/* SPDX-License-Identifier: GPL-2.0 */ /* * Copyright (C) 2022 IBM Corporation * Author: Nayna Jain * * Platform keystore for pseries LPAR(PLPKS). */ #ifndef _ASM_POWERPC_PLPKS_H #define _ASM_POWERPC_PLPKS_H #ifdef CONFIG_PSERIES_PLPKS #include #include // Object policy flags from supported_policies #define PLPKS_OSSECBOOTAUDIT PPC_BIT32(1) // OS secure boot must be audit/enforce #define PLPKS_OSSECBOOTENFORCE PPC_BIT32(2) // OS secure boot must be enforce #define PLPKS_PWSET PPC_BIT32(3) // No access without password set #define PLPKS_WORLDREADABLE PPC_BIT32(4) // Readable without authentication #define PLPKS_IMMUTABLE PPC_BIT32(5) // Once written, object cannot be removed #define PLPKS_TRANSIENT PPC_BIT32(6) // Object does not persist through reboot #define PLPKS_SIGNEDUPDATE PPC_BIT32(7) // Object can only be modified by signed updates #define PLPKS_HVPROVISIONED PPC_BIT32(28) // Hypervisor has provisioned this object // Signature algorithm flags from signed_update_algorithms #define PLPKS_ALG_RSA2048 PPC_BIT(0) #define PLPKS_ALG_RSA4096 PPC_BIT(1) // Object label OS metadata flags #define PLPKS_VAR_LINUX 0x02 #define PLPKS_VAR_COMMON 0x04 // Flags for which consumer owns an object is owned by #define PLPKS_FW_OWNER 0x1 #define PLPKS_BOOTLOADER_OWNER 0x2 #define PLPKS_OS_OWNER 0x3 // Flags for label metadata fields #define PLPKS_LABEL_VERSION 0 #define PLPKS_MAX_LABEL_ATTR_SIZE 16 #define PLPKS_MAX_NAME_SIZE 239 #define PLPKS_MAX_DATA_SIZE 4000 // Timeouts for PLPKS operations #define PLPKS_MAX_TIMEOUT 5000 // msec #define PLPKS_FLUSH_SLEEP 10 // msec #define PLPKS_FLUSH_SLEEP_RANGE 400 struct plpks_var { char *component; u8 *name; u8 *data; u32 policy; u16 namelen; u16 datalen; u8 os; }; struct plpks_var_name { u8 *name; u16 namelen; }; struct plpks_var_name_list { u32 varcount; struct plpks_var_name varlist[]; }; /** * Updates the authenticated variable. It expects NULL as the component. */ int plpks_signed_update_var(struct plpks_var *var, u64 flags); /** * Writes the specified var and its data to PKS. * Any caller of PKS driver should present a valid component type for * their variable. */ int plpks_write_var(struct plpks_var var); /** * Removes the specified var and its data from PKS. */ int plpks_remove_var(char *component, u8 varos, struct plpks_var_name vname); /** * Returns the data for the specified os variable. * * Caller must allocate a buffer in var->data with length in var->datalen. * If no buffer is provided, var->datalen will be populated with the object's * size. */ int plpks_read_os_var(struct plpks_var *var); /** * Returns the data for the specified firmware variable. * * Caller must allocate a buffer in var->data with length in var->datalen. * If no buffer is provided, var->datalen will be populated with the object's * size. */ int plpks_read_fw_var(struct plpks_var *var); /** * Returns the data for the specified bootloader variable. * * Caller must allocate a buffer in var->data with length in var->datalen. * If no buffer is provided, var->datalen will be populated with the object's * size. */ int plpks_read_bootloader_var(struct plpks_var *var); /** * Returns if PKS is available on this LPAR. */ bool plpks_is_available(void); /** * Returns version of the Platform KeyStore. */ u8 plpks_get_version(void); /** * Returns hypervisor storage overhead per object, not including the size of * the object or label. Only valid for config version >= 2 */ u16 plpks_get_objoverhead(void); /** * Returns maximum password size. Must be >= 32 bytes */ u16 plpks_get_maxpwsize(void); /** * Returns maximum object size supported by Platform KeyStore. */ u16 plpks_get_maxobjectsize(void); /** * Returns maximum object label size supported by Platform KeyStore. */ u16 plpks_get_maxobjectlabelsize(void); /** * Returns total size of the configured Platform KeyStore. */ u32 plpks_get_totalsize(void); /** * Returns used space from the total size of the Platform KeyStore. */ u32 plpks_get_usedspace(void); /** * Returns bitmask of policies supported by the hypervisor. */ u32 plpks_get_supportedpolicies(void); /** * Returns maximum byte size of a single object supported by the hypervisor. * Only valid for config version >= 3 */ u32 plpks_get_maxlargeobjectsize(void); /** * Returns bitmask of signature algorithms supported for signed updates. * Only valid for config version >= 3 */ u64 plpks_get_signedupdatealgorithms(void); /** * Returns the length of the PLPKS password in bytes. */ u16 plpks_get_passwordlen(void); /** * Called in early init to retrieve and clear the PLPKS password from the DT. */ void plpks_early_init_devtree(void); /** * Populates the FDT with the PLPKS password to prepare for kexec. */ int plpks_populate_fdt(void *fdt); #else // CONFIG_PSERIES_PLPKS static inline bool plpks_is_available(void) { return false; } static inline u16 plpks_get_passwordlen(void) { BUILD_BUG(); } static inline void plpks_early_init_devtree(void) { } static inline int plpks_populate_fdt(void *fdt) { BUILD_BUG(); } #endif // CONFIG_PSERIES_PLPKS #endif // _ASM_POWERPC_PLPKS_H