From: David Gibson <david@gibson.dropbear.id.au>
To: Daniel Axtens <dja@axtens.net>
Cc: qemu-ppc@nongnu.org, qemu-devel@nongnu.org
Subject: Re: [PATCH] ppc/spapr: advertise secure boot in the guest device tree
Date: Tue, 11 May 2021 14:50:44 +1000
Message-ID: <YJoNJDaN2SlyuwZZ@yekko>
In-Reply-To: <20210510120713.90053-1-dja@axtens.net>


On Mon, May 10, 2021 at 10:07:13PM +1000, Daniel Axtens wrote:
> The ibm,secure-boot property of the / node determines how firmware
> and the operating system should enforce secure boot. The meanings
> of the various values are:
> 
>  0   - secure boot is disabled
>  1   - secure boot in log-only mode
>  2   - secure boot enabled and enforced
>  3-9 - secure boot enabled and enforced; requirements at the
>          discretion of the operating system
> 
> We expose this as two properties:
> 
>  - secure-boot: determines whether the property is advertised in the
>                 guest device tree. The default is false.
> 
>  - secure-boot-level: what value is advertised if enabled?
>                       The default is 2.
> 
> This doesn't make the firmware or OS actually _do_ any verification, it
> just advises them that they should.

So.. what's the point?  AFAIK we have no secure boot support in SLOF,
so what would advertising it in the device tree accomplish?

> 
> Signed-off-by: Daniel Axtens <dja@axtens.net>
> 
> ---
> 
> Linux already reads this property. Versions of SLOF and grub that do
> verification are available on my GitHub:
>  - github.com/daxtens/SLOF branch ibm,secure-boot (not production ready!)
>  - github.com/daxtens/grub branch appendedsig-2.06
> ---
>  hw/ppc/spapr.c         | 42 ++++++++++++++++++++++++++++++++++++++++++
>  include/hw/ppc/spapr.h |  4 ++++
>  2 files changed, 46 insertions(+)
> 
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index 3b1a5ed86518..544a412c3d18 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -1157,6 +1157,20 @@ static void spapr_dt_hypervisor(SpaprMachineState *spapr, void *fdt)
>      }
>  }
>  
> +static void spapr_dt_stb(SpaprMachineState *spapr, void *fdt)
> +{
> +    /*
> +     * PowerVM may provide fw-secure-boot, which purports to tell a partition
> +     * if the underlying firmware was booted securely. It's not meaningful
> +     * for KVM as there are no agreed semantics for what it would mean (host
> +     * secure boot only gives you integrity for the host kernel, not host
> +     * qemu). So we omit the property for now.
> +     */
> +    if (spapr->secure_boot)
> +        _FDT(fdt_setprop_cell(fdt, 0, "ibm,secure-boot",
> +            spapr->secure_boot_level));
> +}
> +
>  void *spapr_build_fdt(SpaprMachineState *spapr, bool reset, size_t space)
>  {
>      MachineState *machine = MACHINE(spapr);
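Review bot: the `if (spapr->secure_boot)` in spapr_dt_stb() has an unbraced body; QEMU's coding style requires braces on every if arm and checkpatch.pl flags their absence, so wrap the `_FDT(fdt_setprop_cell(...))` statement in `{ }`. The comment on why fw-secure-boot is deliberately omitted for KVM is useful and worth keeping as written.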
> @@ -1263,6 +1277,9 @@ void *spapr_build_fdt(SpaprMachineState *spapr, bool reset, size_t space)
>          spapr_dt_hypervisor(spapr, fdt);
>      }
>  
> +    /* /ibm,secureboot */
> +    spapr_dt_stb(spapr, fdt);
> +
>      /* Build memory reserve map */
>      if (reset) {
>          if (spapr->kernel_size) {
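Review bot: the comment `/* /ibm,secureboot */` does not describe what the call does: spapr_dt_stb() sets a property named `ibm,secure-boot` on the root node (offset 0), not a node called /ibm,secureboot. Suggest `/* ibm,secure-boot property on / */` so that a reader grepping for the property name lands on this call site.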
> @@ -3298,6 +3315,20 @@ static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
>      spapr->host_serial = g_strdup(value);
>  }
>  
> +static bool spapr_get_secure_boot(Object *obj, Error **errp)
> +{
> +    SpaprMachineState *spapr = SPAPR_MACHINE(obj);
> +
> +    return spapr->secure_boot;
> +}
> +
> +static void spapr_set_secure_boot(Object *obj, bool value, Error **errp)
> +{
> +    SpaprMachineState *spapr = SPAPR_MACHINE(obj);
> +
> +    spapr->secure_boot = value;
> +}
> +
>  static void spapr_instance_init(Object *obj)
>  {
>      SpaprMachineState *spapr = SPAPR_MACHINE(obj);
> @@ -3353,6 +3384,17 @@ static void spapr_instance_init(Object *obj)
>          spapr_get_host_serial, spapr_set_host_serial);
>      object_property_set_description(obj, "host-serial",
>          "Host serial number to advertise in guest device tree");
> +
> +    /* If we have secure boot, the default level is 2: enable and enforce */
> +    spapr->secure_boot_level = 2;
> +    object_property_add_bool(obj, "secure-boot",
> +        spapr_get_secure_boot, spapr_set_secure_boot);
> +    object_property_set_description(obj, "secure-boot",
> +        "Advertise secure boot in the guest device tree");
> +    object_property_add_uint8_ptr(obj, "secure-boot-level",
> +        &spapr->secure_boot_level, OBJ_PROP_FLAG_READWRITE);
> +    object_property_set_description(obj, "secure-boot-level",
> +        "Level of secure boot advertised in the guest device tree");
>  }
>  
>  static void spapr_machine_finalizefn(Object *obj)
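Review bot: `secure-boot-level` is exposed through object_property_add_uint8_ptr() with no validation, so any value 0-255 is accepted and advertised although the commit message defines only 0-9 (3-9 being OS-defined requirements); a custom setter that rejects values above 9 with error_setg() would keep the advertised level inside the documented range. It is also worth saying in the property description that the level is only advertised when `secure-boot` is true, since the level is settable regardless.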
> diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
> index c421410e3fb8..d829d0c27011 100644
> --- a/include/hw/ppc/spapr.h
> +++ b/include/hw/ppc/spapr.h
> @@ -210,6 +210,10 @@ struct SpaprMachineState {
>      int fwnmi_machine_check_interlock;
>      QemuCond fwnmi_machine_check_interlock_cond;
>  
> +    /* Secure Boot */
> +    bool secure_boot;
> +    uint8_t secure_boot_level;
> +
>      /*< public >*/
>      char *kvm_type;
>      char *host_model;

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
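The ibm,secure-boot property as the quoted commit message defines it, as an added example that is not part of this thread or of QEMU's code: it builds a constructed minimal flattened device tree whose / node carries the property (the layout fdt_setprop_cell() on the root node leaves behind), reads it back the way a guest would, and maps the value to the enforcement mode the commit message lists, rejecting the undefined values an unchecked uint8 property would let through. All function names here are hypothetical.

```python
import struct
FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9

def build_root_fdt(props):
    """Constructed minimal FDT: a single / node carrying (name, u32 cell) props,
    the layout fdt_setprop_cell(fdt, 0, name, val) leaves on an empty tree."""
    strings, blk = b"", struct.pack(">I", FDT_BEGIN_NODE) + b"\0" * 4  # "" name, padded
    for name, cell in props:
        blk += struct.pack(">IIII", FDT_PROP, 4, len(strings), cell)
        strings += name.encode() + b"\0"
    blk += struct.pack(">II", FDT_END_NODE, FDT_END)
    off_struct = 40 + 16                          # header + empty memory reserve map
    off_strings = off_struct + len(blk)
    hdr = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                      off_strings, 40, 17, 16, 0, len(strings), len(blk))
    return hdr + bytes(16) + blk + strings

def root_cell_prop(fdt, want):
    """Return the u32 value of property `want` on the / node, or None if absent."""
    magic, total, off_struct, off_strings = struct.unpack_from(">IIII", fdt)
    if magic != FDT_MAGIC or total > len(fdt):
        raise ValueError("not a flattened device tree")
    pos = fdt.index(b"\0", off_struct + 4) + 1    # past FDT_BEGIN_NODE and the / name
    pos += -pos % 4
    while True:
        tok, = struct.unpack_from(">I", fdt, pos); pos += 4
        if tok == FDT_NOP:
            continue
        if tok != FDT_PROP:
            return None                           # child node or END_NODE: not on /
        length, nameoff = struct.unpack_from(">II", fdt, pos); pos += 8
        value, pos = fdt[pos:pos + length], pos + length + (-length % 4)
        name = fdt[off_strings + nameoff:fdt.index(b"\0", off_strings + nameoff)]
        if name == want.encode():
            if length != 4:
                raise ValueError(f"{want}: expected one cell, got {length} bytes")
            return struct.unpack(">I", value)[0]

def secure_boot_mode(fdt):
    """Map ibm,secure-boot to the enforcement mode the commit message defines."""
    v = root_cell_prop(fdt, "ibm,secure-boot")
    if v is None:
        return "not advertised"
    if 3 <= v <= 9:
        return "enforced, requirements at OS discretion"
    if v > 9:
        raise ValueError(f"undefined ibm,secure-boot value {v}")
    return {0: "disabled", 1: "log-only", 2: "enforced"}[v]
```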
