Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
On Wed, 2023-09-13 at 13:15 -0600, Jens Axboe wrote: > On 9/13/23 12:59 PM, Nathan Chancellor wrote: > > Hi Greg, > > > > On Fri, Sep 08, 2023 at 10:30:56AM -0500, gjo...@linux.vnet.ibm.com > > wrote: > > > From: Greg Joyce > > > > > > Define operations for SED Opal to read/write keys > > > from POWER LPAR Platform KeyStore(PLPKS). This allows > > > non-volatile storage of SED Opal keys. > > > > > > Signed-off-by: Greg Joyce > > > Reviewed-by: Jonathan Derrick > > > Reviewed-by: Hannes Reinecke > > > > After this change in -next as commit 9f2c7411ada9 > > ("powerpc/pseries: > > PLPKS SED Opal keystore support"), I see the following crash when > > booting some distribution configurations, such as OpenSUSE's [1] > > (the > > rootfs is available at [2] if necessary): > > I'll drop the series for now - I didn't push out the main branch just > yet as I don't publish the block next tree until at least at -rc2 > time, > so it's just in a private branch for now. > Agreed. I need to figure out: 1) best place to use plpks_is_available() to prevent a crash when PLPKS is not present in pseries. 2) Resolve issues compiling with clang 3) declare plpks_init_var() as static Greg
Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
Michal Suchánek writes: > Hello, > > On Thu, Sep 14, 2023 at 02:13:32PM +1000, Michael Ellerman wrote: >> Nathan Chancellor writes: >> > Hi Greg, >> > >> > On Fri, Sep 08, 2023 at 10:30:56AM -0500, gjo...@linux.vnet.ibm.com wrote: >> >> From: Greg Joyce >> >> >> >> Define operations for SED Opal to read/write keys >> >> from POWER LPAR Platform KeyStore(PLPKS). This allows >> >> non-volatile storage of SED Opal keys. >> >> >> >> Signed-off-by: Greg Joyce >> >> Reviewed-by: Jonathan Derrick >> >> Reviewed-by: Hannes Reinecke >> > >> > After this change in -next as commit 9f2c7411ada9 ("powerpc/pseries: >> > PLPKS SED Opal keystore support"), I see the following crash when >> > booting some distribution configurations, such as OpenSUSE's [1] (the >> > rootfs is available at [2] if necessary): >> >> Thanks for testing Nathan. >> >> The code needs to check plpks_is_available() somewhere, before calling >> the plpks routines. > > would this fixup do it? > > I don't really see any other place to plug the check with the current > code structure. I think the plpks_sed code should call plpks_is_available() once at init time and cache the result. Otherwise it's will be doing an extra hcall (in _plpks_get_config()) for every call, which would be wasteful. cheers > diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c > b/arch/powerpc/platforms/pseries/plpks_sed_ops.c > index c1d08075e850..f8038d998eae 100644 > --- a/arch/powerpc/platforms/pseries/plpks_sed_ops.c > +++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c > @@ -64,6 +64,9 @@ int sed_read_key(char *keyname, char *key, u_int *keylen) > int ret; > u_int len; > > + if (!plpks_is_available()) > + return -ENODEV; > + > plpks_init_var(&var, keyname); > var.data = (u8 *)&data; > var.datalen = sizeof(data); > @@ -89,6 +92,9 @@ int sed_write_key(char *keyname, char *key, u_int keylen) > struct plpks_sed_object_data data; > struct plpks_var_name vname; > > + if (!plpks_is_available()) > + return -ENODEV; > + > plpks_init_var(&var, keyname); > > var.datalen = sizeof(struct plpks_sed_object_data); > -- > 2.41.0
Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
Hello, On Thu, Sep 14, 2023 at 02:13:32PM +1000, Michael Ellerman wrote: > Nathan Chancellor writes: > > Hi Greg, > > > > On Fri, Sep 08, 2023 at 10:30:56AM -0500, gjo...@linux.vnet.ibm.com wrote: > >> From: Greg Joyce > >> > >> Define operations for SED Opal to read/write keys > >> from POWER LPAR Platform KeyStore(PLPKS). This allows > >> non-volatile storage of SED Opal keys. > >> > >> Signed-off-by: Greg Joyce > >> Reviewed-by: Jonathan Derrick > >> Reviewed-by: Hannes Reinecke > > > > After this change in -next as commit 9f2c7411ada9 ("powerpc/pseries: > > PLPKS SED Opal keystore support"), I see the following crash when > > booting some distribution configurations, such as OpenSUSE's [1] (the > > rootfs is available at [2] if necessary): > > Thanks for testing Nathan. > > The code needs to check plpks_is_available() somewhere, before calling > the plpks routines. would this fixup do it? I don't really see any other place to plug the check with the current code structure. Thanks Michal diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c b/arch/powerpc/platforms/pseries/plpks_sed_ops.c index c1d08075e850..f8038d998eae 100644 --- a/arch/powerpc/platforms/pseries/plpks_sed_ops.c +++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c @@ -64,6 +64,9 @@ int sed_read_key(char *keyname, char *key, u_int *keylen) int ret; u_int len; + if (!plpks_is_available()) + return -ENODEV; + plpks_init_var(&var, keyname); var.data = (u8 *)&data; var.datalen = sizeof(data); @@ -89,6 +92,9 @@ int sed_write_key(char *keyname, char *key, u_int keylen) struct plpks_sed_object_data data; struct plpks_var_name vname; + if (!plpks_is_available()) + return -ENODEV; + plpks_init_var(&var, keyname); var.datalen = sizeof(struct plpks_sed_object_data); -- 2.41.0
Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
Nathan Chancellor writes: > Hi Greg, > > On Fri, Sep 08, 2023 at 10:30:56AM -0500, gjo...@linux.vnet.ibm.com wrote: >> From: Greg Joyce >> >> Define operations for SED Opal to read/write keys >> from POWER LPAR Platform KeyStore(PLPKS). This allows >> non-volatile storage of SED Opal keys. >> >> Signed-off-by: Greg Joyce >> Reviewed-by: Jonathan Derrick >> Reviewed-by: Hannes Reinecke > > After this change in -next as commit 9f2c7411ada9 ("powerpc/pseries: > PLPKS SED Opal keystore support"), I see the following crash when > booting some distribution configurations, such as OpenSUSE's [1] (the > rootfs is available at [2] if necessary): Thanks for testing Nathan. The code needs to check plpks_is_available() somewhere, before calling the plpks routines. cheers > $ qemu-system-ppc64 \ > -display none \ > -nodefaults \ > -device ipmi-bmc-sim,id=bmc0 \ > -device isa-ipmi-bt,bmc=bmc0,irq=10 \ > -machine powernv \ > -kernel arch/powerpc/boot/zImage.epapr \ > -initrd ppc64le-rootfs.cpio \ > -m 2G \ > -serial mon:stdio > ... > [0.00] Linux version 6.6.0-rc1-4-g9f2c7411ada9 > (nathan@dev-arch.thelio-3990X) (powerpc64-linux-gcc (GCC) 13.2.0, GNU ld (GNU > Binutils) 2.41) #1 SMP Wed Sep 13 11:53:38 MST 2023 > ... > [1.808911] [ cut here ] > [1.810336] kernel BUG at