github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-24 07:03:03 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
master
linux/arch/powerpc/platforms/pseries/plpks.c
Srish Srinivasan e2071f9ce4 powerpc/pseries: plpks: export plpks_wrapping_is_supported 
Building trusted-keys as a module fails modpost with:

ERROR: modpost: "plpks_wrapping_is_supported" [security/keys/trusted-keys/
trusted.ko] undefined!

Export plpks_wrapping_is_supported() so trusted-keys links cleanly

This patch is intended to be applied on top of the earlier "Extend "trusted
" keys to support a new trust source named the PowerVM Key Wrapping Module
(PKWM)" series (v5).
Link: https://lore.kernel.org/all/20260127145228.48320-1-ssrish@linux.ibm.com/

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202602010724.1g9hbLKv-lkp@intel.com/
Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260201165344.950870-1-ssrish@linux.ibm.com
2026-02-11 07:53:54 +05:30

1380 lines
38 KiB
C
Raw Permalink Blame History

// SPDX-License-Identifier: GPL-2.0-only
/*
* POWER LPAR Platform KeyStore(PLPKS)
* Copyright (C) 2022 IBM Corporation
* Author: Nayna Jain <nayna@linux.ibm.com>
*
* Provides access to variables stored in Power LPAR Platform KeyStore(PLPKS).
*/
#define pr_fmt(fmt) "plpks: " fmt
#define PLPKS_WRAPKEY_COMPONENT "PLPKSWR"
#define PLPKS_WRAPKEY_NAME "default-wrapping-key"
/*
* To 4K align the {input, output} buffers to the {UN}WRAP H_CALLs
*/
#define PLPKS_WRAPPING_BUF_ALIGN 4096
/*
* To ensure the output buffer's length is at least 1024 bytes greater
* than the input buffer's length during the WRAP H_CALL
*/
#define PLPKS_WRAPPING_BUF_DIFF 1024
#define PLPKS_WRAP_INTERFACE_BIT 3
#define PLPKS_WRAPPING_KEY_LENGTH 32
#define WRAPFLAG_BE_BIT_SET(be_bit) \
BIT_ULL(63 - (be_bit))
#define WRAPFLAG_BE_GENMASK(be_bit_hi, be_bit_lo) \
GENMASK_ULL(63 - (be_bit_hi), 63 - (be_bit_lo))
#define WRAPFLAG_BE_FIELD_PREP(be_bit_hi, be_bit_lo, val) \
FIELD_PREP(WRAPFLAG_BE_GENMASK(be_bit_hi, be_bit_lo), (val))
#include <linux/delay.h>
#include <linux/errno.h>
#include <linux/io.h>
#include <linux/printk.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/types.h>
#include <linux/of_fdt.h>
#include <linux/libfdt.h>
#include <linux/memblock.h>
#include <linux/bitfield.h>
#include <asm/hvcall.h>
#include <asm/machdep.h>
#include <asm/plpks.h>
#include <asm/firmware.h>
static u8 *ospassword;
static u16 ospasswordlength;
// Retrieved with H_PKS_GET_CONFIG
static u8 version;
static u16 objoverhead;
static u16 maxpwsize;
static u16 maxobjsize;
static s16 maxobjlabelsize;
static u32 totalsize;
static u32 usedspace;
static u32 supportedpolicies;
static u32 maxlargeobjectsize;
static u64 signedupdatealgorithms;
static u64 wrappingfeatures;
static bool wrapsupport;
struct plpks_auth {
u8 version;
u8 consumer;
__be64 rsvd0;
__be32 rsvd1;
__be16 passwordlength;
u8 password[];
} __packed __aligned(16);
struct label_attr {
u8 prefix[8];
u8 version;
u8 os;
u8 length;
u8 reserved[5];
};
struct label {
struct label_attr attr;
u8 name[PLPKS_MAX_NAME_SIZE];
size_t size;
};
static int pseries_status_to_err(int rc)
{
int err;
switch (rc) {
case H_SUCCESS:
err = 0;
break;
case H_FUNCTION:
err = -ENXIO;
break;
case H_PARAMETER:
case H_P2:
case H_P3:
case H_P4:
case H_P5:
case H_P6:
err = -EINVAL;
break;
case H_NOT_FOUND:
err = -ENOENT;
break;
case H_BUSY:
case H_LONG_BUSY_ORDER_1_MSEC:
case H_LONG_BUSY_ORDER_10_MSEC:
case H_LONG_BUSY_ORDER_100_MSEC:
case H_LONG_BUSY_ORDER_1_SEC:
case H_LONG_BUSY_ORDER_10_SEC:
case H_LONG_BUSY_ORDER_100_SEC:
err = -EBUSY;
break;
case H_AUTHORITY:
err = -EPERM;
break;
case H_NO_MEM:
err = -ENOMEM;
break;
case H_RESOURCE:
err = -EEXIST;
break;
case H_TOO_BIG:
err = -EFBIG;
break;
case H_STATE:
err = -EIO;
break;
case H_R_STATE:
err = -EIO;
break;
case H_IN_USE:
err = -EEXIST;
break;
case H_ABORTED:
err = -EIO;
break;
default:
err = -EINVAL;
}
pr_debug("Converted hypervisor code %d to Linux %d\n", rc, err);
return err;
}
static int plpks_gen_password(void)
{
unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 };
u8 *password, consumer = PLPKS_OS_OWNER;
int rc;
// If we booted from kexec, we could be reusing an existing password already
if (ospassword) {
pr_debug("Password of length %u already in use\n", ospasswordlength);
return 0;
}
// The password must not cross a page boundary, so we align to the next power of 2
