1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * Copyright (C) 2022 IBM Corporation 4 * Author: Nayna Jain <nayna@linux.ibm.com> 5 * 6 * Platform keystore for pseries LPAR(PLPKS). 7 */ 8 9 #ifndef _ASM_POWERPC_PLPKS_H 10 #define _ASM_POWERPC_PLPKS_H 11 12 #ifdef CONFIG_PSERIES_PLPKS 13 14 #include <linux/types.h> 15 #include <linux/list.h> 16 17 // Object policy flags from supported_policies 18 #define PLPKS_OSSECBOOTAUDIT PPC_BIT32(1) // OS secure boot must be audit/enforce 19 #define PLPKS_OSSECBOOTENFORCE PPC_BIT32(2) // OS secure boot must be enforce 20 #define PLPKS_PWSET PPC_BIT32(3) // No access without password set 21 #define PLPKS_WORLDREADABLE PPC_BIT32(4) // Readable without authentication 22 #define PLPKS_IMMUTABLE PPC_BIT32(5) // Once written, object cannot be removed 23 #define PLPKS_TRANSIENT PPC_BIT32(6) // Object does not persist through reboot 24 #define PLPKS_SIGNEDUPDATE PPC_BIT32(7) // Object can only be modified by signed updates 25 #define PLPKS_HVPROVISIONED PPC_BIT32(28) // Hypervisor has provisioned this object 26 27 // Signature algorithm flags from signed_update_algorithms 28 #define PLPKS_ALG_RSA2048 PPC_BIT(0) 29 #define PLPKS_ALG_RSA4096 PPC_BIT(1) 30 31 // Object label OS metadata flags 32 #define PLPKS_VAR_LINUX 0x02 33 #define PLPKS_VAR_COMMON 0x04 34 35 // Flags for which consumer owns an object is owned by 36 #define PLPKS_FW_OWNER 0x1 37 #define PLPKS_BOOTLOADER_OWNER 0x2 38 #define PLPKS_OS_OWNER 0x3 39 40 // Flags for label metadata fields 41 #define PLPKS_LABEL_VERSION 0 42 #define PLPKS_MAX_LABEL_ATTR_SIZE 16 43 #define PLPKS_MAX_NAME_SIZE 239 44 #define PLPKS_MAX_DATA_SIZE 4000 45 46 // Timeouts for PLPKS operations 47 #define PLPKS_MAX_TIMEOUT 5000 // msec 48 #define PLPKS_FLUSH_SLEEP 10 // msec 49 #define PLPKS_FLUSH_SLEEP_RANGE 400 50 51 struct plpks_var { 52 char *component; 53 u8 *name; 54 u8 *data; 55 u32 policy; 56 u16 namelen; 57 u16 datalen; 58 u8 os; 59 }; 60 61 struct plpks_var_name { 62 u8 *name; 63 u16 namelen; 64 }; 65 66 struct plpks_var_name_list { 67 u32 varcount; 68 struct plpks_var_name varlist[]; 69 }; 70 71 /** 72 * Updates the authenticated variable. It expects NULL as the component. 73 */ 74 int plpks_signed_update_var(struct plpks_var *var, u64 flags); 75 76 /** 77 * Writes the specified var and its data to PKS. 78 * Any caller of PKS driver should present a valid component type for 79 * their variable. 80 */ 81 int plpks_write_var(struct plpks_var var); 82 83 /** 84 * Removes the specified var and its data from PKS. 85 */ 86 int plpks_remove_var(char *component, u8 varos, 87 struct plpks_var_name vname); 88 89 /** 90 * Returns the data for the specified os variable. 91 * 92 * Caller must allocate a buffer in var->data with length in var->datalen. 93 * If no buffer is provided, var->datalen will be populated with the object's 94 * size. 95 */ 96 int plpks_read_os_var(struct plpks_var *var); 97 98 /** 99 * Returns the data for the specified firmware variable. 100 * 101 * Caller must allocate a buffer in var->data with length in var->datalen. 102 * If no buffer is provided, var->datalen will be populated with the object's 103 * size. 104 */ 105 int plpks_read_fw_var(struct plpks_var *var); 106 107 /** 108 * Returns the data for the specified bootloader variable. 109 * 110 * Caller must allocate a buffer in var->data with length in var->datalen. 111 * If no buffer is provided, var->datalen will be populated with the object's 112 * size. 113 */ 114 int plpks_read_bootloader_var(struct plpks_var *var); 115 116 /** 117 * Returns if PKS is available on this LPAR. 118 */ 119 bool plpks_is_available(void); 120 121 /** 122 * Returns version of the Platform KeyStore. 123 */ 124 u8 plpks_get_version(void); 125 126 /** 127 * Returns hypervisor storage overhead per object, not including the size of 128 * the object or label. Only valid for config version >= 2 129 */ 130 u16 plpks_get_objoverhead(void); 131 132 /** 133 * Returns maximum password size. Must be >= 32 bytes 134 */ 135 u16 plpks_get_maxpwsize(void); 136 137 /** 138 * Returns maximum object size supported by Platform KeyStore. 139 */ 140 u16 plpks_get_maxobjectsize(void); 141 142 /** 143 * Returns maximum object label size supported by Platform KeyStore. 144 */ 145 u16 plpks_get_maxobjectlabelsize(void); 146 147 /** 148 * Returns total size of the configured Platform KeyStore. 149 */ 150 u32 plpks_get_totalsize(void); 151 152 /** 153 * Returns used space from the total size of the Platform KeyStore. 154 */ 155 u32 plpks_get_usedspace(void); 156 157 /** 158 * Returns bitmask of policies supported by the hypervisor. 159 */ 160 u32 plpks_get_supportedpolicies(void); 161 162 /** 163 * Returns maximum byte size of a single object supported by the hypervisor. 164 * Only valid for config version >= 3 165 */ 166 u32 plpks_get_maxlargeobjectsize(void); 167 168 /** 169 * Returns bitmask of signature algorithms supported for signed updates. 170 * Only valid for config version >= 3 171 */ 172 u64 plpks_get_signedupdatealgorithms(void); 173 174 /** 175 * Returns the length of the PLPKS password in bytes. 176 */ 177 u16 plpks_get_passwordlen(void); 178 179 /** 180 * Called in early init to retrieve and clear the PLPKS password from the DT. 181 */ 182 void plpks_early_init_devtree(void); 183 184 /** 185 * Populates the FDT with the PLPKS password to prepare for kexec. 186 */ 187 int plpks_populate_fdt(void *fdt); 188 #else // CONFIG_PSERIES_PLPKS plpks_is_available(void)189static inline bool plpks_is_available(void) { return false; } plpks_get_passwordlen(void)190static inline u16 plpks_get_passwordlen(void) { BUILD_BUG(); } plpks_early_init_devtree(void)191static inline void plpks_early_init_devtree(void) { } plpks_populate_fdt(void * fdt)192static inline int plpks_populate_fdt(void *fdt) { BUILD_BUG(); } 193 #endif // CONFIG_PSERIES_PLPKS 194 195 #endif // _ASM_POWERPC_PLPKS_H 196