From: Stefan Berger <stefanb@linux.ibm.com>
To: Andrew Donnellan <ajd@linux.ibm.com>,
linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org
Cc: sudhakar@linux.ibm.com, erichte@linux.ibm.com,
gregkh@linuxfoundation.org, nayna@linux.ibm.com,
npiggin@gmail.com, linux-kernel@vger.kernel.org,
zohar@linux.ibm.com, gjoyce@linux.ibm.com, ruscur@russell.cc,
joel@jms.id.au, bgray@linux.ibm.com, brking@linux.ibm.com,
gcwilson@linux.ibm.com
Subject: Re: [PATCH v6 23/26] powerpc/pseries: Pass PLPKS password on kexec
Date: Fri, 10 Feb 2023 15:59:45 -0500 [thread overview]
Message-ID: <07132425-72e5-60d0-765d-223f0f3e7d64@linux.ibm.com> (raw)
In-Reply-To: <20230210080401.345462-24-ajd@linux.ibm.com>
On 2/10/23 03:03, Andrew Donnellan wrote:
> From: Russell Currey <ruscur@russell.cc>
>
> Before interacting with the PLPKS, we ask the hypervisor to generate a
> password for the current boot, which is then required for most further
> PLPKS operations.
>
> If we kexec into a new kernel, the new kernel will try and fail to
> generate a new password, as the password has already been set.
>
> Pass the password through to the new kernel via the device tree, in
> /chosen/ibm,plpks-pw. Check for the presence of this property before
> trying to generate a new password - if it exists, use the existing
> password and remove it from the device tree.
>
> This only works with the kexec_file_load() syscall, not the older
> kexec_load() syscall, however if you're using Secure Boot then you want
> to be using kexec_file_load() anyway.
>
> Signed-off-by: Russell Currey <ruscur@russell.cc>
> Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
>
> ---
>
> v3: New patch
>
> v4: Fix compile when CONFIG_PSERIES_PLPKS=n (snowpatch)
>
> Fix error handling on fdt_path_offset() call (ruscur)
>
> v5: Fix DT property name in commit message (npiggin)
>
> Clear prop in FDT during init to prevent password exposure (mpe)
>
> Rework to remove ifdefs from C code (npiggin)
>
> v6: Rebase on top of 7294194b47e994753a86eee8cf1c61f3f36458a3 and
> fc546faa559538fb312c77e055243ece18ab3288
>
> Whitespace (stefanb)
>
> Use more const (stefanb)
>
> Get rid of FDT extra space allocation for node overhead, as it
> shouldn't be necessary (ruscur)
>
> Note kexec_file_load() restriction in commit message
> ---
> arch/powerpc/include/asm/plpks.h | 14 ++++++
> arch/powerpc/kernel/prom.c | 4 ++
> arch/powerpc/kexec/file_load_64.c | 18 +++++---
> arch/powerpc/platforms/pseries/plpks.c | 61 ++++++++++++++++++++++++++
> 4 files changed, 92 insertions(+), 5 deletions(-)
>
> diff --git a/arch/powerpc/include/asm/plpks.h b/arch/powerpc/include/asm/plpks.h
> index 757313e00521..23b77027c916 100644
> --- a/arch/powerpc/include/asm/plpks.h
> +++ b/arch/powerpc/include/asm/plpks.h
> @@ -176,6 +176,20 @@ u64 plpks_get_signedupdatealgorithms(void);
> */
> u16 plpks_get_passwordlen(void);
>
> +/**
> + * Called in early init to retrieve and clear the PLPKS password from the DT.
> + */
> +void plpks_early_init_devtree(void);
> +
> +/**
> + * Populates the FDT with the PLPKS password to prepare for kexec.
