Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
On Wed, 2023-09-13 at 13:15 -0600, Jens Axboe wrote:
> On 9/13/23 12:59 PM, Nathan Chancellor wrote:
> > Hi Greg,
> >
> > On Fri, Sep 08, 2023 at 10:30:56AM -0500, gjo...@linux.vnet.ibm.com
> > wrote:
> > > From: Greg Joyce
> > >
> > > Define operations for SED Opal to read/write keys
> > > from POWER LPAR Platform KeyStore(PLPKS). This allows
> > > non-volatile storage of SED Opal keys.
> > >
> > > Signed-off-by: Greg Joyce
> > > Reviewed-by: Jonathan Derrick
> > > Reviewed-by: Hannes Reinecke
> >
> > After this change in -next as commit 9f2c7411ada9
> > ("powerpc/pseries:
> > PLPKS SED Opal keystore support"), I see the following crash when
> > booting some distribution configurations, such as OpenSUSE's [1]
> > (the
> > rootfs is available at [2] if necessary):
>
> I'll drop the series for now - I didn't push out the main branch just
> yet as I don't publish the block next tree until at least at -rc2
> time,
> so it's just in a private branch for now.
>
Agreed. I need to figure out:
1) best place to use plpks_is_available() to prevent a crash when PLPKS
is not present in pseries.
2) Resolve issues compiling with clang
3) declare plpks_init_var() as static
Greg
Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
Michal Suchánek writes:
> Hello,
>
> On Thu, Sep 14, 2023 at 02:13:32PM +1000, Michael Ellerman wrote:
>> Nathan Chancellor writes:
>> > Hi Greg,
>> >
>> > On Fri, Sep 08, 2023 at 10:30:56AM -0500, gjo...@linux.vnet.ibm.com wrote:
>> >> From: Greg Joyce
>> >>
>> >> Define operations for SED Opal to read/write keys
>> >> from POWER LPAR Platform KeyStore(PLPKS). This allows
>> >> non-volatile storage of SED Opal keys.
>> >>
>> >> Signed-off-by: Greg Joyce
>> >> Reviewed-by: Jonathan Derrick
>> >> Reviewed-by: Hannes Reinecke
>> >
>> > After this change in -next as commit 9f2c7411ada9 ("powerpc/pseries:
>> > PLPKS SED Opal keystore support"), I see the following crash when
>> > booting some distribution configurations, such as OpenSUSE's [1] (the
>> > rootfs is available at [2] if necessary):
>>
>> Thanks for testing Nathan.
>>
>> The code needs to check plpks_is_available() somewhere, before calling
>> the plpks routines.
>
> would this fixup do it?
>
> I don't really see any other place to plug the check with the current
> code structure.
I think the plpks_sed code should call plpks_is_available() once at init
time and cache the result.
Otherwise it's will be doing an extra hcall (in _plpks_get_config()) for
every call, which would be wasteful.
cheers
> diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c
> b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
> index c1d08075e850..f8038d998eae 100644
> --- a/arch/powerpc/platforms/pseries/plpks_sed_ops.c
> +++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
> @@ -64,6 +64,9 @@ int sed_read_key(char *keyname, char *key, u_int *keylen)
> int ret;
> u_int len;
>
> + if (!plpks_is_available())
> + return -ENODEV;
> +
> plpks_init_var(, keyname);
> var.data = (u8 *)
> var.datalen = sizeof(data);
> @@ -89,6 +92,9 @@ int sed_write_key(char *keyname, char *key, u_int keylen)
> struct plpks_sed_object_data data;
> struct plpks_var_name vname;
>
> + if (!plpks_is_available())
> + return -ENODEV;
> +
> plpks_init_var(, keyname);
>
> var.datalen = sizeof(struct plpks_sed_object_data);
> --
> 2.41.0
Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
Hello,
On Thu, Sep 14, 2023 at 02:13:32PM +1000, Michael Ellerman wrote:
> Nathan Chancellor writes:
> > Hi Greg,
> >
> > On Fri, Sep 08, 2023 at 10:30:56AM -0500, gjo...@linux.vnet.ibm.com wrote:
> >> From: Greg Joyce
> >>
> >> Define operations for SED Opal to read/write keys
> >> from POWER LPAR Platform KeyStore(PLPKS). This allows
> >> non-volatile storage of SED Opal keys.
