On Fri Jan 20, 2023 at 5:43 PM AEST, Andrew Donnellan wrote: > It seems a bit unnecessary for the PLPKS code to have a user-visible > config option when it doesn't do anything on its own, and there's existing > options for enabling Secure Boot-related features. > > It should be enabled by PPC_SECURE_BOOT, which will eventually be what > uses PLPKS to populate keyrings. > > However, we can't get of the separate option completely, because it will > also be used for SED Opal purposes. > > Change PSERIES_PLPKS into a hidden option, which is selected by > PPC_SECURE_BOOT. > > Signed-off-by: Andrew Donnellan <a...@linux.ibm.com> > Signed-off-by: Russell Currey <rus...@russell.cc> > > --- > > v3: New patch > --- > arch/powerpc/Kconfig | 1 + > arch/powerpc/platforms/pseries/Kconfig | 11 +---------- > 2 files changed, 2 insertions(+), 10 deletions(-) > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > index b8c4ac56bddc..d4ed46101bec 100644 > --- a/arch/powerpc/Kconfig > +++ b/arch/powerpc/Kconfig > @@ -1029,6 +1029,7 @@ config PPC_SECURE_BOOT > depends on PPC_POWERNV || PPC_PSERIES > depends on IMA_ARCH_POLICY > imply IMA_SECURE_AND_OR_TRUSTED_BOOT > + select PSERIES_PLPKS if PPC_PSERIES > help > Systems with firmware secure boot enabled need to define security > policies to extend secure boot to the OS. This config allows a user > diff --git a/arch/powerpc/platforms/pseries/Kconfig > b/arch/powerpc/platforms/pseries/Kconfig > index a3b4d99567cb..82b6f993be0f 100644 > --- a/arch/powerpc/platforms/pseries/Kconfig > +++ b/arch/powerpc/platforms/pseries/Kconfig > @@ -151,16 +151,7 @@ config IBMEBUS > > config PSERIES_PLPKS > depends on PPC_PSERIES > - bool "Support for the Platform Key Storage" > - help > - PowerVM provides an isolated Platform Keystore(PKS) storage > - allocation for each LPAR with individually managed access > - controls to store sensitive information securely. It can be > - used to store asymmetric public keys or secrets as required > - by different usecases. Select this config to enable > - operating system interface to hypervisor to access this space.
Not a big deal but you could turn this into a small Kconfig comment instead (people got strangely angry when I tried to just use help text in hidden options as comments). But if it's easy enough to grep for and pretty straightforward then maybe it doesn't matter. I like know what these things do at a glance. Thanks, Nick