> + */
> +int plpks_populate_fdt(void *fdt);
> +#else // CONFIG_PSERIES_PLPKS
> +static inline bool plpks_is_available(void) { return false; }
> +static inline u16 plpks_get_passwordlen(void) { BUILD_BUG(); }
> +static inline void plpks_early_init_devtree(void) { }
> +static inline int plpks_populate_fdt(void *fdt) { BUILD_BUG(); }
> #endif // CONFIG_PSERIES_PLPKS
>
> #endif // _ASM_POWERPC_PLPKS_H
> diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c
> index 4f1c920aa13e..8a13b378770f 100644
> --- a/arch/powerpc/kernel/prom.c
> +++ b/arch/powerpc/kernel/prom.c
> @@ -56,6 +56,7 @@
> #include <asm/drmem.h>
> #include <asm/ultravisor.h>
> #include <asm/prom.h>
> +#include <asm/plpks.h>
>
> #include <mm/mmu_decl.h>
>
> @@ -893,6 +894,9 @@ void __init early_init_devtree(void *params)
> powerpc_firmware_features |= FW_FEATURE_PS3_POSSIBLE;
> #endif
>
> + /* If kexec left a PLPKS password in the DT, get it and clear it */
> + plpks_early_init_devtree();
> +
> tm_init();
>
> DBG(" <- early_init_devtree()\n");
> diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
> index 52085751f5f4..8a9469e1ce71 100644
> --- a/arch/powerpc/kexec/file_load_64.c
> +++ b/arch/powerpc/kexec/file_load_64.c
> @@ -27,6 +27,7 @@
> #include <asm/kexec_ranges.h>
> #include <asm/crashdump-ppc64.h>
> #include <asm/prom.h>
> +#include <asm/plpks.h>
>
> struct umem_info {
> u64 *buf; /* data buffer for usable-memory property */
> @@ -977,12 +978,17 @@ static unsigned int cpu_node_size(void)
> */
> unsigned int kexec_extra_fdt_size_ppc64(struct kimage *image)
> {
> - unsigned int cpu_nodes, extra_size;
> + unsigned int cpu_nodes, extra_size = 0;
> struct device_node *dn;
> u64 usm_entries;
>
> + // Budget some space for the password blob. There's already extra space
> + // for the key name
> + if (plpks_is_available())
> + extra_size += (unsigned int)plpks_get_passwordlen();
> +
> if (image->type != KEXEC_TYPE_CRASH)
> - return 0;
> + return extra_size;
>
> /*
> * For kdump kernel, account for linux,usable-memory and
> @@ -992,9 +998,7 @@ unsigned int kexec_extra_fdt_size_ppc64(struct kimage *image)
> if (drmem_lmb_size()) {
> usm_entries = ((memory_hotplug_max() / drmem_lmb_size()) +
> (2 * (resource_size(&crashk_res) / drmem_lmb_size())));
> - extra_size = (unsigned int)(usm_entries * sizeof(u64));
> - } else {
> - extra_size = 0;
> + extra_size += (unsigned int)(usm_entries * sizeof(u64));
> }
>
> /*
> @@ -1233,6 +1237,10 @@ int setup_new_fdt_ppc64(const struct kimage *image, void *fdt,
> }
> }
>
> + // If we have PLPKS active, we need to provide the password to the new kernel
> + if (plpks_is_available())
> + ret = plpks_populate_fdt(fdt);
> +
> out:
> kfree(rmem);
> kfree(umem);
> diff --git a/arch/powerpc/platforms/pseries/plpks.c b/arch/powerpc/platforms/pseries/plpks.c
> index 671a10acaebf..cdf09e5bd741 100644
> --- a/arch/powerpc/platforms/pseries/plpks.c
> +++ b/arch/powerpc/platforms/pseries/plpks.c
> @@ -16,6 +16,9 @@
> #include <linux/slab.h>
> #include <linux/string.h>
> #include <linux/types.h>
> +#include <linux/of_fdt.h>
> +#include <linux/libfdt.h>
> +#include <linux/memblock.h>
> #include <asm/hvcall.h>
> #include <asm/machdep.h>
> #include <asm/plpks.h>
> @@ -128,6 +131,12 @@ static int plpks_gen_password(void)
> u8 *password, consumer = PLPKS_OS_OWNER;
> int rc;
>
> + // If we booted from kexec, we could be reusing an existing password already
> + if (ospassword) {
> + pr_debug("Password of length %u already in use\n", ospasswordlength);
> + return 0;
> + }
> +
> // The password must not cross a page boundary, so we align to the next power of 2
> password = kzalloc(roundup_pow_of_two(maxpwsize), GFP_KERNEL);
> if (!password)
> @@ -621,6 +630,58 @@ int plpks_read_bootloader_var(struct plpks_var *var)
> return plpks_read_var(PLPKS_BOOTLOADER_OWNER, var);
> }
>
> +int plpks_populate_fdt(void *fdt)
> +{
> + int chosen_offset = fdt_path_offset(fdt, "/chosen");
> +
> + if (chosen_offset < 0) {
> + pr_err("Can't find chosen node: %s\n",
> + fdt_strerror(chosen_offset));
> + return chosen_offset;
> + }
> +
> + return fdt_setprop(fdt, chosen_offset, "ibm,plpks-pw", ospassword, ospasswordlength);
> +}
> +
> +// Once a password is registered with the hypervisor it cannot be cleared without
> +// rebooting the LPAR, so to keep using the PLPKS across kexec boots we need to
> +// recover the previous password from the FDT.
> +//
> +// There are a few challenges here. We don't want the password to be visible to
> +// users, so we need to clear it from the FDT. This has to be done in early boot.
> +// Clearing it from the FDT would make the FDT's checksum invalid, so we have to
> +// manually cause the checksum to be recalculated.
