From: "Nicholas Piggin" <npiggin@gmail.com>
To: "Andrew Donnellan" <ajd@linux.ibm.com>,
<linuxppc-dev@lists.ozlabs.org>,
<linux-integrity@vger.kernel.org>
Cc: gjoyce@linux.ibm.com, erichte@linux.ibm.com,
gregkh@linuxfoundation.org, nayna@linux.ibm.com,
linux-kernel@vger.kernel.org, zohar@linux.ibm.com,
sudhakar@linux.ibm.com, ruscur@russell.cc, joel@jms.id.au,
bgray@linux.ibm.com, gcwilson@linux.ibm.com
Subject: Re: [PATCH v4 16/24] powerpc/pseries: Implement signed update for PLPKS objects
Date: Tue, 24 Jan 2023 14:16:24 +1000 [thread overview]
Message-ID: <CQ04OOT6CW1A.MCLZN2B4BTWK@bobo> (raw)
In-Reply-To: <20230120074306.1326298-17-ajd@linux.ibm.com>
On Fri Jan 20, 2023 at 5:42 PM AEST, Andrew Donnellan wrote:
> From: Nayna Jain <nayna@linux.ibm.com>
>
> The Platform Keystore provides a signed update interface which can be used
> to create, replace or append to certain variables in the PKS in a secure
> fashion, with the hypervisor requiring that the update be signed using the
> Platform Key.
>
> Implement an interface to the H_PKS_SIGNED_UPDATE hcall in the plpks
> driver to allow signed updates to PKS objects.
>
> (The plpks driver doesn't need to do any cryptography or otherwise handle
> the actual signed variable contents - that will be handled by userspace
> tooling.)
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> [ajd: split patch, add timeout handling and misc cleanups]
> Co-developed-by: Andrew Donnellan <ajd@linux.ibm.com>
> Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
> Signed-off-by: Russell Currey <ruscur@russell.cc>
>
> ---
>
> v3: Merge plpks fixes and signed update series with secvar series
>
> Fix error code handling in plpks_confirm_object_flushed() (ruscur)
>
> Pass plpks_var struct to plpks_signed_update_var() by reference (mpe)
>
> Consistent constant naming scheme (ruscur)
>
> v4: Fix MAX_HCALL_OPCODE rebasing issue (npiggin)
> ---
> arch/powerpc/include/asm/hvcall.h | 1 +
> arch/powerpc/include/asm/plpks.h | 5 ++
> arch/powerpc/platforms/pseries/plpks.c | 71 ++++++++++++++++++++++++--
> 3 files changed, 72 insertions(+), 5 deletions(-)
>
> diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
> index 95fd7f9485d5..c099780385dd 100644
> --- a/arch/powerpc/include/asm/hvcall.h
> +++ b/arch/powerpc/include/asm/hvcall.h
> @@ -335,6 +335,7 @@
> #define H_RPT_INVALIDATE 0x448
> #define H_SCM_FLUSH 0x44C
> #define H_GET_ENERGY_SCALE_INFO 0x450
> +#define H_PKS_SIGNED_UPDATE 0x454
> #define H_WATCHDOG 0x45C
> #define MAX_HCALL_OPCODE H_WATCHDOG
>
> diff --git a/arch/powerpc/include/asm/plpks.h b/arch/powerpc/include/asm/plpks.h
> index 7c5f51a9af7c..e7204e6c0ca4 100644
> --- a/arch/powerpc/include/asm/plpks.h
> +++ b/arch/powerpc/include/asm/plpks.h
> @@ -68,6 +68,11 @@ struct plpks_var_name_list {
> struct plpks_var_name varlist[];
> };
>
> +/**
> + * Updates the authenticated variable. It expects NULL as the component.
> + */
> +int plpks_signed_update_var(struct plpks_var *var, u64 flags);
> +
> /**
> * Writes the specified var and its data to PKS.
> * Any caller of PKS driver should present a valid component type for
> diff --git a/arch/powerpc/platforms/pseries/plpks.c b/arch/powerpc/platforms/pseries/plpks.c
> index 1189246b03dc..796ed5544ee5 100644
> --- a/arch/powerpc/platforms/pseries/plpks.c
> +++ b/arch/powerpc/platforms/pseries/plpks.c
> @@ -81,6 +81,12 @@ static int pseries_status_to_err(int rc)
> err = -ENOENT;
> break;
> case H_BUSY:
> + case H_LONG_BUSY_ORDER_1_MSEC:
> + case H_LONG_BUSY_ORDER_10_MSEC:
> + case H_LONG_BUSY_ORDER_100_MSEC:
> + case H_LONG_BUSY_ORDER_1_SEC:
> + case H_LONG_BUSY_ORDER_10_SEC:
> + case H_LONG_BUSY_ORDER_100_SEC:
> err = -EBUSY;
> break;
> case H_AUTHORITY:
This is a bit sad to maintain here. It's duplicating bits with
hvcs_convert, and a bunch of open coded places. Probably not the
series to do anything about. Would be nice if we could standardise
it though.
> @@ -184,14 +190,17 @@ static struct label *construct_label(char *component, u8 varos, u8 *name,
> u16 namelen)
> {
> struct label *label;
> - size_t slen;
> + size_t slen = 0;
>
> if (!name || namelen > PLPKS_MAX_NAME_SIZE)
> return ERR_PTR(-EINVAL);
>
> - slen = strlen(component);
> - if (component && slen > sizeof(label->attr.prefix))
> - return ERR_PTR(-EINVAL);
> + // Support NULL component for signed updates
> + if (component) {
> + slen = strlen(component);
> + if (slen > sizeof(label->attr.prefix))
> + return ERR_PTR(-EINVAL);
> + }
Is this already a bug? Code checks for component != NULL but previously
calls strlen which would oops on NULL component AFAIKS. Granted nothing
is actually using any of this these days.
It already seems like it's supposed to be allowed to rad NULL component
with read_var though? Why the differences, why not always allow NULL
component? (I assume there is some reason, I just don't know anything
about secvar or secure boot).
>
> // The label structure must not cross a page boundary, so we align to the next power of 2
> label = kzalloc(roundup_pow_of_two(sizeof(*label)), GFP_KERNEL);
> @@ -397,6 +406,58 @@ static int plpks_confirm_object_flushed(struct label *label,
> return pseries_status_to_err(rc);
> }
>
> +int plpks_signed_update_var(struct plpks_var *var, u64 flags)
> +{
> + unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0};
> + int rc;
> + struct label *label;
> + struct plpks_auth *auth;
> + u64 continuetoken = 0;
> + u64 timeout = 0;
> +
> + if (!var->data || var->datalen <= 0 || var->namelen > PLPKS_MAX_NAME_SIZE)
> + return -EINVAL;
> +
> + if (!(var->policy & PLPKS_SIGNEDUPDATE))
> + return -EINVAL;
> +
> + auth = construct_auth(PLPKS_OS_OWNER);
> + if (IS_ERR(auth))
> + return PTR_ERR(auth);
> +
> + label = construct_label(var->component, var->os, var->name, var->namelen);
> + if (IS_ERR(label)) {
> + rc = PTR_ERR(label);
> + goto out;
> + }
> +
> + do {
> + rc = plpar_hcall9(H_PKS_SIGNED_UPDATE, retbuf,
> + virt_to_phys(auth), virt_to_phys(label),
> + label->size, var->policy, flags,
> + virt_to_phys(var->data), var->datalen,
> + continuetoken);
> +
> + continuetoken = retbuf[0];
> + if (pseries_status_to_err(rc) == -EBUSY) {
> + int delay_ms = get_longbusy_msecs(rc);
> + mdelay(delay_ms);
> + timeout += delay_ms;
> + }
> + rc = pseries_status_to_err(rc);
> + } while (rc == -EBUSY && timeout < PLPKS_MAX_TIMEOUT);
> +
> + if (!rc)
> + rc = plpks_confirm_object_flushed(label, auth);
> +
> + kfree(label);
> +out:
> + kfree(auth);
> +
> + return rc;
> +}
> +EXPORT_SYMBOL(plpks_signed_update_var);
Sorry I missed it before -- can this be a _GPL export?
