From: Srish Srinivasan <ssrish@linux.ibm.com>
To: linux-integrity@vger.kernel.org, linuxppc-dev@lists.ozlabs.org
Cc: maddy@linux.ibm.com, mpe@ellerman.id.au, npiggin@gmail.com,
christophe.leroy@csgroup.eu, naveen@kernel.org,
ajd@linux.ibm.com, zohar@linux.ibm.com, nayna@linux.ibm.com,
rnsastry@linux.ibm.com, linux-kernel@vger.kernel.org
Subject: [PATCH v3 0/3] Enhancements to the secvar interface in static key management mode
Date: Tue, 3 Jun 2025 15:27:33 +0530
Message-ID: <20250603095736.99007-1-ssrish@linux.ibm.com>
The PLPKS enabled Power LPAR sysfs exposes all of the secure boot secure
variables irrespective of the key management mode. There is support for
both static and dynamic key management and the key management mode can
be updated using the management console. The user can modify the secure
boot secvars db, dbx, grubdb, grubdbx, and sbat only in the dynamic key
mode. But the sysfs interface exposes these secvars even in static key
mode. This could lead to errors when reading them or writing to them in
the static key mode.
Update the secvar format property based on the key management mode and
expose only the secure variables relevant to the key management mode.
Enable loading of signed third-party kernel modules in the static key
mode when the platform keystore is enabled.
Changelog:
v3:
* Patch 1:
- Minor changes to the documentation based on feedback from Andrew.
- Added reviewed-by from Andrew.
v2:
* Patch 1:
- Updated plpks_get_sb_keymgmt_mode to handle -ENOENT and -EPERM in
the case of static key management mode, based on feedback from
Andrew.
- Moved the documentation changes relevant to the secvar format
property from Patch 2 to Patch 1.
- Added reviewed-by from Nayna.
* Patch 2:
- Moved the documentation changes relevant to secure variables from
/sys/firmware/secvar/format to
/sys/firmware/secvar/vars/<variable name>.
- Added reviewed-by from Nayna and Andrew.
* Patch 3:
- Added reviewed-by from Nayna and Andrew.
Srish Srinivasan (3):
powerpc/pseries: Correct secvar format representation for static key
management
powerpc/secvar: Expose secvars relevant to the key management mode
integrity/platform_certs: Allow loading of keys in the static key
management mode
Documentation/ABI/testing/sysfs-secvar | 16 ++-
arch/powerpc/platforms/pseries/plpks-secvar.c | 104 ++++++++++++------
.../integrity/platform_certs/load_powerpc.c | 5 +-
3 files changed, 86 insertions(+), 39 deletions(-)
--
2.47.1