The PLPKS enabled Power LPAR sysfs exposes all of the secure boot secure variables irrespective of the key management mode. There is support for both static and dynamic key management and the key management mode can be updated using the management console. The user can modify the secure boot secvars db, dbx, grubdb, grubdbx, and sbat only in the dynamic key mode. But the sysfs interface exposes these secvars even in static key mode. This could lead to errors when reading them or writing to them in the static key mode.
Update the secvar format property based on the key management mode and expose only the secure variables relevant to the key management mode. Enable loading of signed third-party kernel modules in the static key mode when the platform keystore is enabled.

Changelog:

v2:

* Patch 1:
  - Updated plpks_get_sb_keymgmt_mode to handle -ENOENT and -EPERM in the case of static key management mode, based on feedback from Andrew.
  - Moved the documentation changes relevant to the secvar format property from Patch 2 to Patch 1.
  - Added reviewed-by from Nayna.

* Patch 2:
  - Moved the documentation changes relevant to secure variables from /sys/firmware/secvar/format to /sys/firmware/secvar/vars/<variable name>.
  - Added reviewed-by from Nayna and Andrew.

* Patch 3:
  - Added reviewed-by from Nayna and Andrew.

Srish Srinivasan (3):
  powerpc/pseries: Correct secvar format representation for static key management
  powerpc/secvar: Expose secvars relevant to the key management mode
  integrity/platform_certs: Allow loading of keys in the static key management mode

 Documentation/ABI/testing/sysfs-secvar        |  15 ++-
 arch/powerpc/platforms/pseries/plpks-secvar.c | 104 ++++++++++++------
 .../integrity/platform_certs/load_powerpc.c   |   5 +-
 3 files changed, 85 insertions(+), 39 deletions(-)

--
2.47.1