arch/powerpc/kernel/syscall.c:34! > [1.810799] Oops: Exception in kernel mode, sig: 5 [#1] > [1.810985] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV > [1.811191] Modules linked in: > [1.811483] CPU: 0 PID: 1 Comm: swapper/0 Not tainted > 6.6.0-rc1-4-g9f2c7411ada9 #1 > [1.811825] Hardware name: IBM PowerNV (emulated by qemu) POWER9 0x4e1202 > opal:v7.0 PowerNV > [1.812133] NIP: c002c8c4 LR: c000d620 CTR: > c000d4c0 > [1.812335] REGS: c2deb7b0 TRAP: 0700 Not tainted > (6.6.0-rc1-4-g9f2c7411ada9) > [1.812595] MSR: 90029033 CR: 2800028d > XER: 20040004 > [1.812930] CFAR: c000d61c IRQMASK: 3 > [1.812930] GPR00: c000d620 c2deba50 c15ef400 > c2debe80 > [1.812930] GPR04: 4800028d > > [1.812930] GPR08: 79cd 0001 > > [1.812930] GPR12: c28b > > [1.812930] GPR16: > > [1.812930] GPR20: > > [1.812930] GPR24: > > [1.812930] GPR28: 4800028d c2debe80 > c2debe10 > [1.814858] NIP [c002c8c4] system_call_exception+0x84/0x250 > [1.815480] LR [c000d620] system_call_common+0x160/0x2c4 > [1.815772] Call Trace: > [1.815929] [c2debe50] [c000d620] > system_call_common+0x160/0x2c4 > [1.816178] --- interrupt: c00 at plpar_hcall+0x38/0x60 > [1.816330] NIP: c00e43f8 LR: c00fb558 CTR: > > [1.816518] REGS: c2debe80 TRAP: 0c00 Not tainted > (6.6.0-rc1-4-g9f2c7411ada9) > [1.816740] MSR: 9280b033 > CR: 2800028d XER: > [1.817039] IRQMASK: 0 > [1.817039] GPR00: 4800028d c2deb950 c15ef400 > 0434 > [1.817039] GPR04: 028eb190 28ac6600 001d > 0010 > [1.817039] GPR08: > > [1.817039] GPR12: c28b c0011188 > > [1.817039] GPR16: > > [1.817039] GPR20: > > [1.817039] GPR24: > c00028ac6600 > [1.817039] GPR28: 0010 c28eb190 c00028ac6600 > c2deba30 > [1.818785] NIP [c00e43f8] plpar_hcall+0x38/0x60 > [1.818929] LR [c00fb558] plpks_read_var+0x208/0x290 > [1.819093] --- interrupt: c00 > [1.819195] [c2deb950] [c00fb528] > plpks_read_var+0x1d8/0x290 (unreliable) > [1.819433] [c2deba10] [c00fc1ac] sed_read_key+0x9c/0x170 > [1.819617] [c2debad0] [c20541a8] sed_opal_init+0xac/0x174 > [1.819823] [c2debc50] [c0010ad0] > do_one_initcall+0x80/0x3b0 > [1.820017] [c2debd30] [c2004860] > kernel_init_freeable+0x338/0x3dc > [1.820229] [c2debdf0] [c00111b0] kernel_init+0x30/0x1a0 > [1.820411] [c2debe50] [c000d620] > system_call_common+0x160/0x2c4 > [1.820614] --- interru
Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
On 9/13/23 12:59 PM, Nathan Chancellor wrote: > Hi Greg, > > On Fri, Sep 08, 2023 at 10:30:56AM -0500, gjo...@linux.vnet.ibm.com wrote: >> From: Greg Joyce >> >> Define operations for SED Opal to read/write keys >> from POWER LPAR Platform KeyStore(PLPKS). This allows >> non-volatile storage of SED Opal keys. >> >> Signed-off-by: Greg Joyce >> Reviewed-by: Jonathan Derrick >> Reviewed-by: Hannes Reinecke > > After this change in -next as commit 9f2c7411ada9 ("powerpc/pseries: > PLPKS SED Opal keystore support"), I see the following crash when > booting some distribution configurations, such as OpenSUSE's [1] (the > rootfs is available at [2] if necessary): I'll drop the series for now - I didn't push out the main branch just yet as I don't publish the block next tree until at least at -rc2 time, so it's just in a private branch for now. -- Jens Axboe
Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
