[Skiboot] [PATCH v2 00/12] Add initial secure variable storage and backend drivers

Eric Richter erichte at linux.ibm.com
Mon Jan 20 13:36:48 AEDT 2020


This version of the patch set now has a mostly feature complete pair of
drivers to manage secure boot keys, and an enabling patch for
witherspoon platforms.

Most notably, this new set now includes a TSS library, and utilizes
the TPM NV index for storage, as opposed to the previous set's
simulation using PNOR. The PNOR simulation has also been included for
testing and review purposes.

This set can be tested using the following preconfigured op-build tree
containing all the patches and configuration required to enable secure
boot:

https://github.com/naynajain/op-build/tree/op-build-stb-v1

To test without a TPM, see patch 12's description and commented out
code.


PREVIOUS COVER LETTER:

This patch set adds the first set of storage and backend drivers for the
secure variable implementation. Included also is a patch to add support
for secure variables on witherspoon platforms.

As both drivers may need to utilize the single TPM NV index reserved for
secure boot, patch 1 includes a small abstraction to allow drivers to play
nice and share the space without stepping on each other. Future revisions
of this set will include a TSS implementation to interact with a physical
TPM. For now, it uses PNOR to simulate the TPM NV space.

The secboot_tpm storage driver uses the SECBOOT partition in PNOR to
store the variables, and a TPM NV index to store a hash of the variables
for checking data integrity. As this uses the TPM NV abstraction, it
currently uses PNOR space instead of actual TPM NV, and thus should not
yet be considered actually secure.

The edk2-compat driver processes updates using an edk2-like format
and key hierarchy. As this depends heavily on crypto support (specifically
RSA 2048, x509, sha256, and pkcs7) this set includes mbedtls as a git
submodule, and a mbedtls-styled pkcs7 parser.

Claudio Carvalho (1):
  core/flash.c: add SECBOOT read and write support

Eric Richter (8):
  crypto: add mbedtls build integration via git submodule
  libstb: add ibmtpm20tss library via submodule
  libstb/tss2: add skiboot wrappers for TSS commands
  secvar_tpmnv: add high-level tpm nv index abstraction for secvar
  secvar/storage: add secvar storage driver for pnor-based p9 platforms
  secvar/test: add edk2-compat driver test and test data
  secvar_util.c: add dealloc_secvar helper to match alloc_secvar
  witherspoon: enable secvar for witherspoon platform

Mauro S. M. Rodrigues (1):
  libstb: Register TPM chip for further use within TSS

Nayna Jain (2):
  crypto: add out-of-tree mbedtls pkcs7 parser
  secvar/backend: add edk2 derived key updates processing

