[Skiboot] [PATCH v5 00/20] Add initial secure variable storage and backend drivers
Eric Richter
erichte at linux.ibm.com
Sat Jun 13 06:24:54 AEST 2020
This is a larger update to the secvar driver set that includes more core secvar
changes.
Changes include:
- removal of struct secvar_node, and...
- removal of static sized data fields in struct secvar.
- rename of .lock() hook to .lockdown()
- storage driver serialization has been overhauled:
- no longer relies on a bulk memcpy() of a struct
- handles endianness
- unified writing logic between TPM/PNOR
- edk2 driver improvements:
- reduces redundant calls/allocations
- cleanup/simplification of helper functions
- incremental signature hash calculation
- better handling of timestamp
- even more comment style fixes
NOTE: This set depends on the "Improve mbedtls infrastructure" and
"Advance TSS infrastructure" patch sets.
Claudio Carvalho (1):
core/flash.c: add SECBOOT read and write support
Eric Richter (14):
libstb/secureboot: expose secureboot_enforce for later use in secvar
include/secvar.h: add .lockdown() hook to secvar storage driver
secvar_main: rework secvar_main error flow, make storage locking
explicit
secvar_util: add new helper functions
secvar: overhaul secvar struct by removing static sized fields
secvar/test: update API tests for new secvar struct
secvar_devtree: add physical presence mode helper
doc/secvar: add document detailing secvar driver API
secvar/storage: add secvar storage driver for pnor-based p9
secvar/storage/fakenv: add fake tpm operations for testing
secvar/test: add secboot_tpm storage driver test cases
secvar/storage: add utility tool to generate NV public name hashes
secvar/test: add edk2-compat driver test and test data
witherspoon: enable secvar for witherspoon platform
Nayna Jain (5):
libstb/secureboot: OS Secure Boot is enabled only if FW secureboot is
enabled
secvar: change backend hook interface to take in bank references
hdata/spira: add physical presence flags
crypto: add out-of-tree mbedtls pkcs7 parser
secvar/backend: add edk2 derived key updates processing
core/flash.c | 126 +++
core/init.c | 2 +-
doc/device-tree/ibm,secureboot.rst | 17 +
doc/secvar/driver-api.rst | 312 +++++++
doc/secvar/edk2.rst | 49 ++
doc/secvar/secboot_tpm.rst | 175 ++++
hdata/spira.c | 11 +
hdata/spira.h | 7 +-
include/secvar.h | 31 +-
include/skiboot.h | 3 +
libstb/crypto/Makefile.inc | 4 +-
libstb/crypto/mbedtls-config.h | 1 +
libstb/crypto/pkcs7/Makefile.inc | 12 +
libstb/crypto/pkcs7/pkcs7.c | 521 ++++++++++++
libstb/crypto/pkcs7/pkcs7.h | 152 ++++
libstb/secureboot.c | 7 +-
libstb/secureboot.h | 2 +
libstb/secvar/backend/Makefile.inc | 4 +-
libstb/secvar/backend/edk2-compat-process.c | 724 +++++++++++++++++
libstb/secvar/backend/edk2-compat-process.h | 62 ++
libstb/secvar/backend/edk2-compat-reset.c | 115 +++
libstb/secvar/backend/edk2-compat-reset.h | 24 +
libstb/secvar/backend/edk2-compat.c | 282 +++++++
libstb/secvar/backend/edk2.h | 243 ++++++
libstb/secvar/secvar.h | 29 +-
libstb/secvar/secvar_api.c | 68 +-
libstb/secvar/secvar_devtree.c | 15 +
libstb/secvar/secvar_devtree.h | 2 +
libstb/secvar/secvar_main.c | 89 +-
libstb/secvar/secvar_util.c | 108 ++-
libstb/secvar/storage/Makefile.inc | 11 +-
libstb/secvar/storage/fakenv_ops.c | 175 ++++
libstb/secvar/storage/gen_tpmnv_public_name.c | 107 +++
libstb/secvar/storage/secboot_tpm.c | 657 +++++++++++++++
libstb/secvar/storage/secboot_tpm.h | 61 ++
libstb/secvar/storage/tpmnv_ops.c | 15 +
libstb/secvar/test/Makefile.check | 10 +-
libstb/secvar/test/data/KEK.h | 170 ++++
libstb/secvar/test/data/PK1.h | 170 ++++
libstb/secvar/test/data/edk2_test_data.h | 764 ++++++++++++++++++
libstb/secvar/test/data/multipleDB.h | 246 ++++++
libstb/secvar/test/data/multipleKEK.h | 236 ++++++
libstb/secvar/test/data/multiplePK.h | 236 ++++++
libstb/secvar/test/data/noPK.h | 102 +++
libstb/secvar/test/secvar-test-edk2-compat.c | 235 ++++++
libstb/secvar/test/secvar-test-enqueue.c | 6 +-
libstb/secvar/test/secvar-test-getvar.c | 21 +-
libstb/secvar/test/secvar-test-nextvar.c | 26 +-
libstb/secvar/test/secvar-test-secboot-tpm.c | 143 ++++
libstb/secvar/test/secvar_common_test.c | 2 +
platforms/astbmc/witherspoon.c | 7 +
51 files changed, 6445 insertions(+), 152 deletions(-)
create mode 100644 doc/secvar/driver-api.rst
create mode 100644 doc/secvar/edk2.rst
create mode 100644 doc/secvar/secboot_tpm.rst
create mode 100644 libstb/crypto/pkcs7/Makefile.inc
create mode 100644 libstb/crypto/pkcs7/pkcs7.c
create mode 100644 libstb/crypto/pkcs7/pkcs7.h
create mode 100644 libstb/secvar/backend/edk2-compat-process.c
create mode 100644 libstb/secvar/backend/edk2-compat-process.h
create mode 100644 libstb/secvar/backend/edk2-compat-reset.c
create mode 100644 libstb/secvar/backend/edk2-compat-reset.h
create mode 100644 libstb/secvar/backend/edk2-compat.c
create mode 100644 libstb/secvar/backend/edk2.h
create mode 100644 libstb/secvar/storage/fakenv_ops.c
create mode 100644 libstb/secvar/storage/gen_tpmnv_public_name.c
create mode 100644 libstb/secvar/storage/secboot_tpm.c
create mode 100644 libstb/secvar/storage/secboot_tpm.h
create mode 100644 libstb/secvar/storage/tpmnv_ops.c
create mode 100644 libstb/secvar/test/data/KEK.h
create mode 100644 libstb/secvar/test/data/PK1.h
create mode 100644 libstb/secvar/test/data/edk2_test_data.h
create mode 100644 libstb/secvar/test/data/multipleDB.h
create mode 100644 libstb/secvar/test/data/multipleKEK.h
create mode 100644 libstb/secvar/test/data/multiplePK.h
create mode 100644 libstb/secvar/test/data/noPK.h
create mode 100644 libstb/secvar/test/secvar-test-edk2-compat.c
create mode 100644 libstb/secvar/test/secvar-test-secboot-tpm.c
--
2.27.0
More information about the Skiboot
mailing list