[Skiboot] [RFC 8/8] mowgli: (EXAMPLE) enable mode-switchable drivers for secvar
Daniel Axtens
dja at axtens.net
Wed Oct 6 20:52:56 AEDT 2021
Eric Richter <erichte at linux.ibm.com> writes:
> This example patch enables the new mode-switchable secvar drivers for the
> mowgli platform.
>
> RFC NOTE: This is a patch that should likely be carried out-of-tree for
> platforms that decide to use these switchable drivers. As this will depend
> on having default variables compiled in, there should likely be some
> compile-time check to confirm default keys are in use, or some runtime
> check to force USER_MODE if no built-in keys are provided.

Yeah, figuring out how to avoid the intrinsic set of footguns would be
good.

I am not a fan of carrying a driver in-tree that has no in-tree users.
I think my preference would be makefile hacking that detects the
presence of the default keys and only compiles in the static and
switchable modes if they are present.

Ultimately I would prefer an explicit user configuration but skiboot
hasn't really gone down the kernel-style `make config` direction so
maybe this limited 'magic' is the least surprising thing we can manage.

Kind regards,
Daniel

>
> I am slightly in favor of the latter option, so that it is easier for
> users of platforms supported by secvar to enable switchable modes by only
> needing to supply default variable data.
> ---
> platforms/astbmc/mowgli.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/platforms/astbmc/mowgli.c b/platforms/astbmc/mowgli.c
> index df83319d..8b0686b6 100644
> --- a/platforms/astbmc/mowgli.c
> +++ b/platforms/astbmc/mowgli.c
> @@ -84,7 +84,9 @@ static bool mowgli_probe(void)
> }
> static int mowgli_secvar_init(void)
> {
> - return secvar_main(secboot_tpm_driver, edk2_compatible_v1);
> + // TODO: Provide a compile-time check to make sure there actually are static keys?
> + // have switchable mode only in the presence of a mode to switch to
> + return secvar_main(secboot_tpm_switchable_driver, edk2_switchable_driver);
> }
>
>
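
Review bot: The switch to the switchable drivers in mowgli_secvar_init() is unconditional, and the only thing standing between this and a build with no built-in default keys is the TODO comment above the return. That TODO should be resolved rather than merged as a comment: either fail the build when no default variables are compiled in, or keep the previous `secvar_main(secboot_tpm_driver, edk2_compatible_v1)` call in that case (or force user mode at runtime, as the RFC note proposes). The second comment line, "have switchable mode only in the presence of a mode to switch to", reads as a continuation of the TODO and would be clearer folded into one comment that states the requirement.
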
> --
> 2.33.0