From: "Nicholas Piggin" <npiggin@gmail.com>
To: "Andrew Donnellan" <ajd@linux.ibm.com>,
<linuxppc-dev@lists.ozlabs.org>,
<linux-integrity@vger.kernel.org>
Cc: <sudhakar@linux.ibm.com>, <bgray@linux.ibm.com>,
<erichte@linux.ibm.com>, <gregkh@linuxfoundation.org>,
<nayna@linux.ibm.com>, <linux-kernel@vger.kernel.org>,
<zohar@linux.ibm.com>, <gjoyce@linux.ibm.com>,
<ruscur@russell.cc>, <gcwilson@linux.ibm.com>, <joel@jms.id.au>
Subject: Re: [PATCH v4 19/24] powerpc/pseries: Turn PSERIES_PLPKS into a hidden option
Date: Tue, 24 Jan 2023 14:26:16 +1000 [thread overview]
Message-ID: <CQ04W8MPPQT5.KT3IQUOE2YPG@bobo> (raw)
In-Reply-To: <20230120074306.1326298-20-ajd@linux.ibm.com>
On Fri Jan 20, 2023 at 5:43 PM AEST, Andrew Donnellan wrote:
> It seems a bit unnecessary for the PLPKS code to have a user-visible
> config option when it doesn't do anything on its own, and there's existing
> options for enabling Secure Boot-related features.
>
> It should be enabled by PPC_SECURE_BOOT, which will eventually be what
> uses PLPKS to populate keyrings.
>
> However, we can't get of the separate option completely, because it will
> also be used for SED Opal purposes.
>
> Change PSERIES_PLPKS into a hidden option, which is selected by
> PPC_SECURE_BOOT.
>
> Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
> Signed-off-by: Russell Currey <ruscur@russell.cc>
>
> ---
>
> v3: New patch
> ---
> arch/powerpc/Kconfig | 1 +
> arch/powerpc/platforms/pseries/Kconfig | 11 +----------
> 2 files changed, 2 insertions(+), 10 deletions(-)
>
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> index b8c4ac56bddc..d4ed46101bec 100644
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -1029,6 +1029,7 @@ config PPC_SECURE_BOOT
> depends on PPC_POWERNV || PPC_PSERIES
> depends on IMA_ARCH_POLICY
> imply IMA_SECURE_AND_OR_TRUSTED_BOOT
> + select PSERIES_PLPKS if PPC_PSERIES
> help
> Systems with firmware secure boot enabled need to define security
> policies to extend secure boot to the OS. This config allows a user
> diff --git a/arch/powerpc/platforms/pseries/Kconfig b/arch/powerpc/platforms/pseries/Kconfig
> index a3b4d99567cb..82b6f993be0f 100644
> --- a/arch/powerpc/platforms/pseries/Kconfig
> +++ b/arch/powerpc/platforms/pseries/Kconfig
> @@ -151,16 +151,7 @@ config IBMEBUS
>
> config PSERIES_PLPKS
> depends on PPC_PSERIES
> - bool "Support for the Platform Key Storage"
> - help
> - PowerVM provides an isolated Platform Keystore(PKS) storage
> - allocation for each LPAR with individually managed access
> - controls to store sensitive information securely. It can be
> - used to store asymmetric public keys or secrets as required
> - by different usecases. Select this config to enable
> - operating system interface to hypervisor to access this space.
Not a big deal but you could turn this into a small Kconfig comment
instead (people got strangely angry when I tried to just use help text
in hidden options as comments). But if it's easy enough to grep for and
pretty straightforward then maybe it doesn't matter. I like know what
these things do at a glance.