Hi Greg, On Fri, Sep 08, 2023 at 10:30:56AM -0500, gjo...@linux.vnet.ibm.com wrote: > From: Greg Joyce > > Define operations for SED Opal to read/write keys > from POWER LPAR Platform KeyStore(PLPKS). This allows > non-volatile storage of SED Opal keys. > > Signed-off-by: Greg Joyce > Reviewed-by: Jonathan Derrick > Reviewed-by: Hannes Reinecke After this change in -next as commit 9f2c7411ada9 ("powerpc/pseries: PLPKS SED Opal keystore support"), I see the following crash when booting some distribution configurations, such as OpenSUSE's [1] (the rootfs is available at [2] if necessary): $ qemu-system-ppc64 \ -display none \ -nodefaults \ -device ipmi-bmc-sim,id=bmc0 \ -device isa-ipmi-bt,bmc=bmc0,irq=10 \ -machine powernv \ -kernel arch/powerpc/boot/zImage.epapr \ -initrd ppc64le-rootfs.cpio \ -m 2G \ -serial mon:stdio ... [0.00] Linux version 6.6.0-rc1-4-g9f2c7411ada9 (nathan@dev-arch.thelio-3990X) (powerpc64-linux-gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1 SMP Wed Sep 13 11:53:38 MST 2023 ... [1.808911] [ cut here ] [1.810336] kernel BUG at arch/powerpc/kernel/syscall.c:34! [1.810799] Oops: Exception in kernel mode, sig: 5 [#1] [1.810985] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV [1.811191] Modules linked in: [1.811483] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.0-rc1-4-g9f2c7411ada9 #1 [1.811825] Hardware name: IBM PowerNV (emulated by qemu) POWER9 0x4e1202 opal:v7.0 PowerNV [1.812133] NIP: c002c8c4 LR: c000d620 CTR: c000d4c0 [1.812335] REGS: c2deb7b0 TRAP: 0700 Not tainted (6.6.0-rc1-4-g9f2c7411ada9) [1.812595] MSR: 90029033 CR: 2800028d XER: 20040004 [1.812930] CFAR: c000d61c IRQMASK: 3 [1.812930] GPR00: c000d620 c2deba50 c15ef400 c2debe80 [1.812930] GPR04: 4800028d [1.812930] GPR08: 79cd 0001 [1.812930] GPR12: c28b [1.812930] GPR16: [1.812930] GPR20: [1.812930] GPR24: [1.812930] GPR28: 4800028d c2debe80 c2debe10 [1.814858] NIP [c002c8c4] system_call_exception+0x84/0x250 [1.815480] LR [c000d620] system_call_common+0x160/0x2c4 [1.815772] Call Trace: [1.815929] [c2debe50] [c000d620] system_call_common+0x160/0x2c4 [1.816178] --- interrupt: c00 at plpar_hcall+0x38/0x60 [1.816330] NIP: c00e43f8 LR: c00fb558 CTR: [1.816518] REGS: c2debe80 TRAP: 0c00 Not tainted (6.6.0-rc1-4-g9f2c7411ada9) [1.816740] MSR: 9280b033 CR: 2800028d XER: [1.817039] IRQMASK: 0 [1.817039] GPR00: 4800028d c2deb950 c15ef400 0434 [1.817039] GPR04: 028eb190 28ac6600 001d 0010 [1.817039] GPR08: [1.817039] GPR12: c28b c0011188 [1.817039] GPR16: [1.817039] GPR20: [1.817039] GPR24: c00028ac6600 [1.817039] GPR28: 0010 c28eb190 c00028ac6600 c2deba30 [1.818785] NIP [c00e43f8] plpar_hcall+0x38/0x60 [1.818929] LR [c00fb558] plpks_read_var+0x208/0x290 [1.819093] --- interrupt: c00 [1.819195] [c2deb950] [c00fb528] plpks_read_var+0x1d8/0x290 (unreliable) [1.819433] [c2deba10] [c00fc1ac] sed_read_key+0x9c/0x170 [1.819617] [c2debad0] [c20541a8] sed_opal_init+0xac/0x174 [1.819823] [c2debc50] [c0010ad0] do_one_initcall+0x80/0x3b0 [1.820017] [c2debd30] [c2004860] kernel_init_freeable+0x338/0x3dc [1.820229] [c2debdf0] [c00111b0] kernel_init+0x30/0x1a0 [1.820411] [c2debe50] [c000d620] system_call_common+0x160/0x2c4 [1.820614] --- interrupt: c00 at plpar_hcall+0x38/0x60 [1.820755] NIP: c00e43f8 LR: c00fb558 CTR: [1.820940] REGS: c2debe80 TRAP: 0c00 Not tainted (6.6.0-rc1-4-g9f2c7411ada9) [1.821157] MSR: 9280b033 CR: 2800028d XER: [1.821444] IRQMASK: 0 [1.821444] GPR00: 4800028d c2deb950 c
[PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
From: Greg Joyce Define operations for SED Opal to read/write keys from POWER LPAR Platform KeyStore(PLPKS). This allows non-volatile storage of SED Opal keys. Signed-off-by: Greg Joyce Reviewed-by: Jonathan Derrick Reviewed-by: Hannes Reinecke --- arch/powerpc/platforms/pseries/Kconfig| 6 + arch/powerpc/platforms/pseries/Makefile | 1 + .../powerpc/platforms/pseries/plpks_sed_ops.c | 114 ++ block/Kconfig | 1 + 4 files changed, 122 insertions(+) create mode 100644 arch/powerpc/platforms/pseries/plpks_sed_ops.c diff --git a/arch/powerpc/platforms/pseries/Kconfig b/arch/powerpc/platforms/pseries/Kconfig index 4ebf2ef2845d..afc0f6a61337 100644 --- a/arch/powerpc/platforms/pseries/Kconfig +++ b/arch/powerpc/platforms/pseries/Kconfig @@ -164,6 +164,12 @@ config PSERIES_PLPKS # This option is selected by in-kernel consumers that require # access to the PKS. +config PSERIES_PLPKS_SED + depends on PPC_PSERIES + bool + # This option is selected by in-kernel consumers that require + # access to the SED PKS keystore. + config PAPR_SCM depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM tristate "Support for the PAPR Storage Class Memory interface" diff --git a/arch/powerpc/platforms/pseries/Makefile b/arch/powerpc/platforms/pseries/Makefile index 53c3b91af2f7..1476c5e4433c 100644 --- a/arch/powerpc/platforms/pseries/Makefile +++ b/arch/powerpc/platforms/pseries/Makefile @@ -29,6 +29,7 @@ obj-$(CONFIG_PPC_SVM) += svm.o obj-$(CONFIG_FA_DUMP) += rtas-fadump.o obj-$(CONFIG_PSERIES_PLPKS)+= plpks.o obj-$(CONFIG_PPC_SECURE_BOOT) += plpks-secvar.o +obj-$(CONFIG_PSERIES_PLPKS_SED)+= plpks_sed_ops.o obj-$(CONFIG_SUSPEND) += suspend.o obj-$(CONFIG_PPC_VAS) += vas.o vas-sysfs.o diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c b/arch/powerpc/platforms/pseries/plpks_sed_ops.c new file mode 100644 index ..c1d08075e850 --- /dev/null +++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c @@ -0,0 +1,114 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * POWER Platform specific code for non-volatile SED key access + * Copyright (C) 2022 IBM Corporation + * + * Define operations for SED Opal to read/write keys + * from POWER LPAR Platform KeyStore(PLPKS). + * + * Self Encrypting Drives(SED) key storage using PLPKS + */ + +#include +#include +#include +#include +#include +#include + +/* + * structure that contains all SED data + */ +struct plpks_sed_object_data { + u_char version; + u_char pad1[7]; + u_long authority; + u_long range; + u_int key_len; + u_char key[32]; +}; + +#define PLPKS_SED_OBJECT_DATA_V00 +#define PLPKS_SED_MANGLED_LABEL "/default/pri" +#define PLPKS_SED_COMPONENT "sed-opal" +#define PLPKS_SED_KEY "opal-boot-pin" + +/* + * authority is admin1 and range is global + */ +#define PLPKS_SED_AUTHORITY 0x000900010001 +#define PLPKS_SED_RANGE 0x08020001 + +void plpks_init_var(struct plpks_var *var, char *keyname) +{ + var->name = keyname; + var->namelen = strlen(keyname); + if (strcmp(PLPKS_SED_KEY, keyname) == 0) { + var->name = PLPKS_SED_MANGLED_LABEL; + var->namelen = strlen(keyname); + } + var->policy = PLPKS_WORLDREADABLE; + var->os = PLPKS_VAR_COMMON; + var->data = NULL; + var->datalen = 0; + var->component = PLPKS_SED_COMPONENT; +} + +/* + * Read the SED Opal key from PLPKS given the label + */ +int sed_read_key(char *keyname, char *key, u_int *keylen) +{ + struct plpks_var var; + struct plpks_sed_object_data data; + int ret; + u_int len; + + plpks_init_var(&var, keyname); + var.data = (u8 *)&data; + var.datalen = sizeof(data); + + ret = plpks_read_os_var(&var); + if (ret != 0) + return ret; + + len = min_t(u16, be32_to_cpu(data.key_len), var.datalen); + memcpy(key, data.key, len); + key[len] = '\0'; + *keylen = len; + + return 0; +} + +/* + * Write the SED Opal key to PLPKS given the label + */ +int sed_write_key(char *keyname, char *key, u_int keylen) +{ + struct plpks_var var; + struct plpks_sed_object_data data; + struct plpks_var_name vname; + + plpks_init_var(&var, keyname); + + var.datalen = sizeof(struct plpks_sed_object_data); + var.data = (u8 *)&data; + + /* initialize SED object */ + data.version = PLPKS_SED_OBJECT_DATA_V0; + data.authority = cpu_to_be64(PLPKS_SED_AUTHORITY); + data.range = cpu_to_be64(PLPKS_SED_RANGE); + memset(&data.pad1, '\0', sizeof(data.pad1)); + data.key_len = cpu_to_be32(keylen); + memcpy(data.key, (char *)key, keylen); + + /* +* Key update requires remove first. The return value +* is
Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
On 7/21/23 23:19, gjo...@linux.vnet.ibm.com wrote: From: Greg Joyce Define operations for SED Opal to read/write keys from POWER LPAR Platform KeyStore(PLPKS). This allows non-volatile storage of SED Opal keys. Signed-off-by: Greg Joyce Reviewed-by: Jonathan Derrick --- arch/powerpc/platforms/pseries/Kconfig| 6 + arch/powerpc/platforms/pseries/Makefile | 1 + .../powerpc/platforms/pseries/plpks_sed_ops.c | 114 ++ block/Kconfig | 1 + 4 files changed, 122 insertions(+) create mode 100644 arch/powerpc/platforms/pseries/plpks_sed_ops.c Reviewed-by: Hannes Reinecke Cheers, Hannes -- Dr. Hannes ReineckeKernel Storage Architect h...@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg HRB 36809 (AG Nürnberg), Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman
[PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
From: Greg Joyce Define operations for SED Opal to read/write keys from POWER LPAR Platform KeyStore(PLPKS). This allows non-volatile storage of SED Opal keys. Signed-off-by: Greg Joyce Reviewed-by: Jonathan Derrick --- arch/powerpc/platforms/pseries/Kconfig| 6 + arch/powerpc/platforms/pseries/Makefile | 1 + .../powerpc/platforms/pseries/plpks_sed_ops.c | 114 ++ block/Kconfig | 1 + 4 files changed, 122 insertions(+) create mode 100644 arch/powerpc/platforms/pseries/plpks_sed_ops.c diff --git a/arch/powerpc/platforms/pseries/Kconfig b/arch/powerpc/platforms/pseries/Kconfig index 4ebf2ef2845d..afc0f6a61337 100644 --- a/arch/powerpc/platforms/pseries/Kconfig +++ b/arch/powerpc/platforms/pseries/Kconfig @@ -164,6 +164,12 @@ config PSERIES_PLPKS # This option is selected by in-kernel consumers that require # access to the PKS. +config PSERIES_PLPKS_SED + depends on PPC_PSERIES + bool + # This option is selected by in-kernel consumers that require + # access to the SED PKS keystore. + config PAPR_SCM depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM tristate "Support for the PAPR Storage Class Memory interface" diff --git a/arch/powerpc/platforms/pseries/Makefile b/arch/powerpc/platforms/pseries/Makefile index 53c3b91af2f7..1476c5e4433c 100644 --- a/arch/powerpc/platforms/pseries/Makefile +++ b/arch/powerpc/platforms/pseries/Makefile @@ -29,6 +29,7 @@ obj-$(CONFIG_PPC_SVM) += svm.o obj-$(CONFIG_FA_DUMP) += rtas-fadump.o obj-$(CONFIG_PSERIES_PLPKS)+= plpks.o obj-$(CONFIG_PPC_SECURE_BOOT) += plpks-secvar.o +obj-$(CONFIG_PSERIES_PLPKS_SED)+= plpks_sed_ops.o obj-$(CONFIG_SUSPEND) += suspend.o obj-$(CONFIG_PPC_VAS) += vas.o vas-sysfs.o diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c b/arch/powerpc/platforms/pseries/plpks_sed_ops.c new file mode 100644 index ..c1d08075e850 --- /dev/null +++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c @@ -0,0 +1,114 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * POWER Platform specific code for non-volatile SED key access + * Copyright (C) 2022 IBM Corporation + * + * Define operations for SED Opal to read/write keys + * from POWER LPAR Platform KeyStore(PLPKS). + * + * Self Encrypting Drives(SED) key storage using PLPKS + */ + +#include +#include +#include +#include +#include +#include + +/* + * structure that contains all SED data + */ +struct plpks_sed_object_data { + u_char version; + u_char pad1[7]; + u_long authority; + u_long range; + u_int key_len; + u_char key[32]; +}; + +#define PLPKS_SED_OBJECT_DATA_V00 +#define PLPKS_SED_MANGLED_LABEL "/default/pri" +#define PLPKS_SED_COMPONENT "sed-opal" +#define PLPKS_SED_KEY "opal-boot-pin" + +/* + * authority is admin1 and range is global + */ +#define PLPKS_SED_AUTHORITY 0x000900010001 +#define PLPKS_SED_RANGE 0x08020001 + +void plpks_init_var(struct plpks_var *var, char *keyname) +{ + var->name = keyname; + var->namelen = strlen(keyname); + if (strcmp(PLPKS_SED_KEY, keyname) == 0) { + var->name = PLPKS_SED_MANGLED_LABEL; + var->namelen = strlen(keyname); + } + var->policy = PLPKS_WORLDREADABLE; + var->os = PLPKS_VAR_COMMON; + var->data = NULL; + var->datalen = 0; + var->component = PLPKS_SED_COMPONENT; +} + +/* + * Read the SED Opal key from PLPKS given the label + */ +int sed_read_key(char *keyname, char *key, u_int *keylen) +{ + struct plpks_var var; + struct plpks_sed_object_data data; + int ret; + u_int len; + + plpks_init_var(&var, keyname); + var.data = (u8 *)&data; + var.datalen = sizeof(data); + + ret = plpks_read_os_var(&var); + if (ret != 0) + return ret; + + len = min_t(u16, be32_to_cpu(data.key_len), var.datalen); + memcpy(key, data.key, len); + key[len] = '\0'; + *keylen = len; + + return 0; +} + +/* + * Write the SED Opal key to PLPKS given the label + */ +int sed_write_key(char *keyname, char *key, u_int keylen) +{ + struct plpks_var var; + struct plpks_sed_object_data data; + struct plpks_var_name vname; + + plpks_init_var(&var, keyname); + + var.datalen = sizeof(struct plpks_sed_object_data); + var.data = (u8 *)&data; + + /* initialize SED object */ + data.version = PLPKS_SED_OBJECT_DATA_V0; + data.authority = cpu_to_be64(PLPKS_SED_AUTHORITY); + data.range = cpu_to_be64(PLPKS_SED_RANGE); + memset(&data.pad1, '\0', sizeof(data.pad1)); + data.key_len = cpu_to_be32(keylen); + memcpy(data.key, (char *)key, keylen); + + /* +* Key update requires remove first. The return value +* is ignored since it's okay if the