[Skiboot] [RFC 1/8] secvar_devtree: add hook for reset-default-keys physical presence mode

Eric Richter erichte at linux.ibm.com
Wed Sep 22 13:11:22 AEST 2021


Currently, the secboot_tpm driver utilizes the physical presence detection
function to determine when it should (re)define the TPM indices -- either
to recover from a faulty state or forcibly disable OS secure boot.

As this is a complete escape-hatch solution, it is not viable to use this
method in conjunction with a driver that utilizes compile-time built-in
variables. Thus, a new physical presence method is introduced specifically
for resetting to default, built-in keys for future driver use (ideally,
with OS secure boot now enabled).

The previous physical presence function has been renamed to more accurately
reflect the physical presence mode it is detecting (clear-os-keys).

Signed-off-by: Eric Richter <erichte at linux.ibm.com>
---
 libstb/secvar/secvar_devtree.c               | 18 +++++++++++++++++-
 libstb/secvar/secvar_devtree.h               |  3 ++-
 libstb/secvar/storage/secboot_tpm.c          |  2 +-
 libstb/secvar/test/secvar-test-secboot-tpm.c |  2 +-
 4 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/libstb/secvar/secvar_devtree.c b/libstb/secvar/secvar_devtree.c
index 8ce21936..e6ab0710 100644
--- a/libstb/secvar/secvar_devtree.c
+++ b/libstb/secvar/secvar_devtree.c
@@ -64,7 +64,7 @@ void secvar_set_update_status(uint64_t val)
 	dt_add_property_u64(secvar_node, "update-status", val);
 }
 
-bool secvar_check_physical_presence(void)
+bool secvar_check_clear_keys(void)
 {
 	struct dt_node *secureboot;
 
@@ -79,3 +79,19 @@ bool secvar_check_physical_presence(void)
 
 	return false;
 }
+
+bool secvar_check_reset_default_keys(void)
+{
+	struct dt_node *secureboot;
+
+	/* Only bother checking if this image was built with default keys */
+	secureboot = dt_find_by_path(dt_root, "ibm,secureboot");
+	if (!secureboot)
+		return false;
+
+
+	if (dt_find_property(secureboot, "reset-default-keys"))
+		return true;
+
+	return false;
+}
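Review bot: The comment in secvar_check_reset_default_keys() says "Only bother checking if this image was built with default keys", but the code that follows only looks up the "ibm,secureboot" node and returns false if it is missing; nothing in the function tests whether built-in keys were compiled in. Either reword the comment to describe the node lookup or add the build-time condition it promises, so a reader does not assume a guard that is not there. There are also two consecutive blank "+" lines before the dt_find_property() check; one is enough.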
diff --git a/libstb/secvar/secvar_devtree.h b/libstb/secvar/secvar_devtree.h
index 04eb00de..d2baedd2 100644
--- a/libstb/secvar/secvar_devtree.h
+++ b/libstb/secvar/secvar_devtree.h
@@ -10,6 +10,7 @@ void secvar_init_devnode(const char *compatible);
 void secvar_set_status(const char *status);
 void secvar_set_update_status(uint64_t val);
 
-bool secvar_check_physical_presence(void);
+bool secvar_check_clear_keys(void);
+bool secvar_check_reset_default_keys(void);
 
 #endif
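Review bot: The two declarations secvar_check_clear_keys() and secvar_check_reset_default_keys() have no comment saying that both are physical presence checks or how the modes differ. Since the rename drops "physical_presence" from the name, a short comment above each prototype stating the mode it detects (clear-os-keys versus reset-default-keys) and the intended effect (redefine the TPM indices versus fall back to built-in keys) would keep a future storage driver from calling the wrong one.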
diff --git a/libstb/secvar/storage/secboot_tpm.c b/libstb/secvar/storage/secboot_tpm.c
index 129f674a..53ae03f5 100644
--- a/libstb/secvar/storage/secboot_tpm.c
+++ b/libstb/secvar/storage/secboot_tpm.c
@@ -598,7 +598,7 @@ static int secboot_tpm_store_init(void)
 	free(indices);
 
 	/* Undefine the NV indices if physical presence has been asserted */
-	if (secvar_check_physical_presence()) {
+	if (secvar_check_clear_keys()) {
 		prlog(PR_INFO, "Physical presence asserted, redefining NV indices, and resetting keystore\n");
 		rc = secboot_tpm_undefine_indices(&vars_defined, &control_defined);
 		if (rc)
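Review bot: The comment and the prlog() text at the renamed call site still say only "physical presence has been asserted" / "Physical presence asserted", which is ambiguous now that there are two physical presence modes. Suggest naming the mode in both, for example mentioning clear-os-keys in the PR_INFO message, so that a boot log shows which request caused the NV indices to be undefined.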
diff --git a/libstb/secvar/test/secvar-test-secboot-tpm.c b/libstb/secvar/test/secvar-test-secboot-tpm.c
index 798ca281..21ed0320 100644
--- a/libstb/secvar/test/secvar-test-secboot-tpm.c
+++ b/libstb/secvar/test/secvar-test-secboot-tpm.c
@@ -32,7 +32,7 @@ int flash_secboot_info(uint32_t *total_size)
 
 /* Toggle this to test the physical presence resetting */
 bool phys_presence = false;
-bool secvar_check_physical_presence(void)
+bool secvar_check_clear_keys(void)
 {
 	return phys_presence;
 }
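Review bot: The test stub keeps the generic toggle name phys_presence and the comment "test the physical presence resetting" while the function it backs is now secvar_check_clear_keys(). Consider renaming the toggle and comment to match the clear-keys mode, so that a later stub for secvar_check_reset_default_keys() can get its own toggle without confusion.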
-- 
2.33.0


