1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3  * Copyright (C) 2022 IBM Corporation
4  * Author: Nayna Jain <nayna@linux.ibm.com>
5  *
6  * Platform keystore for pseries LPAR(PLPKS).
7  */
8 
9 #ifndef _ASM_POWERPC_PLPKS_H
10 #define _ASM_POWERPC_PLPKS_H
11 
12 #ifdef CONFIG_PSERIES_PLPKS
13 
14 #include <linux/types.h>
15 #include <linux/list.h>
16 
17 // Object policy flags from supported_policies
18 #define PLPKS_OSSECBOOTAUDIT	PPC_BIT32(1) // OS secure boot must be audit/enforce
19 #define PLPKS_OSSECBOOTENFORCE	PPC_BIT32(2) // OS secure boot must be enforce
20 #define PLPKS_PWSET		PPC_BIT32(3) // No access without password set
21 #define PLPKS_WORLDREADABLE	PPC_BIT32(4) // Readable without authentication
22 #define PLPKS_IMMUTABLE		PPC_BIT32(5) // Once written, object cannot be removed
23 #define PLPKS_TRANSIENT		PPC_BIT32(6) // Object does not persist through reboot
24 #define PLPKS_SIGNEDUPDATE	PPC_BIT32(7) // Object can only be modified by signed updates
25 #define PLPKS_HVPROVISIONED	PPC_BIT32(28) // Hypervisor has provisioned this object
26 
27 // Signature algorithm flags from signed_update_algorithms
28 #define PLPKS_ALG_RSA2048	PPC_BIT(0)
29 #define PLPKS_ALG_RSA4096	PPC_BIT(1)
30 
31 // Object label OS metadata flags
32 #define PLPKS_VAR_LINUX		0x02
33 #define PLPKS_VAR_COMMON	0x04
34 
35 // Flags for which consumer owns an object is owned by
36 #define PLPKS_FW_OWNER			0x1
37 #define PLPKS_BOOTLOADER_OWNER		0x2
38 #define PLPKS_OS_OWNER			0x3
39 
40 // Flags for label metadata fields
41 #define PLPKS_LABEL_VERSION		0
42 #define PLPKS_MAX_LABEL_ATTR_SIZE	16
43 #define PLPKS_MAX_NAME_SIZE		239
44 #define PLPKS_MAX_DATA_SIZE		4000
45 
46 // Timeouts for PLPKS operations
47 #define PLPKS_MAX_TIMEOUT		5000 // msec
48 #define PLPKS_FLUSH_SLEEP		10 // msec
49 #define PLPKS_FLUSH_SLEEP_RANGE		400
50 
51 struct plpks_var {
52 	char *component;
53 	u8 *name;
54 	u8 *data;
55 	u32 policy;
56 	u16 namelen;
57 	u16 datalen;
58 	u8 os;
59 };
60 
61 struct plpks_var_name {
62 	u8  *name;
63 	u16 namelen;
64 };
65 
66 struct plpks_var_name_list {
67 	u32 varcount;
68 	struct plpks_var_name varlist[];
69 };
70 
71 /**
72  * Updates the authenticated variable. It expects NULL as the component.
73  */
74 int plpks_signed_update_var(struct plpks_var *var, u64 flags);
75 
76 /**
77  * Writes the specified var and its data to PKS.
78  * Any caller of PKS driver should present a valid component type for
79  * their variable.
80  */
81 int plpks_write_var(struct plpks_var var);
82 
83 /**
84  * Removes the specified var and its data from PKS.
85  */
86 int plpks_remove_var(char *component, u8 varos,
87 		     struct plpks_var_name vname);
88 
89 /**
90  * Returns the data for the specified os variable.
91  *
92  * Caller must allocate a buffer in var->data with length in var->datalen.
93  * If no buffer is provided, var->datalen will be populated with the object's
94  * size.
95  */
96 int plpks_read_os_var(struct plpks_var *var);
97 
98 /**
99  * Returns the data for the specified firmware variable.
100  *
101  * Caller must allocate a buffer in var->data with length in var->datalen.
102  * If no buffer is provided, var->datalen will be populated with the object's
103  * size.
104  */
105 int plpks_read_fw_var(struct plpks_var *var);
106 
107 /**
108  * Returns the data for the specified bootloader variable.
109  *
110  * Caller must allocate a buffer in var->data with length in var->datalen.
111  * If no buffer is provided, var->datalen will be populated with the object's
112  * size.
113  */
114 int plpks_read_bootloader_var(struct plpks_var *var);
115 
116 /**
117  * Returns if PKS is available on this LPAR.
118  */
119 bool plpks_is_available(void);
120 
121 /**
122  * Returns version of the Platform KeyStore.
123  */
124 u8 plpks_get_version(void);
125 
126 /**
127  * Returns hypervisor storage overhead per object, not including the size of
128  * the object or label. Only valid for config version >= 2
129  */
130 u16 plpks_get_objoverhead(void);
131 
132 /**
133  * Returns maximum password size. Must be >= 32 bytes
134  */
135 u16 plpks_get_maxpwsize(void);
136 
137 /**
138  * Returns maximum object size supported by Platform KeyStore.
139  */
140 u16 plpks_get_maxobjectsize(void);
141 
142 /**
143  * Returns maximum object label size supported by Platform KeyStore.
144  */
145 u16 plpks_get_maxobjectlabelsize(void);
146 
147 /**
148  * Returns total size of the configured Platform KeyStore.
149  */
150 u32 plpks_get_totalsize(void);
151 
152 /**
153  * Returns used space from the total size of the Platform KeyStore.
154  */
155 u32 plpks_get_usedspace(void);
156 
157 /**
158  * Returns bitmask of policies supported by the hypervisor.
159  */
160 u32 plpks_get_supportedpolicies(void);
161 
162 /**
163  * Returns maximum byte size of a single object supported by the hypervisor.
164  * Only valid for config version >= 3
165  */
166 u32 plpks_get_maxlargeobjectsize(void);
167 
168 /**
169  * Returns bitmask of signature algorithms supported for signed updates.
170  * Only valid for config version >= 3
171  */
172 u64 plpks_get_signedupdatealgorithms(void);
173 
174 /**
175  * Returns the length of the PLPKS password in bytes.
176  */
177 u16 plpks_get_passwordlen(void);
178 
179 /**
180  * Called in early init to retrieve and clear the PLPKS password from the DT.
181  */
182 void plpks_early_init_devtree(void);
183 
184 /**
185  * Populates the FDT with the PLPKS password to prepare for kexec.
186  */
187 int plpks_populate_fdt(void *fdt);
188 #else // CONFIG_PSERIES_PLPKS
plpks_is_available(void)189 static inline bool plpks_is_available(void) { return false; }
plpks_get_passwordlen(void)190 static inline u16 plpks_get_passwordlen(void) { BUILD_BUG(); }
plpks_early_init_devtree(void)191 static inline void plpks_early_init_devtree(void) { }
plpks_populate_fdt(void * fdt)192 static inline int plpks_populate_fdt(void *fdt) { BUILD_BUG(); }
193 #endif // CONFIG_PSERIES_PLPKS
194 
195 #endif // _ASM_POWERPC_PLPKS_H
196