> >>
> >> Signed-off-by: Greg Joyce
> >> Reviewed-by: Jonathan Derrick
> >> Reviewed-by: Hannes Reinecke
> >
> > After this change in -next as commit 9f2c7411ada9 ("powerpc/pseries:
> > PLPKS SED Opal keystore support"), I see the following crash when
> > booting some distribution configurations, such as OpenSUSE's [1] (the
> > rootfs is available at [2] if necessary):
>
> Thanks for testing Nathan.
>
> The code needs to check plpks_is_available() somewhere, before calling
> the plpks routines.
would this fixup do it?
I don't really see any other place to plug the check with the current
code structure.
Thanks
Michal
diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c
b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
index c1d08075e850..f8038d998eae 100644
--- a/arch/powerpc/platforms/pseries/plpks_sed_ops.c
+++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
@@ -64,6 +64,9 @@ int sed_read_key(char *keyname, char *key, u_int *keylen)
int ret;
u_int len;
+ if (!plpks_is_available())
+ return -ENODEV;
+
plpks_init_var(, keyname);
var.data = (u8 *)
var.datalen = sizeof(data);
@@ -89,6 +92,9 @@ int sed_write_key(char *keyname, char *key, u_int keylen)
struct plpks_sed_object_data data;
struct plpks_var_name vname;
+ if (!plpks_is_available())
+ return -ENODEV;
+
plpks_init_var(, keyname);
var.datalen = sizeof(struct plpks_sed_object_data);
--
2.41.0
Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
Nathan Chancellor writes:
> Hi Greg,
>
> On Fri, Sep 08, 2023 at 10:30:56AM -0500, gjo...@linux.vnet.ibm.com wrote:
>> From: Greg Joyce
>>
>> Define operations for SED Opal to read/write keys
>> from POWER LPAR Platform KeyStore(PLPKS). This allows
>> non-volatile storage of SED Opal keys.
>>
>> Signed-off-by: Greg Joyce
>> Reviewed-by: Jonathan Derrick
>> Reviewed-by: Hannes Reinecke
>
> After this change in -next as commit 9f2c7411ada9 ("powerpc/pseries:
> PLPKS SED Opal keystore support"), I see the following crash when
> booting some distribution configurations, such as OpenSUSE's [1] (the
> rootfs is available at [2] if necessary):
Thanks for testing Nathan.
The code needs to check plpks_is_available() somewhere, before calling
the plpks routines.
cheers
> $ qemu-system-ppc64 \
> -display none \
> -nodefaults \
> -device ipmi-bmc-sim,id=bmc0 \
> -device isa-ipmi-bt,bmc=bmc0,irq=10 \
> -machine powernv \
> -kernel arch/powerpc/boot/zImage.epapr \
> -initrd ppc64le-rootfs.cpio \
> -m 2G \
> -serial mon:stdio
> ...
> [0.00] Linux version 6.6.0-rc1-4-g9f2c7411ada9
> (nathan@dev-arch.thelio-3990X) (powerpc64-linux-gcc (GCC) 13.2.0, GNU ld (GNU
> Binutils) 2.41) #1 SMP Wed Sep 13 11:53:38 MST 2023
> ...
> [1.808911] [ cut here ]
> [1.810336] kernel BUG at arch/powerpc/kernel/syscall.c:34!