password = kzalloc(roundup_pow_of_two(maxpwsize), GFP_KERNEL);
if (!password)
return -ENOMEM;
rc = plpar_hcall(H_PKS_GEN_PASSWORD, retbuf, consumer, 0,
virt_to_phys(password), maxpwsize);
if (!rc) {
ospasswordlength = maxpwsize;
ospassword = kzalloc(maxpwsize, GFP_KERNEL);
if (!ospassword) {
kfree_sensitive(password);
return -ENOMEM;
}
memcpy(ospassword, password, ospasswordlength);
} else {
if (rc == H_IN_USE) {
pr_warn("Password already set - authenticated operations will fail\n");
rc = 0;
} else {
goto out;
}
}
out:
kfree_sensitive(password);
return pseries_status_to_err(rc);
}
static struct plpks_auth *construct_auth(u8 consumer)
{
struct plpks_auth *auth;
if (consumer > PLPKS_OS_OWNER)
return ERR_PTR(-EINVAL);
// The auth structure must not cross a page boundary and must be
// 16 byte aligned. We align to the next largest power of 2
auth = kzalloc(roundup_pow_of_two(struct_size(auth, password, maxpwsize)), GFP_KERNEL);
if (!auth)
return ERR_PTR(-ENOMEM);
auth->version = 1;
auth->consumer = consumer;
if (consumer == PLPKS_FW_OWNER || consumer == PLPKS_BOOTLOADER_OWNER)
return auth;
memcpy(auth->password, ospassword, ospasswordlength);
auth->passwordlength = cpu_to_be16(ospasswordlength);
return auth;
}
/*
* Label is combination of label attributes + name.
* Label attributes are used internally by kernel and not exposed to the user.
*/
static struct label *construct_label(char *component, u8 varos, u8 *name,
u16 namelen)
{
struct label *label;
size_t slen = 0;
if (!name || namelen > PLPKS_MAX_NAME_SIZE)
return ERR_PTR(-EINVAL);
// Support NULL component for signed updates
if (component) {
slen = strlen(component);
if (slen > sizeof(label->attr.prefix))
return ERR_PTR(-EINVAL);
}
// The label structure must not cross a page boundary, so we align to the next power of 2
label = kzalloc(roundup_pow_of_two(sizeof(*label)), GFP_KERNEL);
if (!label)
return ERR_PTR(-ENOMEM);
if (component)
memcpy(&label->attr.prefix, component, slen);
label->attr.version = PLPKS_LABEL_VERSION;
label->attr.os = varos;
label->attr.length = PLPKS_MAX_LABEL_ATTR_SIZE;
memcpy(&label->name, name, namelen);
label->size = sizeof(struct label_attr) + namelen;
return label;
}
static int _plpks_get_config(void)
{
unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 };
struct config {
u8 version;
u8 flags;
__be16 rsvd0;
__be16 objoverhead;
__be16 maxpwsize;
__be16 maxobjlabelsize;
__be16 maxobjsize;
__be32 totalsize;
__be32 usedspace;
__be32 supportedpolicies;
__be32 maxlargeobjectsize;
__be64 signedupdatealgorithms;
__be64 wrappingfeatures;
u8 rsvd1[476];
} __packed * config;
size_t size;
int rc = 0;
size = sizeof(*config);
// Config struct must not cross a page boundary. So long as the struct
// size is a power of 2, this should be fine as alignment is guaranteed
config = kzalloc(size, GFP_KERNEL);
if (!config) {
rc = -ENOMEM;
goto err;
}
rc = plpar_hcall(H_PKS_GET_CONFIG, retbuf, virt_to_phys(config), size);
if (rc != H_SUCCESS) {
rc = pseries_status_to_err(rc);
goto err;
}
version = config->version;
objoverhead = be16_to_cpu(config->objoverhead);
maxpwsize = be16_to_cpu(config->maxpwsize);
maxobjsize = be16_to_cpu(config->maxobjsize);
maxobjlabelsize = be16_to_cpu(config->maxobjlabelsize);
totalsize = be32_to_cpu(config->totalsize);
usedspace = be32_to_cpu(config->usedspace);
supportedpolicies = be32_to_cpu(config->supportedpolicies);
maxlargeobjectsize = be32_to_cpu(config->maxlargeobjectsize);
signedupdatealgorithms = be64_to_cpu(config->signedupdatealgorithms);
wrappingfeatures = be64_to_cpu(config->wrappingfeatures);
wrapsupport = config->flags & PPC_BIT8(PLPKS_WRAP_INTERFACE_BIT);
// Validate that the numbers we get back match the requirements of the spec
if (maxpwsize < 32) {
pr_err("Invalid Max Password Size received from hypervisor (%d < 32)\n", maxpwsize);
rc = -EIO;
goto err;
}
if (maxobjlabelsize < 255) {
pr_err("Invalid Max Object Label Size received from hypervisor (%d < 255)\n",
maxobjlabelsize);
rc = -EIO;
goto err;
}
if (totalsize < 4096) {
pr_err("Invalid Total Size received from hypervisor (%d < 4096)\n", totalsize);
rc = -EIO;
goto err;
}
if (version >= 3 && maxlargeobjectsize >= 65536 && maxobjsize != 0xFFFF) {
pr_err("Invalid Max Object Size (0x%x != 0xFFFF)\n", maxobjsize);
rc = -EIO;
goto err;
}
err:
kfree(config);
return rc;
}
/**
* plpks_get_version() - Get the version of the PLPKS config structure.
