[Skiboot] [PATCH v2 0/6] Secvar adjustments and fixes

Eric Richter erichte at linux.ibm.com
Tue Nov 2 09:05:07 AEDT 2021


This set contains four changes to secvar behavior, and two minor
auxiliary changes. Patches 1, 2, 3, and 6 contain the major changes,
and further detail can be found in their respective patch descriptions,
and I've included a short summary of each change below.

Major Patches:

Patch 1 and 2 are the same as the set I sent earlier. Patch 1 addresses
the bug where the active bank bit was not being flipped on when
formatting the PNOR space. Patch 2 cleans up some uglier failure
conditions when PNOR space has been cleared or tampered with.

Patch 3 moves the timestamp (TS) variable into TPM NV space, as it
should not be cleared whenever PNOR space is wiped. This is a problem
with the current codebase as well, but Patch 2's relaxed PNOR wiping
makes the problem more obvious.

Patch 6 now requires PK updates to be signed by themselves when
enrolling in setup mode (i.e. empty PK). This has always been the
intended behavior, and all current test cases and documentation examples
already assume this is the case. This patch adds the actual enforcement.

Minor Patches:

Patch 5 changes an internal function to use a different parameter
structure, purely to make Patch 6 cleaner. It may be squashed into Patch
4 or 6 if necessary.

Patch 4 is somewhat optional. This minor function refactor was
originally intended to be a dependency for Patch 6, however became
unnecessary due to verify_signature expecting an ESL and not an AUTH.
As the change was still a minor clean up, I kept it in this set. It
can be removed, but would require a minor rebase.


Eric Richter (6):
  secvar/secboot_tpm: correctly reset the control index on secboot
    format
  secvar/secboot_tpm: unify behavior for bank hash check and secboot
    header check
  secvar/edk2: store timestamp variable in protected storage
  secvar/edk2: change get_key_authority to return a list of variables
    instead of their names
  secvar/edk2: change verify_signature to take in the raw esl data and
    size
  secvar/edk2: enforce a PK update enrolled in setup mode to be signed
    by itself

 libstb/secvar/backend/edk2-compat-process.c  | 75 +++++++++++---------
 libstb/secvar/backend/edk2-compat.c          |  1 +
 libstb/secvar/storage/secboot_tpm.c          | 41 +++++++++--
 libstb/secvar/test/secvar-test-secboot-tpm.c |  6 ++
 4 files changed, 86 insertions(+), 37 deletions(-)

-- 
2.29.2