 .gitmodules                                  |   8 +
 core/flash.c                                 | 130 +++
 doc/secvar/edk2.rst                          |  49 ++
 include/platform.h                           |   4 +
 include/secvar.h                             |   2 +
 libstb/Makefile.inc                          |   9 +-
 libstb/crypto/Makefile.inc                   |  46 +
 libstb/crypto/mbedtls                        |   1 +
 libstb/crypto/mbedtls-config.h               | 100 +++
 libstb/crypto/pkcs7/Makefile.inc             |  12 +
 libstb/crypto/pkcs7/pkcs7.c                  | 505 +++++++++++
 libstb/crypto/pkcs7/pkcs7.h                  | 178 ++++
 libstb/drivers/tpm_i2c_nuvoton.c             |   2 +
 libstb/mbedtls/Makefile.inc                  |  11 -
 libstb/mbedtls/sha512.c                      | 480 ----------
 libstb/mbedtls/sha512.h                      | 141 ---
 libstb/secvar/Makefile.inc                   |   3 +-
 libstb/secvar/backend/Makefile.inc           |   4 +-
 libstb/secvar/backend/edk2-compat.c          | 877 +++++++++++++++++++
 libstb/secvar/backend/edk2.h                 | 243 +++++
 libstb/secvar/secvar.h                       |   1 +
 libstb/secvar/secvar_tpmnv.c                 | 265 ++++++
 libstb/secvar/secvar_tpmnv.h                 |  16 +
 libstb/secvar/secvar_util.c                  |  10 +
 libstb/secvar/storage/Makefile.inc           |   4 +-
 libstb/secvar/storage/secboot_tpm.c          | 267 ++++++
 libstb/secvar/storage/secboot_tpm.h          |  26 +
 libstb/secvar/test/Makefile.check            |   8 +-
 libstb/secvar/test/data/KEK.h                | 170 ++++
 libstb/secvar/test/data/PK1.h                | 170 ++++
 libstb/secvar/test/data/edk2_test_data.h     | 764 ++++++++++++++++
 libstb/secvar/test/data/multipleDB.h         | 246 ++++++
 libstb/secvar/test/data/multipleKEK.h        | 236 +++++
 libstb/secvar/test/data/multiplePK.h         | 236 +++++
 libstb/secvar/test/data/noPK.h               | 102 +++
 libstb/secvar/test/secvar-test-edk2-compat.c | 394 +++++++++
 libstb/secvar/test/secvar-test-secboot-tpm.c | 142 +++
 libstb/secvar/test/secvar_common_test.c      |   2 +
 libstb/tpm_chip.h                            |  19 +-
 libstb/tss2/Makefile.inc                     |  39 +
 libstb/tss2/ibmtpm20tss                      |   1 +
 libstb/tss2/netinet/in.h                     |  13 +
 libstb/tss2/tpm2.c                           |  38 +
 libstb/tss2/tpm2.h                           |  49 ++
 libstb/tss2/tssskiboot.c                     | 527 +++++++++++
 libstb/tss2/tssskiboot.h                     |  62 ++
 platforms/astbmc/witherspoon.c               |  13 +
 47 files changed, 5964 insertions(+), 661 deletions(-)
 create mode 100644 .gitmodules
 create mode 100644 doc/secvar/edk2.rst
 create mode 100644 libstb/crypto/Makefile.inc
 create mode 160000 libstb/crypto/mbedtls
 create mode 100644 libstb/crypto/mbedtls-config.h
 create mode 100644 libstb/crypto/pkcs7/Makefile.inc
 create mode 100644 libstb/crypto/pkcs7/pkcs7.c
 create mode 100644 libstb/crypto/pkcs7/pkcs7.h
 delete mode 100644 libstb/mbedtls/Makefile.inc
 delete mode 100644 libstb/mbedtls/sha512.c
 delete mode 100644 libstb/mbedtls/sha512.h
 create mode 100644 libstb/secvar/backend/edk2-compat.c
 create mode 100644 libstb/secvar/backend/edk2.h
 create mode 100644 libstb/secvar/secvar_tpmnv.c
 create mode 100644 libstb/secvar/secvar_tpmnv.h
 create mode 100644 libstb/secvar/storage/secboot_tpm.c
 create mode 100644 libstb/secvar/storage/secboot_tpm.h
 create mode 100644 libstb/secvar/test/data/KEK.h
 create mode 100644 libstb/secvar/test/data/PK1.h
 create mode 100644 libstb/secvar/test/data/edk2_test_data.h
 create mode 100644 libstb/secvar/test/data/multipleDB.h
 create mode 100644 libstb/secvar/test/data/multipleKEK.h
 create mode 100644 libstb/secvar/test/data/multiplePK.h
 create mode 100644 libstb/secvar/test/data/noPK.h
 create mode 100644 libstb/secvar/test/secvar-test-edk2-compat.c
 create mode 100644 libstb/secvar/test/secvar-test-secboot-tpm.c
 create mode 100644 libstb/tss2/Makefile.inc
 create mode 160000 libstb/tss2/ibmtpm20tss
 create mode 100644 libstb/tss2/netinet/in.h
 create mode 100644 libstb/tss2/tpm2.c
 create mode 100644 libstb/tss2/tpm2.h
 create mode 100644 libstb/tss2/tssskiboot.c
 create mode 100644 libstb/tss2/tssskiboot.h

-- 
2.21.0



More information about the Skiboot mailing list