> [1.810799] Oops: Exception in kernel mode, sig: 5 [#1]
> [1.810985] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
> [1.811191] Modules linked in:
> [1.811483] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
> 6.6.0-rc1-4-g9f2c7411ada9 #1
> [1.811825] Hardware name: IBM PowerNV (emulated by qemu) POWER9 0x4e1202
> opal:v7.0 PowerNV
> [1.812133] NIP: c002c8c4 LR: c000d620 CTR:
> c000d4c0
> [1.812335] REGS: c2deb7b0 TRAP: 0700 Not tainted
> (6.6.0-rc1-4-g9f2c7411ada9)
> [1.812595] MSR: 90029033 CR: 2800028d
> XER: 20040004
> [1.812930] CFAR: c000d61c IRQMASK: 3
> [1.812930] GPR00: c000d620 c2deba50 c15ef400
> c2debe80
> [1.812930] GPR04: 4800028d
>
> [1.812930] GPR08: 79cd 0001
>
> [1.812930] GPR12: c28b
>
> [1.812930] GPR16:
>
> [1.812930] GPR20:
>
> [1.812930] GPR24:
>
> [1.812930] GPR28: 4800028d c2debe80
> c2debe10
> [1.814858] NIP [c002c8c4] system_call_exception+0x84/0x250
> [1.815480] LR [c000d620] system_call_common+0x160/0x2c4
> [1.815772] Call Trace:
> [1.815929] [c2debe50] [c000d620]
> system_call_common+0x160/0x2c4
> [1.816178] --- interrupt: c00 at plpar_hcall+0x38/0x60
> [1.816330] NIP: c00e43f8 LR: c00fb558 CTR:
>
> [1.816518] REGS: c2debe80 TRAP: 0c00 Not tainted
> (6.6.0-rc1-4-g9f2c7411ada9)
> [1.816740] MSR: 9280b033
> CR: 2800028d XER:
> [1.817039] IRQMASK: 0
> [1.817039] GPR00: 4800028d c2deb950 c15ef400
> 0434
> [1.817039] GPR04: 028eb190 28ac6600 001d
> 0010
> [1.817039] GPR08:
>
> [1.817039] GPR12: c28b c0011188
>
> [1.817039] GPR16:
>
> [1.817039] GPR20:
>
> [1.817039] GPR24:
> c00028ac6600
> [1.817039] GPR28: 0010 c28eb190 c00028ac6600
> c2deba30
> [1.818785] NIP [c00e43f8] plpar_hcall+0x38/0x60
> [1.818929] LR [c00fb558] plpks_read_var+0x208/0x290
> [1.819093] --- interrupt: c00
> [1.819195] [c2deb950] [c00fb528]
> plpks_read_var+0x1d8/0x290 (unreliable)
> [1.819433] [c2deba10] [c00fc1ac] sed_read_key+0x9c/0x170
> [1.819617] [c2debad0] [c20541a8] sed_opal_init+0xac/0x174
> [1.819823] [c2debc50] [c0010ad0]
> do_one_initcall+0x80/0x3b0
> [1.820017] [c2debd30] [c2004860]
> kernel_init_freeable+0x338/0x3dc
> [1.820229] [c2debdf0] [c00111b0] kernel_init+0x30/0x1a0
> [1.820411] [c2debe50] [c000d620]
> system_call_common+0x160/0x2c4
> [1.820614] ---
Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
On 9/13/23 12:59 PM, Nathan Chancellor wrote:
> Hi Greg,
>
> On Fri, Sep 08, 2023 at 10:30:56AM -0500, gjo...@linux.vnet.ibm.com wrote:
>> From: Greg Joyce
>>
>> Define operations for SED Opal to read/write keys
>> from POWER LPAR Platform KeyStore(PLPKS). This allows
>> non-volatile storage of SED Opal keys.
>>
>> Signed-off-by: Greg Joyce
>> Reviewed-by: Jonathan Derrick
>> Reviewed-by: Hannes Reinecke
>
> After this change in -next as commit 9f2c7411ada9 ("powerpc/pseries:
> PLPKS SED Opal keystore support"), I see the following crash when
> booting some distribution configurations, such as OpenSUSE's [1] (the
> rootfs is available at [2] if necessary):
I'll drop the series for now - I didn't push out the main branch just
yet as I don't publish the block next tree until at least at -rc2 time,
so it's just in a private branch for now.
--
Jens Axboe
Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
Hi Greg,
On Fri, Sep 08, 2023 at 10:30:56AM -0500, gjo...@linux.vnet.ibm.com wrote:
> From: Greg Joyce
>
> Define operations for SED Opal to read/write keys
> from POWER LPAR Platform KeyStore(PLPKS). This allows
> non-volatile storage of SED Opal keys.