> +void __init plpks_early_init_devtree(void)
> +{
> + void *fdt = initial_boot_params;
> + int chosen_node = fdt_path_offset(fdt, "/chosen");
> + const u8 *password;
> + int len;
> +
> + if (chosen_node < 0)
> + return;
> +
> + password = fdt_getprop(fdt, chosen_node, "ibm,plpks-pw", &len);
> + if (len <= 0) {
> + pr_debug("Couldn't find ibm,plpks-pw node.\n");
> + return;
> + }
> +
> + ospassword = memblock_alloc_raw(len, SMP_CACHE_BYTES);
> + if (!ospassword) {
> + pr_err("Error allocating memory for password.\n");
> + goto out;
> + }
> +
> + memcpy(ospassword, password, len);
> + ospasswordlength = (u16)len;
> +
> +out:
> + fdt_nop_property(fdt, chosen_node, "ibm,plpks-pw");
> + // Since we've cleared the password, we must update the FDT checksum
> + early_init_dt_verify(fdt);
> +}
> +
> static __init int pseries_plpks_init(void)
> {
> int rc;
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
next prev parent reply other threads:[~2023-02-10 21:00 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-10 8:03 [PATCH v6 00/26] pSeries dynamic secure boot secvar interface + platform keyring loading Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 01/26] powerpc/pseries: Fix handling of PLPKS object flushing timeout Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 02/26] powerpc/pseries: Fix alignment of PLPKS structures and buffers Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 03/26] powerpc/secvar: Fix incorrect return in secvar_sysfs_load() Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 04/26] powerpc/secvar: Use u64 in secvar_operations Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 05/26] powerpc/secvar: Warn and error if multiple secvar ops are set Andrew Donnellan
2023-02-10 20:51 ` Stefan Berger
2023-02-10 8:03 ` [PATCH v6 06/26] powerpc/secvar: Use sysfs_emit() instead of sprintf() Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 07/26] powerpc/secvar: Handle format string in the consumer Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 08/26] powerpc/secvar: Handle max object size " Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 09/26] powerpc/secvar: Clean up init error messages Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 10/26] powerpc/secvar: Extend sysfs to include config vars Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 11/26] powerpc/secvar: Allow backend to populate static list of variable names Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 12/26] powerpc/secvar: Warn when PAGE_SIZE is smaller than max object size Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 13/26] powerpc/secvar: Don't print error on ENOENT when reading variables Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 14/26] powerpc/pseries: Move plpks.h to include directory Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 15/26] powerpc/pseries: Move PLPKS constants to header file Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 16/26] powerpc/pseries: Expose PLPKS config values, support additional fields Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 17/26] powerpc/pseries: Implement signed update for PLPKS objects Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 18/26] powerpc/pseries: Log hcall return codes for PLPKS debug Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 19/26] powerpc/pseries: Make caller pass buffer to plpks_read_var() Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 20/26] powerpc/pseries: Turn PSERIES_PLPKS into a hidden option Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 21/26] powerpc/pseries: Clarify warning when PLPKS password already set Andrew Donnellan
2023-02-10 20:47 ` Stefan Berger
2023-02-12 13:26 ` Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 22/26] powerpc/pseries: Add helper to get PLPKS password length Andrew Donnellan
2023-02-10 8:03 ` [PATCH v6 23/26] powerpc/pseries: Pass PLPKS password on kexec Andrew Donnellan
2023-02-10 20:59 ` Stefan Berger [this message]
2023-02-10 8:03 ` [PATCH v6 24/26] powerpc/pseries: Implement secvars for dynamic secure boot Andrew Donnellan
2023-02-10 21:23 ` Stefan Berger
2023-02-10 21:28 ` Stefan Berger
2023-02-12 13:33 ` Andrew Donnellan
2023-02-13 5:26 ` Michael Ellerman
2023-02-13 7:07 ` Andrew Donnellan
2023-02-13 7:06 ` Andrew Donnellan
2023-02-13 11:32 ` Michael Ellerman
2023-02-13 13:52 ` Stefan Berger
2023-02-14 6:07 ` Andrew Donnellan
2023-02-15 11:46 ` Michael Ellerman
2023-02-10 8:04 ` [PATCH v6 25/26] integrity/powerpc: Improve error handling & reporting when loading certs Andrew Donnellan
2023-02-10 8:04 ` [PATCH v6 26/26] integrity/powerpc: Support loading keys from PLPKS Andrew Donnellan
2023-02-15 12:41 ` [PATCH v6 00/26] pSeries dynamic secure boot secvar interface + platform keyring loading Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=07132425-72e5-60d0-765d-223f0f3e7d64@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=ajd@linux.ibm.com \
--cc=bgray@linux.ibm.com \
--cc=brking@linux.ibm.com \
--cc=erichte@linux.ibm.com \
--cc=gcwilson@linux.ibm.com \
--cc=gjoyce@linux.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=joel@jms.id.au \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=nayna@linux.ibm.com \
--cc=npiggin@gmail.com \
--cc=ruscur@russell.cc \
--cc=sudhakar@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).