: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore")
Signed-off-by: Nayna Jain
Tested-by: Nageswara R Sastry
---
v4:
* As per Andrew's feedback, squashed Patch 2 with Patch 1.
Now it is single patch.
v3:
* Addition to Patch 1 timeout patch based on Andrew's feed
Signed update H_CALL currently polls PHYP for 5msec. Update this to
5sec.
Signed-off-by: Nayna Jain
Tested-by: Nageswara R Sastry
---
v3:
* Addition to Patch 1 timeout patch based on Andrew's feedback.
arch/powerpc/platforms/pseries/plpks.c | 7 ---
1 file changed, 4 insertions(
eries: define driver for Platform KeyStore")
Signed-off-by: Nayna Jain
Tested-by: Nageswara R Sastry
---
v3:
No change
v2:
* Updated based on feedback from Michael Ellerman
Replaced usleep_range with fsleep.
Since there is no more need to specify range, sleep time is
reverted back
eries: define driver for Platform KeyStore")
Suggested-by: Michael Ellerman
Signed-off-by: Nayna Jain
Tested-by: Nageswara R Sastry
---
v2:
* Updated based on feedback from Michael Ellerman
Replaced usleep_range with fsleep.
Since there is no more need to specify range, sle
eries: define driver for Platform KeyStore")
Signed-off-by: Nayna Jain
Tested-by: Nageswara R Sastry
---
arch/powerpc/include/asm/plpks.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/include/asm/plpks.h b/arch/powerpc/include/asm/plpks.h
index 23
Update Kconfig to enable machine keyring and limit to CA certificates
on PowerVM. Only key signing CA keys are allowed.
Signed-off-by: Nayna Jain
Reviewed-and-tested-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
---
security/integrity/Kconfig | 4 +++-
1 file changed, 3 insertions(+), 1
s platform
dependent.
Load keys stored in the variable trustedcadb onto the .machine keyring
on PowerVM platform.
Signed-off-by: Nayna Jain
Reviewed-and-tested-by: Mimi Zohar
---
.../integrity/platform_certs/keyring_handler.c | 8
.../integrity/platform_certs/keyring_handl
riction to allow only key signing CA's.
* Rebase on Jarkko's master tree -
https://kernel.googlesource.com/pub/scm/linux/kernel/git/jarkko/linux-tpmdd
* Tested after reverting cfa7522f280aa95 because of build failure due to
this commit.
Nayna Jain (6):
integrity: PowerVM support for
trust_moklist() is specific to UEFI enabled systems. Other platforms
rely only on the Kconfig.
Define a generic wrapper named imputed_trust_enabled().
Signed-off-by: Nayna Jain
Reviewed-off-by: Mimi Zohar
---
security/integrity/digsig.c| 2 +-
security/integrity
.
Signed-off-by: Nayna Jain
---
certs/system_keyring.c| 30 +++
include/keys/system_keyring.h | 4 +++
.../platform_certs/keyring_handler.c | 8 +
.../platform_certs/keyring_handler.h | 5
.../integrity/platform_certs
trust_mok variable is accessed within a single function locally.
Change trust_mok from global to local static variable.
Signed-off-by: Nayna Jain
Reviewed-and-tested-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
---
security/integrity/platform_certs/machine_keyring.c | 4 ++--
1 file changed
On non-UEFI platforms, handle restrict_link_by_ca failures differently.
Certificates which do not satisfy CA restrictions on non-UEFI platforms
are ignored.
Signed-off-by: Nayna Jain
Reviewed-and-tested-by: Mimi Zohar
Acked-by: Jarkko Sakkinen
---
security/integrity/platform_certs
.
Signed-off-by: Nayna Jain
---
certs/system_keyring.c| 30 +++
include/keys/system_keyring.h | 7 +
security/integrity/integrity.h| 1 +
.../platform_certs/keyring_handler.c | 8 +
.../platform_certs
Update Kconfig to enable machine keyring and limit to CA certificates
on PowerVM. Only key signing CA keys are allowed.
Signed-off-by: Nayna Jain
Reviewed-and-tested-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
---
security/integrity/Kconfig | 4 +++-
1 file changed, 3 insertions(+), 1
On non-UEFI platforms, handle restrict_link_by_ca failures differently.
Certificates which do not satisfy CA restrictions on non-UEFI platforms
are ignored.
Signed-off-by: Nayna Jain
Reviewed-and-tested-by: Mimi Zohar
---
security/integrity/platform_certs/machine_keyring.c | 2 +-
1 file
trust_moklist() is specific to UEFI enabled systems. Other platforms
rely only on the Kconfig.
Define a generic wrapper named imputed_trust_enabled().
Signed-off-by: Nayna Jain
Reviewed-off-by: Mimi Zohar
---
security/integrity/digsig.c| 2 +-
security/integrity
s platform
dependent.
Load keys stored in the variable trustedcadb onto the .machine keyring
on PowerVM platform.
Signed-off-by: Nayna Jain
Reviewed-and-tested-by: Mimi Zohar
---
.../integrity/platform_certs/keyring_handler.c | 8
.../integrity/platform_certs/keyring_handl
trust_mok variable is accessed within a single function locally.
Change trust_mok from global to local static variable.
Signed-off-by: Nayna Jain
Reviewed-and-tested-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
---
security/integrity/platform_certs/machine_keyring.c | 4 ++--
1 file changed
inux-tpmdd
* Tested after reverting cfa7522f280aa95 because of build failure due to
this commit.
Nayna Jain (6):
integrity: PowerVM support for loading CA keys on machine keyring
integrity: ignore keys failing CA restrictions on non-UEFI platform
integrity: remove global variable from mach
s platform
dependent.
Load keys stored in the variable trustedcadb onto the .machine keyring
on PowerVM platform.
Signed-off-by: Nayna Jain
Reviewed-and-tested-by: Mimi Zohar
---
.../integrity/platform_certs/keyring_handler.c | 8
.../integrity/platform_certs/keyring_handl
.
Signed-off-by: Nayna Jain
---
certs/system_keyring.c| 23 +++
include/keys/system_keyring.h | 7 ++
security/integrity/integrity.h| 1 +
.../platform_certs/keyring_handler.c | 8 +++
.../platform_certs
Update Kconfig to enable machine keyring and limit to CA certificates
on PowerVM. Only key signing CA keys are allowed.
Signed-off-by: Nayna Jain
Reviewed-and-tested-by: Mimi Zohar
---
security/integrity/Kconfig | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/security
trust_moklist() is specific to UEFI enabled systems. Other platforms
rely only on the Kconfig.
Define a generic wrapper named imputed_trust_enabled().
Signed-off-by: Nayna Jain
Reviewed-off-by: Mimi Zohar
---
security/integrity/digsig.c| 2 +-
security/integrity
trust_mok variable is accessed within a single function locally.
Change trust_mok from global to local static variable.
Signed-off-by: Nayna Jain
Reviewed-and-tested-by: Mimi Zohar
---
security/integrity/platform_certs/machine_keyring.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions
On non-UEFI platforms, handle restrict_link_by_ca failures differently.
Certificates which do not satisfy CA restrictions on non-UEFI platforms
are ignored.
Signed-off-by: Nayna Jain
Reviewed-and-tested-by: Mimi Zohar
---
security/integrity/platform_certs/machine_keyring.c | 2 +-
1 file
a95 because of build failure due to
this commit.
Nayna Jain (6):
integrity: PowerVM support for loading CA keys on machine keyring
integrity: ignore keys failing CA restrictions on non-UEFI platform
integrity: remove global variable from machine_keyring.c
integrity: check whether imputed trust is
.
Signed-off-by: Nayna Jain
---
Jarkko, this patch is based on Linus master tree branch, which does
not contain the following commits yet:
c9d004712300 integrity: Enforce digitalSignature usage in the ima and
evm keyrings
59b656eb58fe KEYS: DigitalSignature link restriction
certs/system_keyring.c
Update Kconfig to enable machine keyring and limit to CA certificates
on PowerVM.
Signed-off-by: Nayna Jain
---
security/integrity/Kconfig | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index ec6e0d789da1
trust_moklist() is specific to UEFI enabled systems. Other platforms
rely only on the Kconfig.
Define a generic wrapper named imputed_trust_enabled().
Signed-off-by: Nayna Jain
---
security/integrity/digsig.c | 2 +-
security/integrity/integrity.h| 5
trust_mok variable is accessed within a single function locally.
Change trust_mok from global to local static variable.
Signed-off-by: Nayna Jain
---
security/integrity/platform_certs/machine_keyring.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/integrity
s platform
dependent.
Load keys stored in the variable trustedcadb onto the .machine keyring
on PowerVM platform.
Signed-off-by: Nayna Jain
---
.../integrity/platform_certs/keyring_handler.c | 8
.../integrity/platform_certs/keyring_handler.h | 5 +
.../integrity/platform_certs/load
On non-UEFI platforms, handle restrict_link_by_ca failures differently.
Certificates which do not satisfy CA restrictions on non-UEFI platforms
are ignored.
Signed-off-by: Nayna Jain
---
security/integrity/platform_certs/machine_keyring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion
local and third party
code signing keys on PowerVM.
Nayna Jain (6):
integrity: PowerVM support for loading CA keys on machine keyring
integrity: ignore keys failing CA restrictions on non-UEFI platform
integrity: remove global variable from machine_keyring.c
integrity: check whether impute
On PowerVM guest, variable data is prefixed with 8 bytes of timestamp.
Extract ESL by stripping off the timestamp before passing to ESL parser.
Fixes: 4b3e71e9a34c ("integrity/powerpc: Support loading keys from PLPKS")
Cc: sta...@vger.kenrnel.org # v6.3
Signed-off-by: Nayna Jain
---
On PowerVM guest, variable data is prefixed with 8 bytes of timestamp.
Extract ESL by stripping off the timestamp before passing to ESL parser.
Fixes: 4b3e71e9a34c ("integrity/powerpc: Support loading keys from PLPKS")
Signed-off-by: Nayna Jain
---
.../integrity/platform_certs/load
52 d9 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b |LR.0...*.H..|
0060 05 00 30 17 31 15 30 13 06 03 55 04 03 0c 0c 72 |..0.1.0...Ur|
...
Signed-off-by: Nayna Jain
---
arch/powerpc/platforms/pseries/Kconfig| 10 +
arch/powerpc/platforms/pseries/Makefile | 1 +
.../pla
PowerVM stores authenticated variables in the PowerVM LPAR Platform
KeyStore(PLPKS).
Add signed update H_CALL to PLPKS driver to support authenticated
variables. Additionally, expose config values outside the PLPKS
driver.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/hvcall.h
-r--r--r-- 1 root root 4 Sep 28 15:01 used_space
-r--r--r-- 1 root root 4 Sep 28 15:01 total_size
-r--r--r-- 1 root root 2 Sep 28 15:01 max_object_size
-r--r--r-- 1 root root 2 Sep 28 15:01 max_object_label_size
Signed-off-by: Nayna Jain
---
arch/powerpc/platforms/pseries/Kconfig| 10
/security.
Platforms can define their own directory or file structure under this path.
Example:
# mount -t fwsecurityfs fwsecurityfs /sys/firmware/security
# cd /sys/firmware/security/
Signed-off-by: Nayna Jain
---
fs/Kconfig | 1 +
fs/Makefile | 1 +
fs
https://lore.kernel.org/linuxppc-dev/20220122005637.28199-1-na...@linux.ibm.com/
[4]
https://lore.kernel.org/linuxppc-dev/20221106205839.600442-1-na...@linux.ibm.com/T/#t
Nayna Jain (4):
powerpc/pseries: Add new functions to PLPKS driver
fs: define a firmware security filesystem named fwsecurityfs
po
ned-off-by: Nayna Jain
---
arch/powerpc/platforms/pseries/plpks.c | 28 +-
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/plpks.c
b/arch/powerpc/platforms/pseries/plpks.c
index e8c02735b702..4edd1585e245 100644
--- a/arch/powerpc
Replace kmalloc with kzalloc in construct_auth() function to default
initialize structure with zeroes.
Signed-off-by: Nayna Jain
---
arch/powerpc/platforms/pseries/plpks.c | 8 ++--
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/plpks.c
b/arch
Logging H_CALL return codes in PLPKS driver are easy to confuse with
Linux error codes.
Let the caller of the function log the converted linux error code.
Signed-off-by: Nayna Jain
---
arch/powerpc/platforms/pseries/plpks.c | 10 --
1 file changed, 10 deletions(-)
diff --git a/arch
Some commands, e.g. "cat", might continue to retry on encountering
EINTR. This is not expected for original error code H_ABORTED.
Map H_ABORTED to more relevant Linux error code EIO.
Fixes: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore")
Signe
PAPR Spec defines H_P1 actually as H_PARAMETER and maps H_ABORTED to
a different numerical value.
Fix the error codes as per PAPR Specification.
Fixes: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore")
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/hvcall.
This patchset fixes some bugs and does some cleanups.
Nayna Jain (6):
powerpc/pseries: fix the object owners enum value in plpks driver
powerpc/pseries: Fix the H_CALL error code in PLPKS driver
powerpc/pseries: Return -EIO instead of -EINTR for H_ABORTED error
powerpc/pseries: cleanup
OS_VAR_LINUX enum in PLPKS driver should be 0x02 instead of 0x01.
Fixes: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore")
Signed-off-by: Nayna Jain
---
arch/powerpc/platforms/pseries/plpks.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ar
From: Greg Joyce
Self Encrypting Drives(SED) make use of POWER LPAR Platform KeyStore for
storing its variables. Thus the block subsystem needs to access
PowerPC specific functions to read/write objects in PLPKS.
Override the default implementations in lib/arch_vars.c file with
PowerPC specific
From: Greg Joyce
Generic kernel subsystems may rely on platform specific persistent
KeyStore to store objects containing sensitive key material. In such case,
they need to access architecture specific functions to perform read/write
operations on these variables.
Define the generic variable read
) driver using H_CALL interface
to access PKS storage.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/hvcall.h | 11 +
arch/powerpc/platforms/pseries/Kconfig | 13 +
arch/powerpc/platforms/pseries/Makefile | 1 +
arch/powerpc/platforms/pseries/plpks.c | 460
/arch_vars.c with PowerPC architecture
specific version
Nayna Jain (1):
powerpc/pseries: define driver for Platform KeyStore
arch/powerpc/include/asm/hvcall.h | 11 +
arch/powerpc/platforms/pseries/Kconfig| 13 +
arch/powerpc/platforms/pseries/Makefile | 2 +
arch
access PKS storage.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/hvcall.h | 9 +
arch/powerpc/include/asm/plpks.h | 90
arch/powerpc/platforms/pseries/Kconfig| 13 +
arch/powerpc/platforms/pseries/Makefile | 2 +
arch/powerpc/platforms
From: Greg Joyce
Add platform specific interfaces arch_read_variable() and
arch_variable() to allow platform agnostic access to platform
variable stores.
Signed-off-by: Greg Joyce
---
arch/powerpc/platforms/pseries/plpks/Makefile | 1 +
.../platforms/pseries/plpks/plpks_arch_ops.c | 163 +++
Nayna Jain (1):
powerpc/pseries: define driver for Platform KeyStore
arch/powerpc/include/asm/hvcall.h | 9 +
arch/powerpc/include/asm/plpks.h | 90
arch/powerpc/platforms/pseries/Kconfig| 13 +
arch/powerpc/platforms/pseries/Makefile | 2 +
arch
0d 06 09 2a 86 48 86 f7 |.c.TLR.0...*.H..|
...
Signed-off-by: Nayna Jain
---
arch/powerpc/platforms/pseries/Kconfig| 17 ++
arch/powerpc/platforms/pseries/plpks/Makefile | 2 +
.../pseries/plpks/fwsecurityfs_arch.c | 16 ++
.../platforms/pseries/plpks/internal.h| 1
point /sys/firmware/security.
Platforms can define their own directory or file structure under this path.
Example:
# mount -t fwsecurityfs fwsecurityfs /sys/firmware/security
# cd /sys/firmware/security/
Signed-off-by: Nayna Jain
---
fs/Kconfig | 1 +
fs/Makefile
ed unified interface(firmware security filesystem) for all platforms
to expose their variables used for security features.
* Expose secvars using firmware security filesystem.
* Renamed PKS driver to PLPKS to avoid naming conflict as mentioned by
Dave Hanson.
Nayna Jain (3):
powerpc/pseries: def
access PKS storage.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/hvcall.h | 12 +-
arch/powerpc/include/asm/plpks.h | 92
arch/powerpc/platforms/pseries/Kconfig| 10 +
arch/powerpc/platforms/pseries/Makefile | 2 +
arch/powerpc/platforms
rly, please let us know.
Signed-off-by: Nayna Jain
---
Documentation/ABI/testing/sysfs-pksvar| 77
arch/powerpc/platforms/pseries/Kconfig| 7 +
arch/powerpc/platforms/pseries/Makefile | 1 +
arch/powerpc/platforms/pseries/pksvar-sysfs.c | 356 ++
4 f
to access PKS storage.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/hvcall.h | 13 +-
arch/powerpc/include/asm/pks.h | 84
arch/powerpc/platforms/pseries/Kconfig | 10 +
arch/powerpc/platforms/pseries/Makefile | 1 +
arch/powerpc/platforms/pseries/pks.c| 494
required for secure boot on PowerVM.
Nayna Jain (2):
pseries: define driver for Platform Keystore
pseries: define sysfs interface to expose PKS variables
Documentation/ABI/testing/sysfs-pksvar| 77 +++
arch/powerpc/include/asm/hvcall.h | 13 +-
arch/powerpc/include/asm
supported for Linux.
2 - Enabled and enforced.
3-9 - Enabled and enforcing; requirements are at the discretion of the
operating system.
The values of ibm,trusted-boot under pseries are interpreted as:
0 - Disabled
1 - Enabled
Signed-off-by: Nayna Jain
Reviewed-by: Daniel Axtens
---
v3:
* fixed
The device-tree property to check secure and trusted boot state is
different for guests(pseries) compared to baremetal(powernv).
This patch updates the existing is_ppc_secureboot_enabled() and
is_ppc_trustedboot_enabled() function to add support for pseries.
Signed-off-by: Nayna Jain
Reviewed
The device-tree property to check secure and trusted boot state is
different for guests(pseries) compared to baremetal(powernv).
This patch updates the existing is_ppc_secureboot_enabled() and
is_ppc_trustedboot_enabled() function to add support for pseries.
Signed-off-by: Nayna Jain
---
arch
e based on CONFIG_MODULE_SIG
instead.
Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
Signed-off-by: Nayna Jain
---
v2:
* Fixes the patch description to specify the problem more clearly as asked
by Michael Ellerman.
arch/powerpc/kernel/ima_arch.c | 6 ++
account the ability of enabling "sig_enforce" on the boot
command line (module.sig_enforce=1).
This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG
instead.
Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
Signed-off-by: N
From: Nayna Jain
Every time a new architecture defines the IMA architecture specific
functions - arch_ima_get_secureboot() and arch_ima_get_policy(), the IMA
include file needs to be updated. To avoid this "noise", this patch
defines a new IMA Kconfig IMA_SECURE_AND_OR_TRUSTED_B
different architectures to select it.
Suggested-by: Linus Torvalds
Signed-off-by: Nayna Jain
Cc: Ard Biesheuvel
Cc: Philipp Rudo
Cc: Michael Ellerman
---
v3:
* Updated and tested the patch with improvements suggested by Michael.
It now uses "imply" instead of "select".
different architectures to select it.
Suggested-by: Linus Torvalds
Signed-off-by: Nayna Jain
Cc: Ard Biesheuvel
Cc: Philipp Rudo
Cc: Michael Ellerman
---
v2:
* Fixed the issue identified by Mimi. Thanks Mimi, Ard, Heiko and Michael for
discussing the fix.
arch/powerpc/Kconfig | 1 +
different architectures to select it.
Suggested-by: Linus Torvalds
Signed-off-by: Nayna Jain
Cc: Ard Biesheuvel
Cc: Martin Schwidefsky
Cc: Philipp Rudo
Cc: Michael Ellerman
---
arch/powerpc/Kconfig | 2 +-
arch/s390/Kconfig | 1 +
arch/x86/Kconfig | 1
trusted by firmware.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Signed-off-by: Eric Richter
---
security/integrity/Kconfig | 9 +++
security/integrity/Makefile | 4 +-
security/integrity/platform_certs/load_powerpc.c | 99
The handlers to add the keys to the .platform keyring and blacklisted
hashes to the .blacklist keyring are common for both the uefi and powerpc
mechanisms of loading the keys/hashes from the firmware.
This patch moves the common code from load_uefi.c to keyring_handler.c
Signed-off-by: Nayna Jain
. The users shall use this interface for manipulating
the keys stored in the secure variables.
Signed-off-by: Nayna Jain
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Eric Richter
---
Documentation/ABI/testing/sysfs-secvar | 46 ++
arch/powerpc/Kconfig | 11 ++
arch
CONFIG_OPAL_SECVAR.
Signed-off-by: Claudio Carvalho
Signed-off-by: Nayna Jain
Signed-off-by: Eric Richter
---
arch/powerpc/include/asm/opal-api.h | 5 +-
arch/powerpc/include/asm/opal.h | 7 ++
arch/powerpc/include/asm/secvar.h| 35 +++
arch/powerpc
secvar_sysfs_init()
* fixes spaces
v2:
* removes complete efi-sms from the sysfs implementation and is simplified
* includes Greg's and Oliver's feedbacks:
* adds sysfs documentation
* moves sysfs code to arch/powerpc
* other code related feedbacks.
* adds two new patches t
trusted by firmware.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Signed-off-by: Eric Richter
---
security/integrity/Kconfig| 9 ++
security/integrity/Makefile | 4 +-
.../integrity/platform_certs/load_powerpc.c | 98 +++
3 files changed
The handlers to add the keys to the .platform keyring and blacklisted
hashes to the .blacklist keyring are common for both the uefi and powerpc
mechanisms of loading the keys/hashes from the firmware.
This patch moves the common code from load_uefi.c to keyring_handler.c
Signed-off-by: Nayna Jain
. The users shall use this interface for manipulating
the keys stored in the secure variables.
Signed-off-by: Nayna Jain
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Eric Richter
---
Documentation/ABI/testing/sysfs-secvar | 46 +
arch/powerpc/Kconfig | 11 ++
arch
CONFIG_OPAL_SECVAR.
Signed-off-by: Claudio Carvalho
Signed-off-by: Nayna Jain
Signed-off-by: Eric Richter
---
arch/powerpc/include/asm/opal-api.h | 5 +-
arch/powerpc/include/asm/opal.h | 7 +
arch/powerpc/include/asm/secvar.h| 35 +
arch/powerpc/kernel
* removes complete efi-sms from the sysfs implementation and is simplified
* includes Greg's and Oliver's feedbacks:
* adds sysfs documentation
* moves sysfs code to arch/powerpc
* other code related feedbacks.
* adds two new patches to load keys to .platform and .blacklist keyring.
Thes
On 10/24/19 12:48 PM, Lakshmi Ramasubramanian wrote:
On 10/23/2019 8:47 PM, Nayna Jain wrote:
+/*
+ * ima_check_blacklist - determine if the binary is blacklisted.
+ *
+ * Add the hash of the blacklisted binary to the measurement list,
based
+ * on policy.
+ *
+ * Returns -EPERM if the
On 10/24/19 10:20 AM, Lakshmi Ramasubramanian wrote:
On 10/23/19 8:47 PM, Nayna Jain wrote:
Hi Nayna,
+void process_buffer_measurement(const void *buf, int size,
+ const char *eventname, enum ima_hooks func,
+ int pcr)
{
int ret = 0;
struct
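Review bot: In the new process_buffer_measurement() signature, size is a signed int, so a negative length can be passed in by a caller; since the function is being opened up to callers outside the IMA hook path, consider an unsigned type (or an explicit size check on entry). The function also returns void while keeping a local "int ret = 0", so a caller that measures a buffer as an auxiliary record has no way to learn that the measurement failed; worth either returning ret or stating in the kernel-doc that failures are only audited.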
On 10/24/19 12:35 PM, Lakshmi Ramasubramanian wrote:
On 10/23/2019 8:47 PM, Nayna Jain wrote:
+/*
+ * The "secure_rules" are enabled only on "secureboot" enabled systems.
+ * These rules verify the file signatures against known good values.
+ * The "appraise_type=ima
On 10/24/19 12:26 PM, Lakshmi Ramasubramanian wrote:
On 10/23/2019 8:47 PM, Nayna Jain wrote:
This patch defines a function to detect the secure boot state of a
PowerNV system.
+bool is_ppc_secureboot_enabled(void)
+{
+ struct device_node *node;
+ bool enabled = false;
+
+ node
On 10/24/19 12:38 PM, Lakshmi Ramasubramanian wrote:
On 10/23/2019 8:47 PM, Nayna Jain wrote:
+bool is_ppc_trustedboot_enabled(void)
+{
+ struct device_node *node;
+ bool enabled = false;
+
+ node = get_ppc_fw_sb_node();
+ enabled = of_property_read_bool(node, "trusted-en
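Review bot: In is_ppc_trustedboot_enabled(), the "= false" initialiser on enabled is dead, because the value is overwritten unconditionally by the of_property_read_bool() call two lines later; drop the initialiser or return the property result directly. If get_ppc_fw_sb_node() hands back a device_node with a reference held, this function also needs a matching of_node_put(node) before returning, which is worth confirming since the helper's contract is not visible here.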
trusted by firmware.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
arch/powerpc/Kconfig | 1 +
security/integrity/Kconfig| 8 ++
security/integrity/Makefile | 4 +-
.../integrity/platform_certs/load_powerpc.c | 86
The handlers to add the keys to the .platform keyring and blacklisted
hashes to the .blacklist keyring are common for both the uefi and powerpc
mechanisms of loading the keys/hashes from the firmware.
This patch moves the common code from load_uefi.c to keyring_handler.c
Signed-off-by: Nayna Jain
. The users shall use this interface for manipulating
the keys stored in the secure variables.
Signed-off-by: Nayna Jain
Reviewed-by: Greg Kroah-Hartman
---
Documentation/ABI/testing/sysfs-secvar | 39 +
arch/powerpc/Kconfig | 11 ++
arch/powerpc/kernel/Makefile
CONFIG_OPAL_SECVAR.
Signed-off-by: Claudio Carvalho
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/opal-api.h | 5 +-
arch/powerpc/include/asm/opal.h | 7 +
arch/powerpc/include/asm/secvar.h| 35 +
arch/powerpc/kernel/Makefile | 2
s feedbacks:
* adds sysfs documentation
* moves sysfs code to arch/powerpc
* other code related feedbacks.
* adds two new patches to load keys to .platform and .blacklist keyring.
These patches are added to this series as they are also dependent on
OPAL APIs.
Nayna Jain (4):
powerpc/powernv: A
This patch updates the arch-specific policies for PowerNV system to make
sure that the binary hash is not blacklisted.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
arch/powerpc/kernel/ima_arch.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc
217cc1152b44b134ce2cd68f12dfb71acb3 ima-buf
sha256:8b58427fedcf8f4b20bc8dc007f2e232bf7285d7b93a66476321f9c2a3aa132
b blacklisted-hash
77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
Signed-off-by: Nayna Jain
---
Documentation/ABI/testing/ima_policy | 4
security/integrity/ima/ima.h | 8 +
The -EKEYREJECTED error returned by existing is_hash_blacklisted() is
misleading when called for checking against blacklisted hash of a
binary.
This patch adds a wrapper function is_binary_blacklisted() to return
-EPERM error if binary is blacklisted.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi
an IMA
hook or as an auxiliary measurement record. In both cases the buffer
measurement is based on policy. This patch modifies the function to
conditionally retrieve the policy defined PCR and template for the IMA
hook case.
Signed-off-by: Nayna Jain
---
security/integrity/ima/ima.h | 3
This patch defines an arch-specific trusted boot only policy and a
combined secure and trusted boot policy.
Signed-off-by: Nayna Jain
---
arch/powerpc/kernel/ima_arch.c | 33 -
1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel
state of a PowerNV system. The state
is used to conditionally enable additional measurement rules in the IMA
arch-specific policies.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/secure_boot.h | 6 ++
arch/powerpc/kernel/secure_boot.c | 26 ++
2 files
define IMA policy
rules based on the runtime secure boot mode of the system.
This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
config is enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 1 +
arch/powerpc/kernel/Makefile | 2 +-
arch/powerpc/kernel
This patch defines a function to detect the secure boot state of a
PowerNV system.
The PPC_SECURE_BOOT config represents the base enablement of secure boot
for powerpc.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 10
arch/powerpc/include/asm/secure_boot.h
ECVAR
* Replaced obj-$(CONFIG_IMA) with obj-$(CONFIG_PPC_SECURE_BOOT) in
arch/powerpc/kernel/Makefile
Nayna Jain (8):
powerpc: detect the secure boot mode of the system
powerpc/ima: add support to initialize ima policy rules
powerpc: detect the trusted boot state of the system
powerpc/ima: define
define IMA policy
rules based on the runtime secure boot mode of the system.
This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
config is enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 1 +
arch/powerpc/kernel/Makefile | 2 +-
arch/powerpc/kernel