>
> Signed-off-by: Greg Joyce
> Reviewed-by: Jonathan Derrick
> Reviewed-by: Hannes Reinecke
After this change in -next as commit 9f2c7411ada9 ("powerpc/pseries:
PLPKS SED Opal keystore support"), I see the following crash when
booting some distribution configurations, such as OpenSUSE's [1] (the
rootfs is available at [2] if necessary):
$ qemu-system-ppc64 \
-display none \
-nodefaults \
-device ipmi-bmc-sim,id=bmc0 \
-device isa-ipmi-bt,bmc=bmc0,irq=10 \
-machine powernv \
-kernel arch/powerpc/boot/zImage.epapr \
-initrd ppc64le-rootfs.cpio \
-m 2G \
-serial mon:stdio
...
[0.00] Linux version 6.6.0-rc1-4-g9f2c7411ada9
(nathan@dev-arch.thelio-3990X) (powerpc64-linux-gcc (GCC) 13.2.0, GNU ld (GNU
Binutils) 2.41) #1 SMP Wed Sep 13 11:53:38 MST 2023
...
[1.808911] [ cut here ]
[1.810336] kernel BUG at arch/powerpc/kernel/syscall.c:34!
[1.810799] Oops: Exception in kernel mode, sig: 5 [#1]
[1.810985] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
[1.811191] Modules linked in:
[1.811483] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
6.6.0-rc1-4-g9f2c7411ada9 #1
[1.811825] Hardware name: IBM PowerNV (emulated by qemu) POWER9 0x4e1202
opal:v7.0 PowerNV
[1.812133] NIP: c002c8c4 LR: c000d620 CTR: c000d4c0
[1.812335] REGS: c2deb7b0 TRAP: 0700 Not tainted
(6.6.0-rc1-4-g9f2c7411ada9)
[1.812595] MSR: 90029033 CR: 2800028d
XER: 20040004
[1.812930] CFAR: c000d61c IRQMASK: 3
[1.812930] GPR00: c000d620 c2deba50 c15ef400
c2debe80
[1.812930] GPR04: 4800028d
[1.812930] GPR08: 79cd 0001
[1.812930] GPR12: c28b
[1.812930] GPR16:
[1.812930] GPR20:
[1.812930] GPR24:
[1.812930] GPR28: 4800028d c2debe80
c2debe10
[1.814858] NIP [c002c8c4] system_call_exception+0x84/0x250
[1.815480] LR [c000d620] system_call_common+0x160/0x2c4
[1.815772] Call Trace:
[1.815929] [c2debe50] [c000d620]
system_call_common+0x160/0x2c4
[1.816178] --- interrupt: c00 at plpar_hcall+0x38/0x60
[1.816330] NIP: c00e43f8 LR: c00fb558 CTR:
[1.816518] REGS: c2debe80 TRAP: 0c00 Not tainted
(6.6.0-rc1-4-g9f2c7411ada9)
[1.816740] MSR: 9280b033 CR:
2800028d XER:
[1.817039] IRQMASK: 0
[1.817039] GPR00: 4800028d c2deb950 c15ef400
0434
[1.817039] GPR04: 028eb190 28ac6600 001d
0010
[1.817039] GPR08:
[1.817039] GPR12: c28b c0011188
[1.817039] GPR16:
[1.817039] GPR20:
[1.817039] GPR24:
c00028ac6600
[1.817039] GPR28: 0010 c28eb190 c00028ac6600
c2deba30
[1.818785] NIP [c00e43f8] plpar_hcall+0x38/0x60
[1.818929] LR [c00fb558] plpks_read_var+0x208/0x290
[1.819093] --- interrupt: c00
[1.819195] [c2deb950] [c00fb528] plpks_read_var+0x1d8/0x290
(unreliable)
[1.819433] [c2deba10] [c00fc1ac] sed_read_key+0x9c/0x170
[1.819617] [c2debad0] [c20541a8] sed_opal_init+0xac/0x174
[1.819823] [c2debc50] [c0010ad0] do_one_initcall+0x80/0x3b0
[1.820017] [c2debd30] [c2004860]
kernel_init_freeable+0x338/0x3dc
[1.820229] [c2debdf0] [c00111b0] kernel_init+0x30/0x1a0
[1.820411] [c2debe50] [c000d620]
system_call_common+0x160/0x2c4
[1.820614] --- interrupt: c00 at plpar_hcall+0x38/0x60
[1.820755] NIP: c00e43f8 LR: c00fb558 CTR:
[1.820940] REGS: c2debe80 TRAP: 0c00 Not tainted
(6.6.0-rc1-4-g9f2c7411ada9)
[1.821157] MSR: 9280b033 CR:
2800028d XER:
[1.821444] IRQMASK: 0
[1.821444] GPR00: 4800028d c2deb950
[PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
From: Greg Joyce
Define operations for SED Opal to read/write keys
from POWER LPAR Platform KeyStore(PLPKS). This allows
non-volatile storage of SED Opal keys.
