[Skiboot] [RFC PATCH v5 15/16] ultravisor: Pickup wraping key data from mambo
Ryan Grimm
grimm at linux.ibm.com
Fri Feb 28 07:40:22 AEDT 2020
From: Michael Anderson <andmike at linux.ibm.com>
Signed-off-by: Michael Anderson <andmike at linux.ibm.com>
---
external/mambo/skiboot.tcl | 77 ++++++++++++++++++++++++++++++++++++++
include/ultravisor.h | 2 +
platforms/mambo/uv.c | 39 +++++++++++++++++++
3 files changed, 118 insertions(+)
create mode 100644 platforms/mambo/uv.c
diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl
index 39504140..877a9385 100644
--- a/external/mambo/skiboot.tcl
+++ b/external/mambo/skiboot.tcl
@@ -95,6 +95,9 @@ mconfig net_mac MAMBO_NET_MAC 00:11:22:33:44:55
# Net: What is the name of the tap device
mconfig net_tapdev MAMBO_NET_TAPDEV "tap0"
+# TPM Wrapping Directory for key files
+mconfig wrapkey_dir WRAPKEY_DIR none
+
# Enable (default) or disable the "speculation-policy-favor-security" setting,
# set to 0 to disable. When enabled it causes Linux's RFI flush to be enabled.
mconfig speculation_policy_favor_security MAMBO_SPECULATION_POLICY_FAVOR_SECURITY 1
@@ -333,6 +336,80 @@ foreach pmem_size $pmem_sizes { # PMEM_VOLATILE
set pmem_start [pmem_node_add $pmem_root $pmem_start $pmem_size]
}
+#
+# Add files to simulate TPM wrapping keys.
+# wrapping-key-policy-a
+# wrapping-key-policy-b
+# wrapping-key-passwd
+# wrapping-key-publicname
+#
+
+proc add_key_prop { k_file node p_name } {
+ set key_list [list]
+ set f [open $k_file r]
+
+ while {1} {
+ set key_byte [read $f 2]
+ if {[eof $f]} {
+ close $f
+ break
+ }
+ lappend key_list $key_byte
+ }
+
+ mysim of addprop $node byte_array $p_name $key_list
+}
+
+if { $mconf(wrapkey_dir) != "none" } {
+ set tpm_node [ mysim of addchild $root_node "tpm_sim" "" ]
+ mysim of addprop $tpm_node string "compatible" "uv,tpm_sim"
+
+ # policy-a.txt
+ if {[file exists $mconf(wrapkey_dir)/policy-a.txt]} {
+ puts "Using policy-a.txt"
+ add_key_prop $mconf(wrapkey_dir)/policy-a.txt $tpm_node "wrapping-key-policy-a"
+ } else {
+ puts "ERROR: Could not find policy-a.txt in : $mconf(wrapkey_dir)"
+ exit
+ }
+
+ # policy-b.txt
+ if {[file exists $mconf(wrapkey_dir)/policy-b.txt]} {
+ puts "Using policy-b.txt"
+ add_key_prop $mconf(wrapkey_dir)/policy-b.txt $tpm_node "wrapping-key-policy-b"
+ } else {
+ puts "ERROR: Could not find policy-b.txt in : $mconf(wrapkey_dir)"
+ exit
+ }
+
+ # wrapping-key-passwd
+ if {[file exists $mconf(wrapkey_dir)/wrapping-key-passwd.txt]} {
+ puts "Using wrapping-key-passwd.txt"
+ add_key_prop $mconf(wrapkey_dir)/wrapping-key-passwd.txt $tpm_node "wrapping-key-passwd"
+ } else {
+ puts "ERROR: Could not find wrapping-key-passwd.txt in : $mconf(wrapkey_dir)"
+ exit
+ }
+
+ # wrapping-key-publicname
+ if {[file exists $mconf(wrapkey_dir)/wrapping-key-publicname.txt]} {
+ puts "Using wrapping-key-publicname.txt"
+ add_key_prop $mconf(wrapkey_dir)/wrapping-key-publicname.txt $tpm_node "wrapping-key-publicname"
+ } else {
+ puts "ERROR: Could not find wrapping-key-publicname.txt in : $mconf(wrapkey_dir)"
+ exit
+ }
+
+ # wrapping-key-handle
+ if {[file exists $mconf(wrapkey_dir)/wrapping-key-handle.txt]} {
+ puts "Using wrapping-key-handle.txt"
+ add_key_prop $mconf(wrapkey_dir)/wrapping-key-handle.txt $tpm_node "wrapping-key-handle"
+ } else {
+ puts "ERROR: Could not find wrapping-key-handle.txt in : $mconf(wrapkey_dir)"
+ exit
+ }
+
+}
# Default NVRAM is blank and will be formatted by Skiboot if no file is provided
set fake_nvram_start $cpio_end
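Review bot: In `add_key_prop` the `eof` test precedes `lappend`, so whenever the `read $f 2` that returns the final chunk also reaches end of file that chunk is discarded — an odd-length file silently loses its last byte — and the file is opened in Tcl's default text mode, which applies newline translation and encoding to whatever these files contain (their format, hex text or raw bytes, is not shown here); `fconfigure $f -translation binary` after the `open`, and moving `lappend key_list $key_byte` ahead of the `eof` check with a guard on an empty read, keep the key material intact. The comment block above the proc lists four properties, but the `if` block also installs `wrapping-key-handle`; add it to the list. Every missing-file branch calls bare `exit`, which stops the simulator with status 0, so a wrapper script cannot tell a failed key setup from a normal run — `exit 1` there. Also note that `puts "Using ..."` reports success only for files that exist; a one-line summary of the directory actually used would help when `WRAPKEY_DIR` is set by an outer environment.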
diff --git a/include/ultravisor.h b/include/ultravisor.h
index 347b085d..faa1d16b 100644
--- a/include/ultravisor.h
+++ b/include/ultravisor.h
@@ -24,6 +24,8 @@ int start_ultravisor(void *fdt);
void uv_preload_image(void);
void init_uv(void);
+int add_wrapping_key_mambo(void *fdt);
+
static inline int uv_xscom_read(u64 partid, u64 pcb_addr, u64 *val)
{
unsigned long retbuf[UCALL_BUFSIZE];
diff --git a/platforms/mambo/uv.c b/platforms/mambo/uv.c
new file mode 100644
index 00000000..2519d240
--- /dev/null
+++ b/platforms/mambo/uv.c
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: Apache-2.0
+/* Copyright 2016-2017 IBM Corp. */
+
+const char *wrap_key_prop_str[] = {
+ "wrapping-key-passwd",
+ "wrapping-key-publicname",
+ "wrapping-key-policy-a",
+ "wrapping-key-policy-b",
+ NULL
+};
+
+int add_wrapping_key_mambo(void *fdt)
+{
+ struct dt_node *tpm_sim_node;
+ const struct dt_property *property = NULL;
+ int i;
+
+ tpm_sim_node = dt_find_compatible_node(dt_root, NULL, "uv,tpm_sim");
+ if (!tpm_sim_node) {
+ prlog(PR_INFO, "uv,tpm_sim compatible node not found\n");
+ return OPAL_HARDWARE;
+ }
+
+ fdt_begin_node(fdt, "ibm,uv-tpm");
+ fdt_property_string(fdt, "compatible", "ibm,uv-tpm");
+
+ for (i = 0; wrap_key_prop_str[i] != NULL; i++) {
+ property = dt_find_property(tpm_sim_node, wrap_key_prop_str[i]);
+ if (property) {
+ fdt_property(fdt, wrap_key_prop_str[i],
+ property->prop,
+ property->len);
+ }
+ }
+
+ fdt_end_node(fdt);
+
+ return OPAL_SUCCESS;
+}
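Review bot: The libfdt builders from `fdt_begin_node` through `fdt_end_node` return negative `FDT_ERR_*` codes on failure (no space, bad state), but every result is discarded and the function reports `OPAL_SUCCESS` regardless, so a truncated `ibm,uv-tpm` node would reach the ultravisor unnoticed; the rewrite below checks each call and also logs a property the `uv,tpm_sim` node lacks instead of skipping it silently, since a key set missing `wrapping-key-passwd` is a misconfiguration worth surfacing. The file has no `#include` lines although it uses `dt_find_compatible_node`, `dt_root`, `prlog`, `OPAL_*` and the `fdt_*` API, so it presumably only builds through headers injected by the Makefile; explicit `#include <skiboot.h>`, `<device.h>`, `<opal-api.h>` and `<libfdt.h>` would make it self-contained. `wrap_key_prop_str` is an exported mutable array; `static const char *const wrap_key_prop_str[]` matches how it is used. That list omits `wrapping-key-handle`, which the `skiboot.tcl` hunk does install — if that is intentional a comment should say so. The copyright line reads 2016-2017 on a file created in this 2020 series.
```c
int add_wrapping_key_mambo(void *fdt)
{
	struct dt_node *tpm_sim_node;
	const struct dt_property *property = NULL;
	int i, rc;

	/* … unchanged: uv,tpm_sim lookup, OPAL_HARDWARE on miss … */

	rc = fdt_begin_node(fdt, "ibm,uv-tpm");
	if (rc)
		goto err;
	rc = fdt_property_string(fdt, "compatible", "ibm,uv-tpm");
	if (rc)
		goto err;

	for (i = 0; wrap_key_prop_str[i] != NULL; i++) {
		property = dt_find_property(tpm_sim_node, wrap_key_prop_str[i]);
		if (!property) {
			/* Missing key material is a simulator setup error; say so. */
			prlog(PR_WARNING, "uv,tpm_sim lacks %s\n", wrap_key_prop_str[i]);
			continue;
		}
		rc = fdt_property(fdt, wrap_key_prop_str[i],
				  property->prop, property->len);
		if (rc)
			goto err;
	}

	rc = fdt_end_node(fdt);
	if (rc)
		goto err;

	return OPAL_SUCCESS;

err:
	/* libfdt reports negative FDT_ERR_* codes; do not hand over a partial node. */
	prlog(PR_ERR, "ibm,uv-tpm: libfdt error %d\n", rc);
	return OPAL_INTERNAL_ERROR;
}
```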
--
2.21.0