[Skiboot] [PATCH v4 00/18] Add initial secure variable storage and backend drivers

Eric Richter erichte at linux.ibm.com
Tue May 12 07:31:34 AEST 2020


This is a minor update to the previous set that addresses a few bugs
found in internal testing, adds documentation, and fixes some style
issues.

Changes include:
 - adjusts secureboot_enforce() to use platform.terminate, and exposes
   it for other components to use
 - backend driver functions now take in references to the banks they
   should operate on, rather than implicitly using an extern reference
 - updated the hardcoded NV public name hash values in secboot_tpm to
   match the new set of attributes the indices are defined with
 - added documentation for the driver api
 - added documentation for the secboot_tpm storage driver
 - fixed some style issues (mostly lines over 80-column)

NOTE: This set depends on the "Improve mbedtls infrastructure" and
"Advance TSS infrastructure" patch sets.

Patches 1 through 8 address changes in base secureboot/secvar behavior
that came up during reviews. In particular, secvar_main has seen changes
to its flow, to accommodate better error handling. These are not reliant
on the TSS changes or secvar drivers, and can be considered an
independent set if necessary.

Patch 10 adds the driver api document, which details what is expected
of a secvar driver, and how each driver function is used.

Patches 11 and 16 implement the initial pair of drivers for secure
variable support. The new secboot_tpm document is included with its
implementation in patch 11.

Patch 12 implements a TPM NV simulation, which is NOT enabled by
default. This is intended for testing purposes on unsupported (no-TPM)
hardware, or tests in userspace.

Patch 14 includes an auxiliary tool to generate the expected hash for a
TPM NV public name, given the set of attributes the NV index was defined
with. This tool is very drafty, and has been included to determine if it
is worth putting more effort into. It can be removed from the set if
needed.

Patch 18 enables the secvar drivers for witherspoon platforms; other
platforms should implement a similar change.


Claudio Carvalho (1):
  core/flash.c: add SECBOOT read and write support

Eric Richter (12):
  libstb/secureboot: use platform.terminate instead of hard abort
  secvar_main: increase error verbosity, restyle all comments
  secvar_main: rework secvar_main error flow, make storage locking
    explicit
  secvar_util: add new helper functions
  secvar_devtree: add physical presence mode helper
  doc/secvar: add document detailing secvar driver API
  secvar/storage: add secvar storage driver for pnor-based p9
  secvar/storage/fakenv: add fake tpm operations for testing
  secvar/test: add secboot_tpm storage driver test cases
  secvar/storage: add utility tool to generate NV public name hashes
  secvar/test: add edk2-compat driver test and test data
  witherspoon: enable secvar for witherspoon platform

Nayna Jain (5):
  libstb/secureboot: OS Secure Boot is enabled only if FW secureboot is
    enabled
  secvar: change backend hook interface to take in bank references
  hdata/spira: add physical presence flags
  crypto: add out-of-tree mbedtls pkcs7 parser
  secvar/backend: add edk2 derived key updates processing

 core/flash.c                                  | 130 +++
 core/init.c                                   |   2 +-
 doc/secvar/driver-api.rst                     | 312 +++++++
 doc/secvar/edk2.rst                           |  49 ++
 doc/secvar/secboot_tpm.rst                    | 175 ++++
 hdata/spira.c                                 |  11 +
 hdata/spira.h                                 |   7 +-
 include/platform.h                            |   4 +
 include/secvar.h                              |  22 +-
 libstb/crypto/Makefile.inc                    |   4 +-
 libstb/crypto/mbedtls-config.h                |   1 +
 libstb/crypto/pkcs7/Makefile.inc              |  12 +
 libstb/crypto/pkcs7/pkcs7.c                   | 508 ++++++++++++
 libstb/crypto/pkcs7/pkcs7.h                   | 151 ++++
 libstb/secureboot.c                           |  10 +-
 libstb/secureboot.h                           |   2 +
 libstb/secvar/backend/Makefile.inc            |   4 +-
 libstb/secvar/backend/edk2-compat-process.c   | 717 ++++++++++++++++
 libstb/secvar/backend/edk2-compat-process.h   |  61 ++
 libstb/secvar/backend/edk2-compat-reset.c     | 115 +++
 libstb/secvar/backend/edk2-compat-reset.h     |  24 +
 libstb/secvar/backend/edk2-compat.c           | 262 ++++++
 libstb/secvar/backend/edk2.h                  | 243 ++++++
 libstb/secvar/secvar.h                        |   9 +-
 libstb/secvar/secvar_devtree.c                |  15 +
 libstb/secvar/secvar_devtree.h                |   2 +
 libstb/secvar/secvar_main.c                   |  83 +-
 libstb/secvar/secvar_util.c                   |  63 +-
 libstb/secvar/storage/Makefile.inc            |  11 +-
 libstb/secvar/storage/fakenv_ops.c            | 175 ++++
 libstb/secvar/storage/gen_tpmnv_public_name.c | 107 +++
 libstb/secvar/storage/secboot_tpm.c           | 678 ++++++++++++++++
 libstb/secvar/storage/secboot_tpm.h           |  61 ++
 .../secvar/storage/secboot_tpm_public_name.h  |  18 +
 libstb/secvar/storage/tpmnv_ops.c             |  15 +
 libstb/secvar/test/Makefile.check             |  10 +-
 libstb/secvar/test/data/KEK.h                 | 170 ++++
 libstb/secvar/test/data/PK1.h                 | 170 ++++
 libstb/secvar/test/data/edk2_test_data.h      | 764 ++++++++++++++++++
 libstb/secvar/test/data/multipleDB.h          | 246 ++++++
 libstb/secvar/test/data/multipleKEK.h         | 236 ++++++
 libstb/secvar/test/data/multiplePK.h          | 236 ++++++
 libstb/secvar/test/data/noPK.h                | 102 +++
 libstb/secvar/test/secvar-test-edk2-compat.c  | 297 +++++++
 libstb/secvar/test/secvar-test-secboot-tpm.c  | 163 ++++
 libstb/secvar/test/secvar_common_test.c       |   2 +
 platforms/astbmc/witherspoon.c                |   8 +
 47 files changed, 6423 insertions(+), 44 deletions(-)
 create mode 100644 doc/secvar/driver-api.rst
 create mode 100644 doc/secvar/edk2.rst
 create mode 100644 doc/secvar/secboot_tpm.rst
 create mode 100644 libstb/crypto/pkcs7/Makefile.inc
 create mode 100644 libstb/crypto/pkcs7/pkcs7.c
 create mode 100644 libstb/crypto/pkcs7/pkcs7.h
 create mode 100644 libstb/secvar/backend/edk2-compat-process.c
 create mode 100644 libstb/secvar/backend/edk2-compat-process.h
 create mode 100644 libstb/secvar/backend/edk2-compat-reset.c
 create mode 100644 libstb/secvar/backend/edk2-compat-reset.h
 create mode 100644 libstb/secvar/backend/edk2-compat.c
 create mode 100644 libstb/secvar/backend/edk2.h
 create mode 100644 libstb/secvar/storage/fakenv_ops.c
 create mode 100644 libstb/secvar/storage/gen_tpmnv_public_name.c
 create mode 100644 libstb/secvar/storage/secboot_tpm.c
 create mode 100644 libstb/secvar/storage/secboot_tpm.h
 create mode 100644 libstb/secvar/storage/secboot_tpm_public_name.h
 create mode 100644 libstb/secvar/storage/tpmnv_ops.c
 create mode 100644 libstb/secvar/test/data/KEK.h
 create mode 100644 libstb/secvar/test/data/PK1.h
 create mode 100644 libstb/secvar/test/data/edk2_test_data.h
 create mode 100644 libstb/secvar/test/data/multipleDB.h
 create mode 100644 libstb/secvar/test/data/multipleKEK.h
 create mode 100644 libstb/secvar/test/data/multiplePK.h
 create mode 100644 libstb/secvar/test/data/noPK.h
 create mode 100644 libstb/secvar/test/secvar-test-edk2-compat.c
 create mode 100644 libstb/secvar/test/secvar-test-secboot-tpm.c

-- 
2.21.1
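
Why hardcoded NV public name hashes have to follow the attributes an index is defined with, as an added example that is not code from this patch set or its gen_tpmnv_public_name tool: per the TPM 2.0 specification, an NV index's Name is nameAlg followed by the hash of its marshalled TPMS_NV_PUBLIC. The index handle, data size and attribute sets below are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

TPM_ALG_SHA256 = 0x000B  # TPM 2.0 algorithm ID for SHA-256

# Subset of the TPMA_NV attribute bits defined by the TPM 2.0 specification.
TPMA_NV_AUTHWRITE = 1 << 2
TPMA_NV_AUTHREAD = 1 << 18
TPMA_NV_NO_DA = 1 << 25
TPMA_NV_WRITTEN = 1 << 29  # set by the TPM itself on the first write

# Constructed sample values, not the indices or attributes used by secboot_tpm.
EXAMPLE_INDEX = 0x01500001
EXAMPLE_SIZE = 1024
OLD_ATTRS = TPMA_NV_AUTHWRITE | TPMA_NV_AUTHREAD
NEW_ATTRS = OLD_ATTRS | TPMA_NV_NO_DA


def marshal_nv_public(nv_index, attributes, data_size, auth_policy=b""):
    """Marshal TPMS_NV_PUBLIC big-endian: nvIndex (u32), nameAlg (u16),
    attributes (u32), authPolicy (u16 length + bytes), dataSize (u16)."""
    out = struct.pack(">IHI", nv_index, TPM_ALG_SHA256, attributes)
    out += struct.pack(">H", len(auth_policy)) + auth_policy
    return out + struct.pack(">H", data_size)


def nv_public_name(nv_index, attributes, data_size, auth_policy=b""):
    """Return the 34-byte Name: nameAlg || SHA-256(TPMS_NV_PUBLIC)."""
    public = marshal_nv_public(nv_index, attributes, data_size, auth_policy)
    return struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(public).digest()


def name_matches(pinned, nv_index, attributes, data_size):
    """Check a pinned Name against the one derived from the index's definition."""
    actual = nv_public_name(nv_index, attributes, data_size)
    return hmac.compare_digest(pinned, actual)


if __name__ == "__main__":
    pinned = nv_public_name(EXAMPLE_INDEX, OLD_ATTRS, EXAMPLE_SIZE)
    print("pinned name      :", pinned.hex())
    # Redefining the index with one extra attribute invalidates the pinned value.
    print("matches new attrs:",
          name_matches(pinned, EXAMPLE_INDEX, NEW_ATTRS, EXAMPLE_SIZE))
    # The Name also changes once the TPM sets WRITTEN after provisioning.
    print("matches written  :",
          name_matches(pinned, EXAMPLE_INDEX, OLD_ATTRS | TPMA_NV_WRITTEN, EXAMPLE_SIZE))
```
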