Thanks,
Nick
next prev parent reply other threads:[~2023-01-24 4:26 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-20 7:42 [PATCH v4 00/24] pSeries dynamic secure boot secvar interface + platform keyring loading Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 01/24] powerpc/pseries: Fix handling of PLPKS object flushing timeout Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 02/24] powerpc/pseries: Fix alignment of PLPKS structures and buffers Andrew Donnellan
2023-01-25 13:09 ` Michael Ellerman
2023-01-26 17:19 ` Segher Boessenkool
2023-01-26 17:31 ` David Laight
2023-01-27 3:20 ` Andrew Donnellan
2023-01-27 9:05 ` David Laight
2023-01-27 11:08 ` Michael Ellerman
2023-01-27 10:52 ` Michael Ellerman
2023-01-20 7:42 ` [PATCH v4 03/24] powerpc/secvar: Use u64 in secvar_operations Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 04/24] powerpc/secvar: Warn and error if multiple secvar ops are set Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 05/24] powerpc/secvar: Use sysfs_emit() instead of sprintf() Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 06/24] powerpc/secvar: Handle format string in the consumer Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 07/24] powerpc/secvar: Handle max object size " Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 08/24] powerpc/secvar: Clean up init error messages Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 09/24] powerpc/secvar: Extend sysfs to include config vars Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 10/24] powerpc/secvar: Allow backend to populate static list of variable names Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 11/24] powerpc/secvar: Warn when PAGE_SIZE is smaller than max object size Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 12/24] powerpc/secvar: Don't print error on ENOENT when reading variables Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 13/24] powerpc/pseries: Move plpks.h to include directory Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 14/24] powerpc/pseries: Move PLPKS constants to header file Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 15/24] powerpc/pseries: Expose PLPKS config values, support additional fields Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 16/24] powerpc/pseries: Implement signed update for PLPKS objects Andrew Donnellan
2023-01-24 4:16 ` Nicholas Piggin
2023-01-30 4:43 ` Andrew Donnellan
2023-01-31 4:23 ` Russell Currey
2023-01-20 7:42 ` [PATCH v4 17/24] powerpc/pseries: Log hcall return codes for PLPKS debug Andrew Donnellan
2023-01-20 7:43 ` [PATCH v4 18/24] powerpc/pseries: Make caller pass buffer to plpks_read_var() Andrew Donnellan
2023-01-20 7:43 ` [PATCH v4 19/24] powerpc/pseries: Turn PSERIES_PLPKS into a hidden option Andrew Donnellan
2023-01-24 4:26 ` Nicholas Piggin [this message]
2023-01-20 7:43 ` [PATCH v4 20/24] powerpc/pseries: Add helpers to get PLPKS password Andrew Donnellan
2023-01-20 7:43 ` [PATCH v4 21/24] powerpc/pseries: Pass PLPKS password on kexec Andrew Donnellan
2023-01-24 4:36 ` Nicholas Piggin
2023-01-24 4:40 ` Andrew Donnellan
2023-01-25 3:59 ` Michael Ellerman
2023-01-31 2:43 ` Russell Currey
2023-01-20 7:43 ` [PATCH v4 22/24] powerpc/pseries: Implement secvars for dynamic secure boot Andrew Donnellan
2023-01-24 5:17 ` Nicholas Piggin
2023-01-31 2:54 ` Andrew Donnellan
2023-01-31 4:25 ` Andrew Donnellan
2023-01-31 8:55 ` Nicholas Piggin
2023-02-01 2:15 ` Andrew Donnellan
2023-01-20 7:43 ` [PATCH v4 23/24] integrity/powerpc: Improve error handling & reporting when loading certs Andrew Donnellan
2023-01-24 15:42 ` Mimi Zohar
2023-01-20 7:43 ` [PATCH v4 24/24] integrity/powerpc: Support loading keys from pseries secvar Andrew Donnellan
2023-01-24 5:24 ` Nicholas Piggin
2023-01-24 15:14 ` Mimi Zohar
2023-01-25 0:45 ` Andrew Donnellan
2023-01-25 2:23 ` Russell Currey
2023-01-25 2:47 ` Mimi Zohar
2023-01-31 1:03 ` Andrew Donnellan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CQ04W8MPPQT5.KT3IQUOE2YPG@bobo \
--to=npiggin@gmail.com \
--cc=ajd@linux.ibm.com \
--cc=bgray@linux.ibm.com \
--cc=erichte@linux.ibm.com \
--cc=gcwilson@linux.ibm.com \
--cc=gjoyce@linux.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=joel@jms.id.au \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=nayna@linux.ibm.com \
--cc=ruscur@russell.cc \
--cc=sudhakar@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox