[Skiboot] [RFC PATCH v5 15/16] ultravisor: Pickup wraping key data from mambo

Alexey Kardashevskiy aik at ozlabs.ru
Thu Mar 12 12:45:20 AEDT 2020



On 28/02/2020 07:40, Ryan Grimm wrote:
> From: Michael Anderson <andmike at linux.ibm.com>


How is this used? This patchset does not call add_wrapping_key_mambo()
anywhere, so do we need this patch at all? Thanks,

> 
> Signed-off-by: Michael Anderson <andmike at linux.ibm.com>
> ---
>  external/mambo/skiboot.tcl | 77 ++++++++++++++++++++++++++++++++++++++
>  include/ultravisor.h       |  2 +
>  platforms/mambo/uv.c       | 39 +++++++++++++++++++
>  3 files changed, 118 insertions(+)
>  create mode 100644 platforms/mambo/uv.c
> 
> diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl
> index 39504140..877a9385 100644
> --- a/external/mambo/skiboot.tcl
> +++ b/external/mambo/skiboot.tcl
> @@ -95,6 +95,9 @@ mconfig net_mac MAMBO_NET_MAC 00:11:22:33:44:55
>  # Net: What is the name of the tap device
>  mconfig net_tapdev MAMBO_NET_TAPDEV "tap0"
>  
> +# TPM Wrapping Directory for key files
> +mconfig wrapkey_dir WRAPKEY_DIR none
> +
>  # Enable (default) or disable the "speculation-policy-favor-security" setting,
>  # set to 0 to disable. When enabled it causes Linux's RFI flush to be enabled.
>  mconfig speculation_policy_favor_security MAMBO_SPECULATION_POLICY_FAVOR_SECURITY 1
> @@ -333,6 +336,80 @@ foreach pmem_size $pmem_sizes { # PMEM_VOLATILE
>      set pmem_start [pmem_node_add $pmem_root $pmem_start $pmem_size]
>  }
>  
> +#
> +# Add files to simulate TPM wrapping keys.
> +# wrapping-key-policy-a
> +# wrapping-key-policy-b
> +# wrapping-key-passwd
> +# wrapping-key-publicname
> +#
> +
> +proc add_key_prop { k_file node p_name } {
> +    set key_list [list]
> +    set f [open $k_file r]
> +
> +    while {1} {
> +        set key_byte [read $f 2]
> +        if {[eof $f]} {
> +            close $f
> +            break
> +        }
> +        lappend key_list $key_byte
> +    }
> +
> +    mysim of addprop $node byte_array $p_name $key_list
> +}
> +
> +if { $mconf(wrapkey_dir) != "none" } {
> +  set tpm_node [ mysim of addchild $root_node "tpm_sim" "" ]
> +  mysim of addprop $tpm_node string "compatible" "uv,tpm_sim"
> +
> +  # policy-a.txt
> +  if {[file exists $mconf(wrapkey_dir)/policy-a.txt]} {
> +    puts "Using policy-a.txt"
> +    add_key_prop $mconf(wrapkey_dir)/policy-a.txt $tpm_node "wrapping-key-policy-a"
> +  } else {
> +    puts "ERROR: Could not find policy-a.txt in : $mconf(wrapkey_dir)"
> +    exit
> +  }
> +
> +  # policy-b.txt
> +  if {[file exists $mconf(wrapkey_dir)/policy-b.txt]} {
> +    puts "Using policy-b.txt"
> +    add_key_prop $mconf(wrapkey_dir)/policy-b.txt $tpm_node "wrapping-key-policy-b"
> +  } else {
> +    puts "ERROR: Could not find policy-b.txt in : $mconf(wrapkey_dir)"
> +    exit
> +  }
> +
> +  # wrapping-key-passwd
> +  if {[file exists $mconf(wrapkey_dir)/wrapping-key-passwd.txt]} {
> +    puts "Using wrapping-key-passwd.txt"
> +    add_key_prop $mconf(wrapkey_dir)/wrapping-key-passwd.txt $tpm_node "wrapping-key-passwd"
> +  } else {
> +    puts "ERROR: Could not find wrapping-key-passwd.txt in : $mconf(wrapkey_dir)"
> +    exit
> +  }
> +
> +  # wrapping-key-publicname
> +  if {[file exists $mconf(wrapkey_dir)/wrapping-key-publicname.txt]} {
> +    puts "Using wrapping-key-publicname.txt"
> +    add_key_prop $mconf(wrapkey_dir)/wrapping-key-publicname.txt $tpm_node "wrapping-key-publicname"
> +  } else {
> +    puts "ERROR: Could not find wrapping-key-publicname.txt in : $mconf(wrapkey_dir)"
> +    exit
> +  }
> +
> +  # wrapping-key-handle
> +  if {[file exists $mconf(wrapkey_dir)/wrapping-key-handle.txt]} {
> +    puts "Using wrapping-key-handle.txt"
> +    add_key_prop $mconf(wrapkey_dir)/wrapping-key-handle.txt $tpm_node "wrapping-key-handle"
> +  } else {
> +    puts "ERROR: Could not find wrapping-key-handle.txt in : $mconf(wrapkey_dir)"
> +    exit
> +  }
> +
> +}
>  
>  # Default NVRAM is blank and will be formatted by Skiboot if no file is provided
>  set fake_nvram_start $cpio_end
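Review bot: Each of the five `exit` calls that follow an `ERROR:` message in this hunk terminates with status 0, because Tcl's `exit` defaults to 0, so a missing key file is indistinguishable from a successful run to whatever launches the simulator; make them `exit 1`. The comment block at the top of the hunk lists four property names, but the code below also adds `wrapping-key-handle`, so the list should name it too. In `add_key_prop` a final chunk shorter than two characters (an odd-length file, or a trailing newline) is dropped silently by the `eof` check, and no chunk is validated before it is handed to `addprop byte_array`, so the expected file format (presumably two hex characters per byte with no separators — confirm) should be stated in the proc's comment and a malformed chunk reported rather than passed through. The five near-identical file blocks could be a single loop over a `{file property}` list, which also keeps the set of required files in one place.
```tcl
# … unchanged: add_key_prop proc and tpm_sim node creation …
foreach {k_file p_name} {
    policy-a.txt                 wrapping-key-policy-a
    policy-b.txt                 wrapping-key-policy-b
    wrapping-key-passwd.txt      wrapping-key-passwd
    wrapping-key-publicname.txt  wrapping-key-publicname
    wrapping-key-handle.txt      wrapping-key-handle
} {
    set path $mconf(wrapkey_dir)/$k_file
    if {![file exists $path]} {
        puts "ERROR: Could not find $k_file in : $mconf(wrapkey_dir)"
        exit 1
    }
    puts "Using $k_file"
    add_key_prop $path $tpm_node $p_name
}
```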
> diff --git a/include/ultravisor.h b/include/ultravisor.h
> index 347b085d..faa1d16b 100644
> --- a/include/ultravisor.h
> +++ b/include/ultravisor.h
> @@ -24,6 +24,8 @@ int start_ultravisor(void *fdt);
>  void uv_preload_image(void);
>  void init_uv(void);
>  
> +int add_wrapping_key_mambo(void *fdt);
> +
>  static inline int uv_xscom_read(u64 partid, u64 pcb_addr, u64 *val)
>  {
>  	unsigned long retbuf[UCALL_BUFSIZE];
> diff --git a/platforms/mambo/uv.c b/platforms/mambo/uv.c
> new file mode 100644
> index 00000000..2519d240
> --- /dev/null
> +++ b/platforms/mambo/uv.c
> @@ -0,0 +1,39 @@
> +// SPDX-License-Identifier: Apache-2.0
> +/* Copyright 2016-2017 IBM Corp. */
> +
> +const char *wrap_key_prop_str[] = {
> +	"wrapping-key-passwd",
> +	"wrapping-key-publicname",
> +	"wrapping-key-policy-a",
> +	"wrapping-key-policy-b",
> +	NULL
> +};
> +
> +int add_wrapping_key_mambo(void *fdt)
> +{
> +	struct dt_node *tpm_sim_node;
> +	const struct dt_property *property = NULL;
> +	int i;
> +
> +	tpm_sim_node = dt_find_compatible_node(dt_root, NULL, "uv,tpm_sim");
> +	if (!tpm_sim_node) {
> +		prlog(PR_INFO, "uv,tpm_sim compatible node not found\n");
> +		return OPAL_HARDWARE;
> +	}
> +
> +	fdt_begin_node(fdt, "ibm,uv-tpm");
> +	fdt_property_string(fdt, "compatible", "ibm,uv-tpm");
> +
> +	for (i = 0; wrap_key_prop_str[i] != NULL; i++) {
> +		property = dt_find_property(tpm_sim_node, wrap_key_prop_str[i]);
> +		if (property) {
> +			fdt_property(fdt, wrap_key_prop_str[i],
> +				property->prop,
> +				property->len);
> +		}
> +	}
> +
> +	fdt_end_node(fdt);
> +
> +	return OPAL_SUCCESS;
> +}
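Review bot: The new file contains no `#include` lines yet uses `dt_find_compatible_node`, `dt_find_property`, `prlog`, `OPAL_HARDWARE`/`OPAL_SUCCESS` and the libfdt `fdt_*` calls, so it cannot compile as written; the diffstat also shows no Makefile change for platforms/mambo, which suggests the file is not built at all and would explain why this went unnoticed (confirm). `wrap_key_prop_str` is a mutable array with external linkage; it should be `static const char *const wrap_key_prop_str[]`. The table omits `wrapping-key-handle`, which the skiboot.tcl hunk in this same patch adds to the tpm_sim node, so that property is silently never copied into the ibm,uv-tpm node. The return values of `fdt_begin_node`, `fdt_property_string`, `fdt_property` and `fdt_end_node` are ignored, so a full or corrupt FDT buffer still yields OPAL_SUCCESS; each returns a negative value on failure and the function should propagate an error (shown below with `OPAL_PARAMETER`; use whichever code the ultravisor callers expect).
```c
static const char *const wrap_key_prop_str[] = {
	"wrapping-key-passwd",
	"wrapping-key-publicname",
	"wrapping-key-policy-a",
	"wrapping-key-policy-b",
	"wrapping-key-handle",
	NULL
};

int add_wrapping_key_mambo(void *fdt)
{
	/* … unchanged: declarations and uv,tpm_sim node lookup … */

	if (fdt_begin_node(fdt, "ibm,uv-tpm") < 0 ||
	    fdt_property_string(fdt, "compatible", "ibm,uv-tpm") < 0)
		return OPAL_PARAMETER;

	for (i = 0; wrap_key_prop_str[i] != NULL; i++) {
		property = dt_find_property(tpm_sim_node, wrap_key_prop_str[i]);
		if (!property)
			continue;
		if (fdt_property(fdt, wrap_key_prop_str[i],
				 property->prop, property->len) < 0)
			return OPAL_PARAMETER;
	}

	if (fdt_end_node(fdt) < 0)
		return OPAL_PARAMETER;

	return OPAL_SUCCESS;
}
```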
> 

-- 
Alexey