*
* Successful execution of the H_PKS_GET_CONFIG HCALL during initialization
* reads the PLPKS config structure version and saves it in a file local static
* version variable.
*
* Returns: On success the saved PLPKS config structure version is returned, 0
* if not.
*/
u8 plpks_get_version(void)
{
return version;
}
/**
* plpks_get_objoverhead() - Get the hypervisor storage overhead per object.
*
* Successful execution of the H_PKS_GET_CONFIG HCALL during initialization
* reads the per object hypervisor storage overhead in bytes into the local
* static objoverhead variable, excluding the size of the object or the label.
* This value can be treated as valid only when the PLPKS config structure
* version >= 2.
*
* Returns: If PLPKS config structure version >= 2 then the storage overhead is
* returned, 0 otherwise.
*/
u16 plpks_get_objoverhead(void)
{
return objoverhead;
}
/**
* plpks_get_maxpwsize() - Get the maximum password size.
*
* Successful execution of the H_PKS_GET_CONFIG HCALL during initialization
* reads the maximum password size and checks if it is 32 bytes at the least
* before storing it in the local static maxpwsize variable.
*
* Returns: On success the maximum password size is returned, 0 if not.
*/
u16 plpks_get_maxpwsize(void)
{
return maxpwsize;
}
/**
* plpks_get_maxobjectsize() - Get the maximum object size supported by the
* PLPKS.
*
* Successful execution of the H_PKS_GET_CONFIG HCALL during initialization
* reads the maximum object size into the file local static maxobjsize variable.
*
* Returns: On success the maximum object size is returned, 0 if not.
*/
u16 plpks_get_maxobjectsize(void)
{
return maxobjsize;
}
/**
* plpks_get_maxobjectlabelsize() - Get the maximum object label size supported
* by the PLPKS.
*
* Successful execution of the H_PKS_GET_CONFIG HCALL during initialization
* reads the maximum object label size into the local static maxobjlabelsize
* variable.
*
* Returns: On success the maximum object label size is returned, 0 if not.
*/
u16 plpks_get_maxobjectlabelsize(void)
{
return maxobjlabelsize;
}
/**
* plpks_get_totalsize() - Get the total size of the PLPKS that is configured.
*
* Successful execution of the H_PKS_GET_CONFIG HCALL during initialization
* reads the total size of the PLPKS that is configured for the LPAR into the
* file local static totalsize variable.
*
* Returns: On success the total size of the PLPKS configured is returned, 0 if
* not.
*/
u32 plpks_get_totalsize(void)
{
return totalsize;
}
/**
* plpks_get_usedspace() - Get the used space from the total size of the PLPKS.
*
* Invoke the H_PKS_GET_CONFIG HCALL to refresh the latest value for the used
* space as this keeps changing with the creation and removal of objects in the
* PLPKS.
*
* Returns: On success the used space is returned, 0 if not.
*/
u32 plpks_get_usedspace(void)
{
int rc = _plpks_get_config();
if (rc) {
pr_err("Couldn't get config, rc: %d\n", rc);
return 0;
}
return usedspace;
}
/**
* plpks_get_supportedpolicies() - Get a bitmask of the policies supported by
* the hypervisor.
*
* Successful execution of the H_PKS_GET_CONFIG HCALL during initialization
* reads a bitmask of the policies supported by the hypervisor into the file
* local static supportedpolicies variable.
*
* Returns: On success the bitmask of the policies supported by the hypervisor
* are returned, 0 if not.
*/
u32 plpks_get_supportedpolicies(void)
{
return supportedpolicies;
}
/**
* plpks_get_maxlargeobjectsize() - Get the maximum object size supported for
* PLPKS config structure version >= 3
*
* Successful execution of the H_PKS_GET_CONFIG HCALL during initialization
* reads the maximum object size into the local static maxlargeobjectsize
* variable for PLPKS config structure version >= 3. This was introduced
* starting with PLPKS config structure version 3 to allow for objects of
* size >= 64K.
*
* Returns: If PLPKS config structure version >= 3 then the new maximum object
* size is returned, 0 if not.
*/
u32 plpks_get_maxlargeobjectsize(void)
{
return maxlargeobjectsize;
}
/**
* plpks_get_signedupdatealgorithms() - Get a bitmask of the signature
* algorithms supported for signed updates.
*
* Successful execution of the H_PKS_GET_CONFIG HCALL during initialization
* reads a bitmask of the signature algorithms supported for signed updates into
* the file local static signedupdatealgorithms variable. This is valid only
* when the PLPKS config structure version >= 3.
*
* Returns: On success the bitmask of the signature algorithms supported for
* signed updates is returned, 0 if not.
*/
u64 plpks_get_signedupdatealgorithms(void)
{
return signedupdatealgorithms;
}
/**
* plpks_get_wrappingfeatures() - Returns a bitmask of the wrapping features
* supported by the hypervisor.
*
* Successful execution of the H_PKS_GET_CONFIG HCALL during initialization
* reads a bitmask of the wrapping features supported by the hypervisor into the
* file local static wrappingfeatures variable. This is valid only when the
* PLPKS config structure version >= 3.
*
* Return:
* bitmask of the wrapping features supported by the hypervisor
*/
u64 plpks_get_wrappingfeatures(void)
{
return wrappingfeatures;
}
/**
* plpks_get_passwordlen() - Get the length of the PLPKS password in bytes.