Thanks,
Nick
next prev parent reply other threads:[~2023-01-24 4:17 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-20 7:42 [PATCH v4 00/24] pSeries dynamic secure boot secvar interface + platform keyring loading Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 01/24] powerpc/pseries: Fix handling of PLPKS object flushing timeout Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 02/24] powerpc/pseries: Fix alignment of PLPKS structures and buffers Andrew Donnellan
2023-01-25 13:09 ` Michael Ellerman
2023-01-26 17:19 ` Segher Boessenkool
2023-01-26 17:31 ` David Laight
2023-01-27 3:20 ` Andrew Donnellan
2023-01-27 9:05 ` David Laight
2023-01-27 11:08 ` Michael Ellerman
2023-01-27 10:52 ` Michael Ellerman
2023-01-20 7:42 ` [PATCH v4 03/24] powerpc/secvar: Use u64 in secvar_operations Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 04/24] powerpc/secvar: Warn and error if multiple secvar ops are set Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 05/24] powerpc/secvar: Use sysfs_emit() instead of sprintf() Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 06/24] powerpc/secvar: Handle format string in the consumer Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 07/24] powerpc/secvar: Handle max object size " Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 08/24] powerpc/secvar: Clean up init error messages Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 09/24] powerpc/secvar: Extend sysfs to include config vars Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 10/24] powerpc/secvar: Allow backend to populate static list of variable names Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 11/24] powerpc/secvar: Warn when PAGE_SIZE is smaller than max object size Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 12/24] powerpc/secvar: Don't print error on ENOENT when reading variables Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 13/24] powerpc/pseries: Move plpks.h to include directory Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 14/24] powerpc/pseries: Move PLPKS constants to header file Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 15/24] powerpc/pseries: Expose PLPKS config values, support additional fields Andrew Donnellan
2023-01-20 7:42 ` [PATCH v4 16/24] powerpc/pseries: Implement signed update for PLPKS objects Andrew Donnellan
2023-01-24 4:16 ` Nicholas Piggin [this message]
2023-01-30 4:43 ` Andrew Donnellan
2023-01-31 4:23 ` Russell Currey
2023-01-20 7:42 ` [PATCH v4 17/24] powerpc/pseries: Log hcall return codes for PLPKS debug Andrew Donnellan
2023-01-20 7:43 ` [PATCH v4 18/24] powerpc/pseries: Make caller pass buffer to plpks_read_var() Andrew Donnellan
2023-01-20 7:43 ` [PATCH v4 19/24] powerpc/pseries: Turn PSERIES_PLPKS into a hidden option Andrew Donnellan
2023-01-24 4:26 ` Nicholas Piggin
2023-01-20 7:43 ` [PATCH v4 20/24] powerpc/pseries: Add helpers to get PLPKS password Andrew Donnellan
2023-01-20 7:43 ` [PATCH v4 21/24] powerpc/pseries: Pass PLPKS password on kexec Andrew Donnellan
2023-01-24 4:36 ` Nicholas Piggin
2023-01-24 4:40 ` Andrew Donnellan
2023-01-25 3:59 ` Michael Ellerman
2023-01-31 2:43 ` Russell Currey
2023-01-20 7:43 ` [PATCH v4 22/24] powerpc/pseries: Implement secvars for dynamic secure boot Andrew Donnellan
2023-01-24 5:17 ` Nicholas Piggin
2023-01-31 2:54 ` Andrew Donnellan
2023-01-31 4:25 ` Andrew Donnellan
2023-01-31 8:55 ` Nicholas Piggin
2023-02-01 2:15 ` Andrew Donnellan
2023-01-20 7:43 ` [PATCH v4 23/24] integrity/powerpc: Improve error handling & reporting when loading certs Andrew Donnellan
2023-01-24 15:42 ` Mimi Zohar
2023-01-20 7:43 ` [PATCH v4 24/24] integrity/powerpc: Support loading keys from pseries secvar Andrew Donnellan
2023-01-24 5:24 ` Nicholas Piggin
2023-01-24 15:14 ` Mimi Zohar
2023-01-25 0:45 ` Andrew Donnellan
2023-01-25 2:23 ` Russell Currey
2023-01-25 2:47 ` Mimi Zohar
2023-01-31 1:03 ` Andrew Donnellan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CQ04OOT6CW1A.MCLZN2B4BTWK@bobo \
--to=npiggin@gmail.com \
--cc=ajd@linux.ibm.com \
--cc=bgray@linux.ibm.com \
--cc=erichte@linux.ibm.com \
--cc=gcwilson@linux.ibm.com \
--cc=gjoyce@linux.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=joel@jms.id.au \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=nayna@linux.ibm.com \
--cc=ruscur@russell.cc \
--cc=sudhakar@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).