Signed-off-by: Greg Joyce
Reviewed-by: Jonathan Derrick
Reviewed-by: Hannes Reinecke
---
arch/powerpc/platforms/pseries/Kconfig| 6 +
arch/powerpc/platforms/pseries/Makefile | 1 +
.../powerpc/platforms/pseries/plpks_sed_ops.c | 114 ++
block/Kconfig | 1 +
4 files changed, 122 insertions(+)
create mode 100644 arch/powerpc/platforms/pseries/plpks_sed_ops.c
diff --git a/arch/powerpc/platforms/pseries/Kconfig
b/arch/powerpc/platforms/pseries/Kconfig
index 4ebf2ef2845d..afc0f6a61337 100644
--- a/arch/powerpc/platforms/pseries/Kconfig
+++ b/arch/powerpc/platforms/pseries/Kconfig
@@ -164,6 +164,12 @@ config PSERIES_PLPKS
# This option is selected by in-kernel consumers that require
# access to the PKS.
+config PSERIES_PLPKS_SED
+ depends on PPC_PSERIES
+ bool
+ # This option is selected by in-kernel consumers that require
+ # access to the SED PKS keystore.
+
config PAPR_SCM
depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM
tristate "Support for the PAPR Storage Class Memory interface"
diff --git a/arch/powerpc/platforms/pseries/Makefile
b/arch/powerpc/platforms/pseries/Makefile
index 53c3b91af2f7..1476c5e4433c 100644
--- a/arch/powerpc/platforms/pseries/Makefile
+++ b/arch/powerpc/platforms/pseries/Makefile
@@ -29,6 +29,7 @@ obj-$(CONFIG_PPC_SVM) += svm.o
obj-$(CONFIG_FA_DUMP) += rtas-fadump.o
obj-$(CONFIG_PSERIES_PLPKS)+= plpks.o
obj-$(CONFIG_PPC_SECURE_BOOT) += plpks-secvar.o
+obj-$(CONFIG_PSERIES_PLPKS_SED)+= plpks_sed_ops.o
obj-$(CONFIG_SUSPEND) += suspend.o
obj-$(CONFIG_PPC_VAS) += vas.o vas-sysfs.o
diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c
b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
new file mode 100644
index ..c1d08075e850
--- /dev/null
+++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
@@ -0,0 +1,114 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * POWER Platform specific code for non-volatile SED key access
+ * Copyright (C) 2022 IBM Corporation
+ *
+ * Define operations for SED Opal to read/write keys
+ * from POWER LPAR Platform KeyStore(PLPKS).
+ *
+ * Self Encrypting Drives(SED) key storage using PLPKS
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+/*
+ * structure that contains all SED data
+ */
+struct plpks_sed_object_data {
+ u_char version;
+ u_char pad1[7];
+ u_long authority;
+ u_long range;
+ u_int key_len;
+ u_char key[32];
+};
+
+#define PLPKS_SED_OBJECT_DATA_V00
+#define PLPKS_SED_MANGLED_LABEL "/default/pri"
+#define PLPKS_SED_COMPONENT "sed-opal"
+#define PLPKS_SED_KEY "opal-boot-pin"
+
+/*
+ * authority is admin1 and range is global
+ */
+#define PLPKS_SED_AUTHORITY 0x000900010001
+#define PLPKS_SED_RANGE 0x08020001
+
+void plpks_init_var(struct plpks_var *var, char *keyname)
+{
+ var->name = keyname;
+ var->namelen = strlen(keyname);
+ if (strcmp(PLPKS_SED_KEY, keyname) == 0) {
+ var->name = PLPKS_SED_MANGLED_LABEL;
+ var->namelen = strlen(keyname);
+ }
+ var->policy = PLPKS_WORLDREADABLE;
+ var->os = PLPKS_VAR_COMMON;
+ var->data = NULL;
+ var->datalen = 0;
+ var->component = PLPKS_SED_COMPONENT;
+}
+
+/*
+ * Read the SED Opal key from PLPKS given the label