*
* The H_PKS_GEN_PASSWORD HCALL makes the hypervisor generate a random password
* for the specified consumer, apply that password to the PLPKS and return it to
* the caller. In this process, the password length for the OS consumer is
* stored in the local static ospasswordlength variable.
*
* Returns: On success the password length for the OS consumer in bytes is
* returned, 0 if not.
*/
u16 plpks_get_passwordlen(void)
{
return ospasswordlength;
}
/**
* plpks_is_available() - Get the PLPKS availability status for the LPAR.
*
* The availability of PLPKS is inferred based upon the successful execution of
* the H_PKS_GET_CONFIG HCALL provided the firmware supports this feature. The
* H_PKS_GET_CONFIG HCALL reads the configuration and status information related
* to the PLPKS. The configuration structure provides a version number to inform
* the caller of the supported features.
*
* Returns: true is returned if PLPKS is available, false if not.
*/
bool plpks_is_available(void)
{
int rc;
if (!firmware_has_feature(FW_FEATURE_PLPKS))
return false;
rc = _plpks_get_config();
if (rc)
return false;
return true;
}
static int plpks_confirm_object_flushed(struct label *label,
struct plpks_auth *auth)
{
unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 };
bool timed_out = true;
u64 timeout = 0;
u8 status;
int rc;
do {
rc = plpar_hcall(H_PKS_CONFIRM_OBJECT_FLUSHED, retbuf,
virt_to_phys(auth), virt_to_phys(label),
label->size);
status = retbuf[0];
if (rc) {
timed_out = false;
if (rc == H_NOT_FOUND && status == 1)
rc = 0;
break;
}
if (!rc && status == 1) {
timed_out = false;
break;
}
fsleep(PLPKS_FLUSH_SLEEP);
timeout = timeout + PLPKS_FLUSH_SLEEP;
} while (timeout < PLPKS_MAX_TIMEOUT);
if (timed_out)
return -ETIMEDOUT;
return pseries_status_to_err(rc);
}
/**
* plpks_signed_update_var() - Update the specified authenticated variable.
* @var: authenticated variable to be updated
* @flags: signed update request operation flags
*
* The H_PKS_SIGNED_UPDATE HCALL performs a signed update to an object in the
* PLPKS. The object must have the signed update policy flag set.
*
* Possible reasons for the returned errno values:
*
* -ENXIO if PLPKS is not supported
* -EIO if PLPKS access is blocked due to the LPAR's state
* if PLPKS modification is blocked due to the LPAR's state
* if an error occurred while processing the request
* -EINVAL if invalid authorization parameter
* if invalid object label parameter
* if invalid object label len parameter
* if invalid or unsupported policy declaration
* if invalid signed update flags
* if invalid input data parameter
* if invalid input data len parameter
* if invalid continue token parameter
* -EPERM if access is denied
* -ENOMEM if there is inadequate memory to perform the operation
* -EBUSY if unable to handle the request or long running operation
* initiated, retry later
*
* Returns: On success 0 is returned, a negative errno if not.
*/
int plpks_signed_update_var(struct plpks_var *var, u64 flags)
{
unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0};
int rc;
struct label *label;
struct plpks_auth *auth;
u64 continuetoken = 0;
u64 timeout = 0;
if (!var->data || var->datalen <= 0 || var->namelen > PLPKS_MAX_NAME_SIZE)
return -EINVAL;
if (!(var->policy & PLPKS_SIGNEDUPDATE))
return -EINVAL;
if (var->policy & PLPKS_WRAPPINGKEY)
return -EINVAL;
// Signed updates need the component to be NULL.
if (var->component)
return -EINVAL;
auth = construct_auth(PLPKS_OS_OWNER);
if (IS_ERR(auth))
return PTR_ERR(auth);
label = construct_label(var->component, var->os, var->name, var->namelen);
if (IS_ERR(label)) {
rc = PTR_ERR(label);
goto out;
}
do {
rc = plpar_hcall9(H_PKS_SIGNED_UPDATE, retbuf,
virt_to_phys(auth), virt_to_phys(label),
label->size, var->policy, flags,
virt_to_phys(var->data), var->datalen,
continuetoken);
continuetoken = retbuf[0];
if (pseries_status_to_err(rc) == -EBUSY) {
int delay_us = get_longbusy_msecs(rc) * 1000;
fsleep(delay_us);
timeout += delay_us;
}
rc = pseries_status_to_err(rc);
} while (rc == -EBUSY && timeout < PLPKS_MAX_TIMEOUT);
if (!rc)
rc = plpks_confirm_object_flushed(label, auth);
kfree(label);
out:
kfree(auth);
return rc;
}
/**
* plpks_write_var() - Write the specified variable and its data to PLPKS.
* @var: variable to be written into the PLPKS
*
* The H_PKS_WRITE_OBJECT HCALL writes an object into the PLPKS. The caller must
* provide a valid component type for the variable, and the signed update policy
* flag must not be set.
*
* Possible reasons for the returned errno values:
*
* -ENXIO if PLPKS is not supported
* -EIO if PLPKS access is blocked due to the LPAR's state
* if PLPKS modification is blocked due to the LPAR's state
* if an error occurred while processing the request
* -EINVAL if invalid authorization parameter
* if invalid object label parameter
* if invalid object label len parameter
* if invalid or unsupported policy declaration
* if invalid input data parameter
* if invalid input data len parameter
* -EPERM if access is denied
* -ENOMEM if unable to store the requested object in the space available
* -EBUSY if unable to handle the request
* -EEXIST if the object label already exists
*
* Returns: On success 0 is returned, a negative errno if not.
