On Wed, Jul 15, 2020 at 07:52:01AM -0400, Nayna Jain wrote:
> The device-tree property to check secure and trusted boot state is
> different for guests(pseries) compared to baremetal(powernv).
>
> This patch updates the existing is_ppc_secureboot_enabled() and
> is_ppc_trustedboot_enabled() functions to add support for pseries.
>
> The secureboot and trustedboot state are exposed via device-tree property:
> /proc/device-tree/ibm,secure-boot and /proc/device-tree/ibm,trusted-boot
>
> The values of ibm,secure-boot under pseries are interpreted as:
^^^
>
> 0 - Disabled
> 1 - Enabled in Log-only mode. This patch interprets this value as
> disabled, since audit mode is currently not supported for Linux.
> 2 - Enabled and enforced.
> 3-9 - Enabled and enforcing; requirements are at the discretion of the
> operating system.
>
> The values of ibm,trusted-boot under pseries are interpreted as:
^^^
These two should be different I suppose?

Thanks

Michal

> 0 - Disabled
> 1 - Enabled
>
> Signed-off-by: Nayna Jain <na...@linux.ibm.com>
> Reviewed-by: Daniel Axtens <d...@axtens.net>
> ---
> v3:
> * fixed double check. Thanks Daniel for noticing it.
> * updated patch description.
>
> v2:
> * included Michael Ellerman's feedback.
> * added Daniel Axtens's Reviewed-by.
>
> arch/powerpc/kernel/secure_boot.c | 19 +++++++++++++++++-- > 1 file changed, 17 insertions(+), 2 deletions(-) > > diff --git a/arch/powerpc/kernel/secure_boot.c > b/arch/powerpc/kernel/secure_boot.c > index 4b982324d368..118bcb5f79c4 100644 > --- a/arch/powerpc/kernel/secure_boot.c > +++ b/arch/powerpc/kernel/secure_boot.c > @@ -6,6 +6,7 @@ > #include <linux/types.h> > #include <linux/of.h> > #include <asm/secure_boot.h> > +#include <asm/machdep.h> > > static struct device_node *get_ppc_fw_sb_node(void) > { > @@ -23,12 +24,19 @@ bool is_ppc_secureboot_enabled(void) > { > struct device_node *node; > bool enabled = false; > + u32 secureboot; > > node = get_ppc_fw_sb_node(); > enabled = of_property_read_bool(node, "os-secureboot-enforcing"); > - > of_node_put(node); > > + if (enabled) > + goto out; > + > + if (!of_property_read_u32(of_root, "ibm,secure-boot", &secureboot)) > + enabled = (secureboot > 1); > + > +out: > pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled"); > > return enabled; > @@ -38,12 +46,19 @@ bool is_ppc_trustedboot_enabled(void) > { > struct device_node *node; > bool enabled = false; > + u32 trustedboot; > > node = get_ppc_fw_sb_node(); > enabled = of_property_read_bool(node, "trusted-enabled"); > - > of_node_put(node); > > + if (enabled) > + goto out; > + > + if (!of_property_read_u32(of_root, "ibm,trusted-boot", &trustedboot)) > + enabled = (trustedboot > 0); > + > +out: > pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled"); > > return enabled; > -- > 2.26.2 >
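
Review bot: The new `#include <asm/machdep.h>` in the first hunk does not appear to be needed by anything the other two hunks add; the added lines use only of_property_read_u32() and of_root. If the include is left over from the check that v3 removed, drop it, otherwise say in the description what it is for.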
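
Review bot: In is_ppc_secureboot_enabled(), `enabled = (secureboot > 1);` carries the whole policy from the description (1 is log-only and treated as disabled, 2 and above enforce) as a bare constant with no comment. A one-line comment or a named constant at that line would keep the audit-mode decision visible in the code. As written, pr_info() prints "disabled" for value 1, so the boot log cannot tell log-only from off, and the comparison also accepts values above 9, which the description does not define; please state whether that is intended.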
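
Review bot: In is_ppc_trustedboot_enabled(), `if (enabled) goto out;` jumps over a single statement and repeats the pattern from the secure boot function; folding it into `if (!enabled && !of_property_read_u32(of_root, "ibm,trusted-boot", &trustedboot))` removes the label in both places. Separately, `enabled = (trustedboot > 0);` treats every non-zero value as enabled while the description lists only 0 and 1, so a comment on how other values are meant to be handled would help.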
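
The value tables in the patch description, as an added userspace check for auditing a guest (example code, not part of the patch or the kernel). The enum and function names are hypothetical, and unlike the patch this example reports values outside the documented ranges as unknown instead of enabled.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

enum boot_state { ST_UNKNOWN = -1, ST_DISABLED, ST_LOG_ONLY, ST_ENABLED };

/* A device-tree cell is one 32-bit big-endian word; anything else is malformed. */
static int cell_to_u32(const unsigned char *p, size_t len, uint32_t *out)
{
    if (len != 4)
        return -1;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 0;
}

/* ibm,secure-boot: 0 disabled, 1 log-only, 2-9 enforcing (per the description). */
enum boot_state secure_boot_state(const unsigned char *p, size_t len)
{
    uint32_t v = 0;

    if (cell_to_u32(p, len, &v))
        return ST_UNKNOWN;
    if (v <= 1)
        return v ? ST_LOG_ONLY : ST_DISABLED;
    return v <= 9 ? ST_ENABLED : ST_UNKNOWN; /* above 9 is undocumented */
}

/* ibm,trusted-boot: 0 disabled, 1 enabled; other values are undocumented. */
enum boot_state trusted_boot_state(const unsigned char *p, size_t len)
{
    uint32_t v = 0;

    if (cell_to_u32(p, len, &v) || v > 1)
        return ST_UNKNOWN;
    return v ? ST_ENABLED : ST_DISABLED;
}

int main(void)
{
    const char *paths[2] = { "/proc/device-tree/ibm,secure-boot",
                             "/proc/device-tree/ibm,trusted-boot" };
    for (int i = 0; i < 2; i++) {
        unsigned char b[8]; /* read more than 4 bytes so an overlong value is caught */
        FILE *f = fopen(paths[i], "rb");
        size_t n = f ? fread(b, 1, sizeof b, f) : 0;
        if (f)
            fclose(f);
        printf("%s: %d\n", paths[i],
               i ? trusted_boot_state(b, n) : secure_boot_state(b, n));
    }
    return 0;
}
```

A missing property (for example on a machine that is not a pseries guest) reads as zero bytes and is reported as unknown, which keeps "absent" distinct from an explicit 0.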