+ */
+int sed_read_key(char *keyname, char *key, u_int *keylen)
+{
+ struct plpks_var var;
+ struct plpks_sed_object_data data;
+ int ret;
+ u_int len;
+
+ plpks_init_var(, keyname);
+ var.data = (u8 *)
+ var.datalen = sizeof(data);
+
+ ret = plpks_read_os_var();
+ if (ret != 0)
+ return ret;
+
+ len = min_t(u16, be32_to_cpu(data.key_len), var.datalen);
+ memcpy(key, data.key, len);
+ key[len] = '\0';
+ *keylen = len;
+
+ return 0;
+}
+
+/*
+ * Write the SED Opal key to PLPKS given the label
+ */
+int sed_write_key(char *keyname, char *key, u_int keylen)
+{
+ struct plpks_var var;
+ struct plpks_sed_object_data data;
+ struct plpks_var_name vname;
+
+ plpks_init_var(, keyname);
+
+ var.datalen = sizeof(struct plpks_sed_object_data);
+ var.data = (u8 *)
+
+ /* initialize SED object */
+ data.version = PLPKS_SED_OBJECT_DATA_V0;
+ data.authority = cpu_to_be64(PLPKS_SED_AUTHORITY);
+ data.range = cpu_to_be64(PLPKS_SED_RANGE);
+ memset(, '\0', sizeof(data.pad1));
+ data.key_len = cpu_to_be32(keylen);
+ memcpy(data.key, (char *)key, keylen);
+
+ /*
+* Key update requires remove first. The return value
+* is ignored since it's okay if the
Re: [PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
On 7/21/23 23:19, gjo...@linux.vnet.ibm.com wrote: From: Greg Joyce Define operations for SED Opal to read/write keys from POWER LPAR Platform KeyStore(PLPKS). This allows non-volatile storage of SED Opal keys. Signed-off-by: Greg Joyce Reviewed-by: Jonathan Derrick --- arch/powerpc/platforms/pseries/Kconfig| 6 + arch/powerpc/platforms/pseries/Makefile | 1 + .../powerpc/platforms/pseries/plpks_sed_ops.c | 114 ++ block/Kconfig | 1 + 4 files changed, 122 insertions(+) create mode 100644 arch/powerpc/platforms/pseries/plpks_sed_ops.c Reviewed-by: Hannes Reinecke Cheers, Hannes -- Dr. Hannes ReineckeKernel Storage Architect h...@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg HRB 36809 (AG Nürnberg), Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman
[PATCH v7 3/3 RESEND] powerpc/pseries: PLPKS SED Opal keystore support
From: Greg Joyce
Define operations for SED Opal to read/write keys
from POWER LPAR Platform KeyStore(PLPKS). This allows
non-volatile storage of SED Opal keys.
Signed-off-by: Greg Joyce
Reviewed-by: Jonathan Derrick
---
arch/powerpc/platforms/pseries/Kconfig| 6 +
arch/powerpc/platforms/pseries/Makefile | 1 +
.../powerpc/platforms/pseries/plpks_sed_ops.c | 114 ++
block/Kconfig | 1 +
4 files changed, 122 insertions(+)
create mode 100644 arch/powerpc/platforms/pseries/plpks_sed_ops.c
diff --git a/arch/powerpc/platforms/pseries/Kconfig
b/arch/powerpc/platforms/pseries/Kconfig
index 4ebf2ef2845d..afc0f6a61337 100644
--- a/arch/powerpc/platforms/pseries/Kconfig
+++ b/arch/powerpc/platforms/pseries/Kconfig
@@ -164,6 +164,12 @@ config PSERIES_PLPKS
# This option is selected by in-kernel consumers that require
# access to the PKS.
+config PSERIES_PLPKS_SED
+ depends on PPC_PSERIES
+ bool
+ # This option is selected by in-kernel consumers that require
+ # access to the SED PKS keystore.