*/
int plpks_write_var(struct plpks_var var)
{
unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 };
struct plpks_auth *auth;
struct label *label;
int rc;
if (!var.component || !var.data || var.datalen <= 0 ||
var.namelen > PLPKS_MAX_NAME_SIZE || var.datalen > PLPKS_MAX_DATA_SIZE)
return -EINVAL;
if (var.policy & PLPKS_SIGNEDUPDATE)
return -EINVAL;
if (var.policy & PLPKS_WRAPPINGKEY)
return -EINVAL;
auth = construct_auth(PLPKS_OS_OWNER);
if (IS_ERR(auth))
return PTR_ERR(auth);
label = construct_label(var.component, var.os, var.name, var.namelen);
if (IS_ERR(label)) {
rc = PTR_ERR(label);
goto out;
}
rc = plpar_hcall(H_PKS_WRITE_OBJECT, retbuf, virt_to_phys(auth),
virt_to_phys(label), label->size, var.policy,
virt_to_phys(var.data), var.datalen);
if (!rc)
rc = plpks_confirm_object_flushed(label, auth);
rc = pseries_status_to_err(rc);
kfree(label);
out:
kfree(auth);
return rc;
}
/**
* plpks_remove_var() - Remove the specified variable and its data from PLPKS.
* @component: metadata prefix in the object label metadata structure
* @varos: metadata OS flags in the object label metadata structure
* @vname: object label for the object that needs to be removed
*
* The H_PKS_REMOVE_OBJECT HCALL removes an object from the PLPKS. The removal
* is independent of the policy bits that are set.
*
* Possible reasons for the returned errno values:
*
* -ENXIO if PLPKS is not supported
* -EIO if PLPKS access is blocked due to the LPAR's state
* if PLPKS modification is blocked due to the LPAR's state
* if an error occurred while processing the request
* -EINVAL if invalid authorization parameter
* if invalid object label parameter
* if invalid object label len parameter
* -EPERM if access is denied
* -ENOENT if the requested object was not found
* -EBUSY if unable to handle the request
*
* Returns: On success 0 is returned, a negative errno if not.
*/
int plpks_remove_var(char *component, u8 varos, struct plpks_var_name vname)
{
unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 };
struct plpks_auth *auth;
struct label *label;
int rc;
if (vname.namelen > PLPKS_MAX_NAME_SIZE)
return -EINVAL;
auth = construct_auth(PLPKS_OS_OWNER);
if (IS_ERR(auth))
return PTR_ERR(auth);
label = construct_label(component, varos, vname.name, vname.namelen);
if (IS_ERR(label)) {
rc = PTR_ERR(label);
goto out;
}
rc = plpar_hcall(H_PKS_REMOVE_OBJECT, retbuf, virt_to_phys(auth),
virt_to_phys(label), label->size);
if (!rc)
rc = plpks_confirm_object_flushed(label, auth);
rc = pseries_status_to_err(rc);
kfree(label);
out:
kfree(auth);
return rc;
}
static int plpks_read_var(u8 consumer, struct plpks_var *var)
{
unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 };
struct plpks_auth *auth;
struct label *label = NULL;
u8 *output;
int rc;
if (var->namelen > PLPKS_MAX_NAME_SIZE)
return -EINVAL;
if (var->policy & PLPKS_WRAPPINGKEY)
return -EINVAL;
auth = construct_auth(consumer);
if (IS_ERR(auth))
return PTR_ERR(auth);
if (consumer == PLPKS_OS_OWNER) {
label = construct_label(var->component, var->os, var->name,
var->namelen);
if (IS_ERR(label)) {
rc = PTR_ERR(label);
goto out_free_auth;
}
}
output = kzalloc(maxobjsize, GFP_KERNEL);
if (!output) {
rc = -ENOMEM;
goto out_free_label;
}
if (consumer == PLPKS_OS_OWNER)
rc = plpar_hcall(H_PKS_READ_OBJECT, retbuf, virt_to_phys(auth),
virt_to_phys(label), label->size, virt_to_phys(output),
maxobjsize);
else
rc = plpar_hcall(H_PKS_READ_OBJECT, retbuf, virt_to_phys(auth),
virt_to_phys(var->name), var->namelen, virt_to_phys(output),
maxobjsize);
if (rc != H_SUCCESS) {
rc = pseries_status_to_err(rc);
goto out_free_output;
}
if (!var->data || var->datalen > retbuf[0])
var->datalen = retbuf[0];
var->policy = retbuf[1];
if (var->data)
memcpy(var->data, output, var->datalen);
rc = 0;
out_free_output:
kfree(output);
out_free_label:
kfree(label);
out_free_auth:
kfree(auth);
return rc;
}
/**
* plpks_wrapping_is_supported() - Get the H_PKS_WRAP_OBJECT interface
* availability status for the LPAR.
*
* Successful execution of the H_PKS_GET_CONFIG HCALL during initialization
* sets bit 3 of the flags variable in the PLPKS config structure if the
* H_PKS_WRAP_OBJECT interface is supported.
*
* Returns: true if the H_PKS_WRAP_OBJECT interface is supported, false if not.
