[Skiboot] [PATCH v5 02/20] libstb/secureboot: OS Secure Boot is enabled only if FW secureboot is enabled
Eric Richter
erichte at linux.ibm.com
Sat Jun 13 06:24:56 AEST 2020
From: Nayna Jain <nayna at linux.ibm.com>
OS Secure Boot establishes a chain of trust from firmware to the OS.
However, OS Secure Boot can only be secure if the chain of trust
beneath it - from hardware to firmware - has been established by
Firmware Secure Boot. This patch ensures that OS Secure Boot is enabled
only if Firmware Secure Boot is enabled.
Signed-off-by: Nayna Jain <nayna at linux.ibm.com>
Signed-off-by: Eric Richter <erichte at linux.ibm.com>
---
core/init.c | 2 +-
libstb/secureboot.c | 5 +++++
libstb/secureboot.h | 1 +
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/core/init.c b/core/init.c
index 63e3f97a..892b4740 100644
--- a/core/init.c
+++ b/core/init.c
@@ -1263,7 +1263,7 @@ void __noreturn __nomcount main_cpu_entry(const void *fdt)
trustedboot_init();
/* Secure variables init, handled by platform */
- if (platform.secvar_init)
+ if (platform.secvar_init && is_fw_secureboot())
platform.secvar_init();
/*
diff --git a/libstb/secureboot.c b/libstb/secureboot.c
index 60324809..f8cce285 100644
--- a/libstb/secureboot.c
+++ b/libstb/secureboot.c
@@ -62,6 +62,11 @@ bool secureboot_is_compatible(struct dt_node *node, int *version, const char **c
return false;
}
+bool is_fw_secureboot(void)
+{
+ return secure_mode;
+}
+
void secureboot_init(void)
{
struct dt_node *node;
diff --git a/libstb/secureboot.h b/libstb/secureboot.h
index 721b28de..74e93c84 100644
--- a/libstb/secureboot.h
+++ b/libstb/secureboot.h
@@ -18,6 +18,7 @@ enum secureboot_version {
void secureboot_enforce(void);
bool secureboot_is_compatible(struct dt_node *node, int *version, const char **compat);
void secureboot_init(void);
+bool is_fw_secureboot(void);
/**
* secureboot_verify - verify a PNOR partition content
--
2.27.0
More information about the Skiboot
mailing list