+
config PAPR_SCM
depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM
tristate "Support for the PAPR Storage Class Memory interface"
diff --git a/arch/powerpc/platforms/pseries/Makefile
b/arch/powerpc/platforms/pseries/Makefile
index 53c3b91af2f7..1476c5e4433c 100644
--- a/arch/powerpc/platforms/pseries/Makefile
+++ b/arch/powerpc/platforms/pseries/Makefile
@@ -29,6 +29,7 @@ obj-$(CONFIG_PPC_SVM) += svm.o
obj-$(CONFIG_FA_DUMP) += rtas-fadump.o
obj-$(CONFIG_PSERIES_PLPKS)+= plpks.o
obj-$(CONFIG_PPC_SECURE_BOOT) += plpks-secvar.o
+obj-$(CONFIG_PSERIES_PLPKS_SED)+= plpks_sed_ops.o
obj-$(CONFIG_SUSPEND) += suspend.o
obj-$(CONFIG_PPC_VAS) += vas.o vas-sysfs.o
diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c
b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
new file mode 100644
index ..c1d08075e850
--- /dev/null
+++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
@@ -0,0 +1,114 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * POWER Platform specific code for non-volatile SED key access
+ * Copyright (C) 2022 IBM Corporation
+ *
+ * Define operations for SED Opal to read/write keys
+ * from POWER LPAR Platform KeyStore(PLPKS).
+ *
+ * Self Encrypting Drives(SED) key storage using PLPKS
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+/*
+ * structure that contains all SED data
+ */
+struct plpks_sed_object_data {
+ u_char version;
+ u_char pad1[7];
+ u_long authority;
+ u_long range;
+ u_int key_len;
+ u_char key[32];
+};
+
+#define PLPKS_SED_OBJECT_DATA_V00
+#define PLPKS_SED_MANGLED_LABEL "/default/pri"
+#define PLPKS_SED_COMPONENT "sed-opal"
+#define PLPKS_SED_KEY "opal-boot-pin"
+
+/*
+ * authority is admin1 and range is global
+ */
+#define PLPKS_SED_AUTHORITY 0x000900010001
+#define PLPKS_SED_RANGE 0x08020001
+
+void plpks_init_var(struct plpks_var *var, char *keyname)
+{
+ var->name = keyname;
+ var->namelen = strlen(keyname);
+ if (strcmp(PLPKS_SED_KEY, keyname) == 0) {
+ var->name = PLPKS_SED_MANGLED_LABEL;
+ var->namelen = strlen(keyname);
+ }
+ var->policy = PLPKS_WORLDREADABLE;
+ var->os = PLPKS_VAR_COMMON;
+ var->data = NULL;
+ var->datalen = 0;
+ var->component = PLPKS_SED_COMPONENT;
+}
+
+/*
+ * Read the SED Opal key from PLPKS given the label
+ */
+int sed_read_key(char *keyname, char *key, u_int *keylen)
+{
+ struct plpks_var var;
+ struct plpks_sed_object_data data;
+ int ret;
+ u_int len;
+
+ plpks_init_var(, keyname);
+ var.data = (u8 *)
+ var.datalen = sizeof(data);
+
+ ret = plpks_read_os_var();
+ if (ret != 0)
+ return ret;
+
+ len = min_t(u16, be32_to_cpu(data.key_len), var.datalen);
+ memcpy(key, data.key, len);
+ key[len] = '\0';
+ *keylen = len;
+
+ return 0;
+}
+
+/*
+ * Write the SED Opal key to PLPKS given the label
+ */
+int sed_write_key(char *keyname, char *key, u_int keylen)
+{
+ struct plpks_var var;
+ struct plpks_sed_object_data data;
+ struct plpks_var_name vname;
+
+ plpks_init_var(, keyname);
+
+ var.datalen = sizeof(struct plpks_sed_object_data);
+ var.data = (u8 *)
+
+ /* initialize SED object */
+ data.version = PLPKS_SED_OBJECT_DATA_V0;
+ data.authority = cpu_to_be64(PLPKS_SED_AUTHORITY);
+ data.range = cpu_to_be64(PLPKS_SED_RANGE);
+ memset(, '\0', sizeof(data.pad1));
+ data.key_len = cpu_to_be32(keylen);
+ memcpy(data.key, (char *)key, keylen);
+
+ /*
+* Key update requires remove first. The return value
+* is ignored since it's okay if the key doesn't exist.
+*/
+