*/
bool plpks_wrapping_is_supported(void)
{
return wrapsupport;
}
EXPORT_SYMBOL_GPL(plpks_wrapping_is_supported);
/**
* plpks_gen_wrapping_key() - Generate a new random key with the 'wrapping key'
* policy set.
*
* The H_PKS_GEN_KEY HCALL makes the hypervisor generate a new random key and
* store the key in a PLPKS object with the provided object label. With the
* 'wrapping key' policy set, only the label to the newly generated random key
* would be visible to the user.
*
* Possible reasons for the returned errno values:
*
* -ENXIO if PLPKS is not supported
* -EIO if PLPKS access is blocked due to the LPAR's state
* if PLPKS modification is blocked due to the LPAR's state
* if an error occurred while processing the request
* -EINVAL if invalid authorization parameter
* if invalid object label parameter
* if invalid object label len parameter
* if invalid or unsupported policy declaration
* if invalid output buffer parameter
* if invalid output buffer length parameter
* -EPERM if access is denied
* -ENOMEM if there is inadequate memory to perform this operation
* -EBUSY if unable to handle the request
* -EEXIST if the object label already exists
*
* Returns: On success 0 is returned, a negative errno if not.
*/
int plpks_gen_wrapping_key(void)
{
unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 };
struct plpks_auth *auth;
struct label *label;
int rc = 0, pseries_status = 0;
struct plpks_var var = {
.name = PLPKS_WRAPKEY_NAME,
.namelen = strlen(var.name),
.policy = PLPKS_WRAPPINGKEY,
.os = PLPKS_VAR_LINUX,
.component = PLPKS_WRAPKEY_COMPONENT
};
auth = construct_auth(PLPKS_OS_OWNER);
if (IS_ERR(auth))
return PTR_ERR(auth);
label = construct_label(var.component, var.os, var.name, var.namelen);
if (IS_ERR(label)) {
rc = PTR_ERR(label);
goto out;
}
rc = plpar_hcall(H_PKS_GEN_KEY, retbuf,
virt_to_phys(auth), virt_to_phys(label),
label->size, var.policy,
NULL, PLPKS_WRAPPING_KEY_LENGTH);
if (!rc)
rc = plpks_confirm_object_flushed(label, auth);
pseries_status = rc;
rc = pseries_status_to_err(rc);
if (rc && rc != -EEXIST) {
pr_err("H_PKS_GEN_KEY failed. pseries_status=%d, rc=%d",
pseries_status, rc);
} else {
rc = 0;
}
kfree(label);
out:
kfree(auth);
return rc;
}
EXPORT_SYMBOL_GPL(plpks_gen_wrapping_key);
/**
* plpks_wrap_object() - Wrap an object using the default wrapping key stored in
* the PLPKS.
* @input_buf: buffer containing the data to be wrapped
* @input_len: length of the input buffer
* @wrap_flags: object wrapping flags
* @output_buf: buffer to store the wrapped data
* @output_len: length of the output buffer
*
* The H_PKS_WRAP_OBJECT HCALL wraps an object using a wrapping key stored in
* the PLPKS and returns the wrapped object to the caller. The caller provides a
* label to the wrapping key with the 'wrapping key' policy set that must have
* been previously created with the H_PKS_GEN_KEY HCALL. The provided object is
* then encrypted with the wrapping key and additional metadata and the result
* is returned to the user. The metadata includes the wrapping algorithm and the
* wrapping key name so those parameters are not required during unwrap.
*
* Possible reasons for the returned errno values:
*
* -ENXIO if PLPKS is not supported
* -EIO if PLPKS access is blocked due to the LPAR's state
* if PLPKS modification is blocked due to the LPAR's state
* if an error occurred while processing the request
* -EINVAL if invalid authorization parameter
* if invalid wrapping key label parameter
* if invalid wrapping key label length parameter
* if invalid or unsupported object wrapping flags
* if invalid input buffer parameter
* if invalid input buffer length parameter
* if invalid output buffer parameter
* if invalid output buffer length parameter
* if invalid continue token parameter
* if the wrapping key is not compatible with the wrapping
* algorithm
* -EPERM if access is denied
* -ENOENT if the requested wrapping key was not found
* -EBUSY if unable to handle the request or long running operation
* initiated, retry later.
*
* Returns: On success 0 is returned, a negative errno if not.
