[Skiboot] [PATCH v5 02/20] libstb/secureboot: OS Secure Boot is enabled only if FW secureboot is enabled

Eric Richter erichte at linux.ibm.com
Sat Jun 13 06:24:56 AEST 2020


From: Nayna Jain <nayna at linux.ibm.com>

OS Secure Boot establishes a chain of trust from firmware to the OS.
However, OS Secure Boot can only be secure if the chain of trust
beneath it - from hardware to firmware - has been established by
Firmware Secure Boot. This patch ensures that OS Secure Boot is enabled
only if Firmware Secure Boot is enabled.

Signed-off-by: Nayna Jain <nayna at linux.ibm.com>
Signed-off-by: Eric Richter <erichte at linux.ibm.com>
---
 core/init.c         | 2 +-
 libstb/secureboot.c | 5 +++++
 libstb/secureboot.h | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/core/init.c b/core/init.c
index 63e3f97a..892b4740 100644
--- a/core/init.c
+++ b/core/init.c
@@ -1263,7 +1263,7 @@ void __noreturn __nomcount main_cpu_entry(const void *fdt)
 	trustedboot_init();
 
 	/* Secure variables init, handled by platform */
-	if (platform.secvar_init)
+	if (platform.secvar_init && is_fw_secureboot())
 		platform.secvar_init();
 
 	/*
diff --git a/libstb/secureboot.c b/libstb/secureboot.c
index 60324809..f8cce285 100644
--- a/libstb/secureboot.c
+++ b/libstb/secureboot.c
@@ -62,6 +62,11 @@ bool secureboot_is_compatible(struct dt_node *node, int *version, const char **c
 	return false;
 }
 
+bool is_fw_secureboot(void)
+{
+	return secure_mode;
+}
+
 void secureboot_init(void)
 {
 	struct dt_node *node;
diff --git a/libstb/secureboot.h b/libstb/secureboot.h
index 721b28de..74e93c84 100644
--- a/libstb/secureboot.h
+++ b/libstb/secureboot.h
@@ -18,6 +18,7 @@ enum secureboot_version {
 void secureboot_enforce(void);
 bool secureboot_is_compatible(struct dt_node *node, int *version, const char **compat);
 void secureboot_init(void);
+bool is_fw_secureboot(void);
 
 /**
  * secureboot_verify - verify a PNOR partition content
-- 
2.27.0



More information about the Skiboot mailing list