $root_node "tpm_sim" "" ]
+  mysim of addprop $tpm_node string "compatible" "uv,tpm_sim"
+
+  # policy-a.txt
+  if {[file exists $mconf(wrapkey_dir)/policy-a.txt]} {
+    puts "Using policy-a.txt"
+    add_key_prop $mconf(wrapkey_dir)/policy-a.txt $tpm_node "wrapping-key-policy-a"
+  } else {
+    puts "ERROR: Could not find policy-a.txt in : $mconf(wrapkey_dir)"
+    exit
+  }
+
+  # policy-b.txt
+  if {[file exists $mconf(wrapkey_dir)/policy-b.txt]} {
+    puts "Using policy-b.txt"
+    add_key_prop $mconf(wrapkey_dir)/policy-b.txt $tpm_node "wrapping-key-policy-b"
+  } else {
+    puts "ERROR: Could not find policy-b.txt in : $mconf(wrapkey_dir)"
+    exit
+  }
+
+  # wrapping-key-passwd
+  if {[file exists $mconf(wrapkey_dir)/wrapping-key-passwd.txt]} {
+    puts "Using wrapping-key-passwd.txt"
+    add_key_prop $mconf(wrapkey_dir)/wrapping-key-passwd.txt $tpm_node "wrapping-key-passwd"
+  } else {
+    puts "ERROR: Could not find wrapping-key-passwd.txt in : $mconf(wrapkey_dir)"
+    exit
+  }
+
+  # wrapping-key-publicname
+  if {[file exists $mconf(wrapkey_dir)/wrapping-key-publicname.txt]} {
+    puts "Using wrapping-key-publicname.txt"
+    add_key_prop $mconf(wrapkey_dir)/wrapping-key-publicname.txt $tpm_node "wrapping-key-publicname"
+  } else {
+    puts "ERROR: Could not find wrapping-key-publicname.txt in : $mconf(wrapkey_dir)"
+    exit
+  }
+
+  # wrapping-key-handle
+  if {[file exists $mconf(wrapkey_dir)/wrapping-key-handle.txt]} {
+    puts "Using wrapping-key-handle.txt"
+    add_key_prop $mconf(wrapkey_dir)/wrapping-key-handle.txt $tpm_node "wrapping-key-handle"
+  } else {
+    puts "ERROR: Could not find wrapping-key-handle.txt in : $mconf(wrapkey_dir)"
+    exit
+  }
+
+}
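Review bot: Each of the five missing-file branches ends with a bare `exit`, which in Tcl exits with status 0, so a simulator run that could not load a wrapping-key file still looks successful to a wrapper script or CI job; use `exit 1` in those branches. In add_key_prop, `read $f 2` followed by the `eof` test silently discards a final chunk when the file length is not a multiple of two, and nothing states that the file is expected to hold two characters per byte; a header comment such as `# Reads the key file in 2-character chunks, one list element per byte, and attaches the list as a byte_array property of $node` would fix the documentation gap, and a check that a non-empty chunk is exactly 2 characters long before the eof test would catch truncated input instead of dropping it. The five near-identical file/property blocks could also be a `foreach {file prop} {...}` loop, which would make it harder for the property list here to drift from the one in platforms/mambo/uv.c.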
 
 # Default NVRAM is blank and will be formatted by Skiboot if no file is provided
 set fake_nvram_start $cpio_end
diff --git a/include/ultravisor.h b/include/ultravisor.h
index 347b085d..faa1d16b 100644
--- a/include/ultravisor.h
+++ b/include/ultravisor.h
@@ -24,6 +24,8 @@ int start_ultravisor(void *fdt);
 void uv_preload_image(void);
 void init_uv(void);
 
+int add_wrapping_key_mambo(void *fdt);
+
 static inline int uv_xscom_read(u64 partid, u64 pcb_addr, u64 *val)
 {
 	unsigned long retbuf[UCALL_BUFSIZE];
diff --git a/platforms/mambo/uv.c b/platforms/mambo/uv.c
new file mode 100644
index 00000000..2519d240
--- /dev/null
+++ b/platforms/mambo/uv.c
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: Apache-2.0
+/* Copyright 2016-2017 IBM Corp. */
+
+const char *wrap_key_prop_str[] = {
+	"wrapping-key-passwd",
+	"wrapping-key-publicname",
+	"wrapping-key-policy-a",
+	"wrapping-key-policy-b",
+	NULL
+};
+
+int add_wrapping_key_mambo(void *fdt)
+{
+	struct dt_node *tpm_sim_node;
+	const struct dt_property *property = NULL;
+	int i;
+
+	tpm_sim_node = dt_find_compatible_node(dt_root, NULL, "uv,tpm_sim");
+	if (!tpm_sim_node) {
+		prlog(PR_INFO, "uv,tpm_sim compatible node not found\n");
+		return OPAL_HARDWARE;
+	}
+
+	fdt_begin_node(fdt, "ibm,uv-tpm");
+	fdt_property_string(fdt, "compatible", "ibm,uv-tpm");
+
+	for (i = 0; wrap_key_prop_str[i] != NULL; i++) {
+		property = dt_find_property(tpm_sim_node, wrap_key_prop_str[i]);
+		if (property) {
+			fdt_property(fdt, wrap_key_prop_str[i],
+				property->prop,
+				property->len);
+		}
+	}
+
+	fdt_end_node(fdt);
+
+	return OPAL_SUCCESS;
+}
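Review bot: wrap_key_prop_str lists four properties, but the skiboot.tcl hunk in this same patch also attaches `wrapping-key-handle` to the tpm_sim node, so that property is never copied into the ibm,uv-tpm node; either add it to the table or drop it from the Tcl side. The table is also a writable global with external linkage; `static const char *const wrap_key_prop_str[]` is what a read-only file-scope table should be. The return values of fdt_begin_node, fdt_property and fdt_end_node are ignored, so a blob that runs out of space leaves a partial node behind while the function still returns OPAL_SUCCESS; since the Tcl side treats every file as mandatory, a property missing from tpm_sim_node should at least be logged rather than skipped silently. The hunk shows no #include lines at all while using dt_find_compatible_node, prlog, OPAL_* and libfdt, so unless a prefix header supplies them the file will not build on its own. Sketch of the error handling:
```c
static const char *const wrap_key_prop_str[] = {
	"wrapping-key-passwd",
	"wrapping-key-publicname",
	"wrapping-key-policy-a",
	"wrapping-key-policy-b",
	"wrapping-key-handle",
	NULL
};
/* … unchanged: tpm_sim_node lookup … */
	if (fdt_begin_node(fdt, "ibm,uv-tpm") < 0 ||
	    fdt_property_string(fdt, "compatible", "ibm,uv-tpm") < 0)
		return OPAL_INTERNAL_ERROR;

	for (i = 0; wrap_key_prop_str[i] != NULL; i++) {
		property = dt_find_property(tpm_sim_node, wrap_key_prop_str[i]);
		if (!property) {
			prlog(PR_WARNING, "uv,tpm_sim: missing property %s\n",
			      wrap_key_prop_str[i]);
			continue;
		}
		if (fdt_property(fdt, wrap_key_prop_str[i],
				 property->prop, property->len) < 0)
			return OPAL_INTERNAL_ERROR;
	}

	if (fdt_end_node(fdt) < 0)
		return OPAL_INTERNAL_ERROR;
```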
-- 
2.21.0