*/
int plpks_wrap_object(u8 **input_buf, u32 input_len, u16 wrap_flags,
u8 **output_buf, u32 *output_len)
{
unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = { 0 };
struct plpks_auth *auth;
struct label *label;
u64 continuetoken = 0;
u64 objwrapflags = 0;
int rc = 0, pseries_status = 0;
bool sb_audit_or_enforce_bit = wrap_flags & BIT(0);
bool sb_enforce_bit = wrap_flags & BIT(1);
struct plpks_var var = {
.name = PLPKS_WRAPKEY_NAME,
.namelen = strlen(var.name),
.os = PLPKS_VAR_LINUX,
.component = PLPKS_WRAPKEY_COMPONENT
};
auth = construct_auth(PLPKS_OS_OWNER);
if (IS_ERR(auth))
return PTR_ERR(auth);
label = construct_label(var.component, var.os, var.name, var.namelen);
if (IS_ERR(label)) {
rc = PTR_ERR(label);
goto out;
}
/* Set the consumer password requirement bit. A must have. */
objwrapflags |= WRAPFLAG_BE_BIT_SET(3);
/* Set the wrapping algorithm bit. Just one algorithm option for now */
objwrapflags |= WRAPFLAG_BE_FIELD_PREP(60, 63, 0x1);
if (sb_audit_or_enforce_bit & sb_enforce_bit) {
pr_err("Cannot set both audit/enforce and enforce bits.");
rc = -EINVAL;
goto out_free_label;
} else if (sb_audit_or_enforce_bit) {
objwrapflags |= WRAPFLAG_BE_BIT_SET(1);
} else if (sb_enforce_bit) {
objwrapflags |= WRAPFLAG_BE_BIT_SET(2);
}
*output_len = input_len + PLPKS_WRAPPING_BUF_DIFF;
*output_buf = kzalloc(ALIGN(*output_len, PLPKS_WRAPPING_BUF_ALIGN),
GFP_KERNEL);
if (!(*output_buf)) {
pr_err("Output buffer allocation failed. Returning -ENOMEM.");
rc = -ENOMEM;
goto out_free_label;
}
do {
rc = plpar_hcall9(H_PKS_WRAP_OBJECT, retbuf,
virt_to_phys(auth), virt_to_phys(label),
label->size, objwrapflags,
virt_to_phys(*input_buf), input_len,
virt_to_phys(*output_buf), *output_len,
continuetoken);
continuetoken = retbuf[0];
pseries_status = rc;
rc = pseries_status_to_err(rc);
} while (rc == -EBUSY);
if (rc) {
pr_err("H_PKS_WRAP_OBJECT failed. pseries_status=%d, rc=%d",
pseries_status, rc);
kfree(*output_buf);
*output_buf = NULL;
} else {
*output_len = retbuf[1];
}
out_free_label:
kfree(label);
out:
kfree(auth);
return rc;
}
EXPORT_SYMBOL_GPL(plpks_wrap_object);
/**
* plpks_unwrap_object() - Unwrap an object using the default wrapping key
* stored in the PLPKS.
* @input_buf: buffer containing the data to be unwrapped
* @input_len: length of the input buffer
* @output_buf: buffer to store the unwrapped data
* @output_len: length of the output buffer
*
* The H_PKS_UNWRAP_OBJECT HCALL unwraps an object that was previously wrapped
* using the H_PKS_WRAP_OBJECT HCALL.
*
* Possible reasons for the returned errno values:
*
* -ENXIO if PLPKS is not supported
* -EIO if PLPKS access is blocked due to the LPAR's state
* if PLPKS modification is blocked due to the LPAR's state
* if an error occurred while processing the request
* -EINVAL if invalid authorization parameter
* if invalid or unsupported object unwrapping flags
* if invalid input buffer parameter
* if invalid input buffer length parameter
* if invalid output buffer parameter
* if invalid output buffer length parameter
* if invalid continue token parameter
* if the wrapping key is not compatible with the wrapping
* algorithm
* if the wrapped object's format is not supported
* if the wrapped object is invalid
* -EPERM if access is denied
* -ENOENT if the wrapping key for the provided object was not found
* -EBUSY if unable to handle the request or long running operation
* initiated, retry later.
*
* Returns: On success 0 is returned, a negative errno if not.
*/
int plpks_unwrap_object(u8 **input_buf, u32 input_len, u8 **output_buf,
u32 *output_len)
{
unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = { 0 };
struct plpks_auth *auth;
u64 continuetoken = 0;
u64 objwrapflags = 0;
int rc = 0, pseries_status = 0;
auth = construct_auth(PLPKS_OS_OWNER);
if (IS_ERR(auth))
return PTR_ERR(auth);
*output_len = input_len - PLPKS_WRAPPING_BUF_DIFF;
*output_buf = kzalloc(ALIGN(*output_len, PLPKS_WRAPPING_BUF_ALIGN),
GFP_KERNEL);
if (!(*output_buf)) {
pr_err("Output buffer allocation failed. Returning -ENOMEM.");
rc = -ENOMEM;
goto out;
}
do {
rc = plpar_hcall9(H_PKS_UNWRAP_OBJECT, retbuf,
virt_to_phys(auth), objwrapflags,
virt_to_phys(*input_buf), input_len,
virt_to_phys(*output_buf), *output_len,
continuetoken);
continuetoken = retbuf[0];
pseries_status = rc;
rc = pseries_status_to_err(rc);
} while (rc == -EBUSY);
if (rc) {
pr_err("H_PKS_UNWRAP_OBJECT failed. pseries_status=%d, rc=%d",
pseries_status, rc);
kfree(*output_buf);
*output_buf = NULL;
} else {
*output_len = retbuf[1];
}
out:
kfree(auth);
return rc;
}
EXPORT_SYMBOL_GPL(plpks_unwrap_object);
/**
* plpks_read_os_var() - Fetch the data for the specified variable that is owned
* by the OS consumer.
* @var: variable to be read from the PLPKS
*
* The consumer or the owner of the object is the os kernel. The
* H_PKS_READ_OBJECT HCALL reads an object from the PLPKS. The caller must
* allocate the buffer var->data and specify the length for this buffer in
* var->datalen. If no buffer is provided, var->datalen will be populated with
* the requested object's size.
*
* Possible reasons for the returned errno values:
*
* -ENXIO if PLPKS is not supported
* -EIO if PLPKS access is blocked due to the LPAR's state
* if an error occurred while processing the request
* -EINVAL if invalid authorization parameter
* if invalid object label parameter
* if invalid object label len parameter
* if invalid output data parameter
* if invalid output data len parameter
* -EPERM if access is denied
* -ENOENT if the requested object was not found
* -EFBIG if the requested object couldn't be
* stored in the buffer provided
* -EBUSY if unable to handle the request
*
* Returns: On success 0 is returned, a negative errno if not.
*/
int plpks_read_os_var(struct plpks_var *var)
{
return plpks_read_var(PLPKS_OS_OWNER, var);
}
/**
* plpks_read_fw_var() - Fetch the data for the specified variable that is
* owned by the firmware consumer.
* @var: variable to be read from the PLPKS
*
* The consumer or the owner of the object is the firmware. The
* H_PKS_READ_OBJECT HCALL reads an object from the PLPKS. The caller must
* allocate the buffer var->data and specify the length for this buffer in
* var->datalen. If no buffer is provided, var->datalen will be populated with
* the requested object's size.
*
* Possible reasons for the returned errno values:
*
* -ENXIO if PLPKS is not supported
* -EIO if PLPKS access is blocked due to the LPAR's state
* if an error occurred while processing the request
* -EINVAL if invalid authorization parameter
* if invalid object label parameter
* if invalid object label len parameter
* if invalid output data parameter
* if invalid output data len parameter
* -EPERM if access is denied
* -ENOENT if the requested object was not found
* -EFBIG if the requested object couldn't be
* stored in the buffer provided
* -EBUSY if unable to handle the request
*
* Returns: On success 0 is returned, a negative errno if not.
*/
int plpks_read_fw_var(struct plpks_var *var)
{
return plpks_read_var(PLPKS_FW_OWNER, var);
}
/**
* plpks_read_bootloader_var() - Fetch the data for the specified variable
* owned by the bootloader consumer.
* @var: variable to be read from the PLPKS
*
* The consumer or the owner of the object is the bootloader. The
* H_PKS_READ_OBJECT HCALL reads an object from the PLPKS. The caller must
* allocate the buffer var->data and specify the length for this buffer in
* var->datalen. If no buffer is provided, var->datalen will be populated with
* the requested object's size.
*
* Possible reasons for the returned errno values:
*
* -ENXIO if PLPKS is not supported
* -EIO if PLPKS access is blocked due to the LPAR's state
* if an error occurred while processing the request
* -EINVAL if invalid authorization parameter
* if invalid object label parameter
* if invalid object label len parameter
* if invalid output data parameter
* if invalid output data len parameter
* -EPERM if access is denied
* -ENOENT if the requested object was not found
* -EFBIG if the requested object couldn't be
* stored in the buffer provided
* -EBUSY if unable to handle the request
*
* Returns: On success 0 is returned, a negative errno if not.
*/
int plpks_read_bootloader_var(struct plpks_var *var)
{
return plpks_read_var(PLPKS_BOOTLOADER_OWNER, var);
}
/**
* plpks_populate_fdt(): Populates the FDT with the PLPKS password to prepare
* for kexec.
* @fdt: pointer to the device tree blob
*
* Upon confirming the existence of the chosen node, invoke fdt_setprop to
* populate the device tree with the PLPKS password in order to prepare for
* kexec.
*
* Returns: On success 0 is returned, a negative value if not.
*/
int plpks_populate_fdt(void *fdt)
{
int chosen_offset = fdt_path_offset(fdt, "/chosen");
if (chosen_offset < 0) {
pr_err("Can't find chosen node: %s\n",
fdt_strerror(chosen_offset));
return chosen_offset;
}
return fdt_setprop(fdt, chosen_offset, "ibm,plpks-pw", ospassword, ospasswordlength);
}
/**
* plpks_early_init_devtree() - Retrieves and clears the PLPKS password from the
* DT in early init.
*
* Once a password is registered with the hypervisor it cannot be cleared
* without rebooting the LPAR, so to keep using the PLPKS across kexec boots we
* need to recover the previous password from the FDT.
*
* There are a few challenges here. We don't want the password to be visible to
* users, so we need to clear it from the FDT. This has to be done in early
* boot. Clearing it from the FDT would make the FDT's checksum invalid, so we
* have to manually cause the checksum to be recalculated.
*/
void __init plpks_early_init_devtree(void)
{
void *fdt = initial_boot_params;
int chosen_node = fdt_path_offset(fdt, "/chosen");
const u8 *password;
int len;
if (chosen_node < 0)
return;
password = fdt_getprop(fdt, chosen_node, "ibm,plpks-pw", &len);
if (len <= 0) {
pr_debug("Couldn't find ibm,plpks-pw node.\n");
return;
}
ospassword = memblock_alloc_raw(len, SMP_CACHE_BYTES);
if (!ospassword) {
pr_err("Error allocating memory for password.\n");
goto out;
}
memcpy(ospassword, password, len);
ospasswordlength = (u16)len;
out:
fdt_nop_property(fdt, chosen_node, "ibm,plpks-pw");
// Since we've cleared the password, we must update the FDT checksum
early_init_dt_verify(fdt, __pa(fdt));
}
static __init int pseries_plpks_init(void)
{
int rc;
if (!firmware_has_feature(FW_FEATURE_PLPKS))
return -ENODEV;
rc = _plpks_get_config();
if (rc) {
pr_err("POWER LPAR Platform KeyStore is not supported or enabled\n");
return rc;
}
rc = plpks_gen_password();
if (rc)
pr_err("Failed setting POWER LPAR Platform KeyStore Password\n");
else
pr_info("POWER LPAR Platform KeyStore initialized successfully\n");
return rc;
}
machine_arch_initcall(pseries, pseries_plpks_init);
Reference in New Issue View Git Blame Copy Permalink