xref: /openbmc/linux/arch/powerpc/include/asm/plpks.h (revision 3b59a759)
1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3  * Copyright (C) 2022 IBM Corporation
4  * Author: Nayna Jain <nayna@linux.ibm.com>
5  *
6  * Platform keystore for pseries LPAR(PLPKS).
7  */
8 
9 #ifndef _ASM_POWERPC_PLPKS_H
10 #define _ASM_POWERPC_PLPKS_H
11 
12 #ifdef CONFIG_PSERIES_PLPKS
13 
14 #include <linux/types.h>
15 #include <linux/list.h>
16 
17 // Object policy flags from supported_policies
// NOTE(review): PPC_BIT32()/PPC_BIT() are defined outside this header; they
// presumably use IBM (MSB-0) bit numbering, so PPC_BIT32(1) is not 1 << 1 -
// confirm before comparing these against raw values.
18 #define PLPKS_OSSECBOOTAUDIT	PPC_BIT32(1) // OS secure boot must be audit/enforce
19 #define PLPKS_OSSECBOOTENFORCE	PPC_BIT32(2) // OS secure boot must be enforce
20 #define PLPKS_PWSET		PPC_BIT32(3) // No access without password set
21 #define PLPKS_WORLDREADABLE	PPC_BIT32(4) // Readable without authentication; unsuitable for objects holding secrets
22 #define PLPKS_IMMUTABLE		PPC_BIT32(5) // Once written, object cannot be removed
23 #define PLPKS_TRANSIENT		PPC_BIT32(6) // Object does not persist through reboot
24 #define PLPKS_SIGNEDUPDATE	PPC_BIT32(7) // Object can only be modified by signed updates
25 #define PLPKS_HVPROVISIONED	PPC_BIT32(28) // Hypervisor has provisioned this object
26 
27 // Signature algorithm flags from signed_update_algorithms
// (64-bit mask, built with PPC_BIT() rather than PPC_BIT32())
28 #define PLPKS_ALG_RSA2048	PPC_BIT(0)
29 #define PLPKS_ALG_RSA4096	PPC_BIT(1)
30 
31 // Object label OS metadata flags
// presumably the values carried in plpks_var.os / the varos argument - confirm
32 #define PLPKS_VAR_LINUX		0x02
33 #define PLPKS_VAR_COMMON	0x04
34 
35 // Values identifying which consumer owns an object
// NOTE(review): 0x3 == 0x1 | 0x2, so these look like enumerated values rather
// than OR-able bits - confirm before combining or masking them.
36 #define PLPKS_FW_OWNER			0x1
37 #define PLPKS_BOOTLOADER_OWNER		0x2
38 #define PLPKS_OS_OWNER			0x3
39 
40 // Label metadata version and size limits
// presumably byte counts; callers should bound namelen/datalen against these
// before building a request - TODO confirm where the limits are enforced
41 #define PLPKS_LABEL_VERSION		0
42 #define PLPKS_MAX_LABEL_ATTR_SIZE	16
43 #define PLPKS_MAX_NAME_SIZE		239
44 #define PLPKS_MAX_DATA_SIZE		4000
45 
46 // Timeouts for PLPKS operations
47 #define PLPKS_MAX_TIMEOUT		(5 * USEC_PER_SEC) // usec, i.e. 5 seconds
48 #define PLPKS_FLUSH_SLEEP		10000 // usec
49 
/*
 * Describes one keystore object for the read/write/update calls declared in
 * this header. name and data are raw byte pointers with separate u16 lengths;
 * nothing here says they are NUL-terminated, so rely on namelen/datalen -
 * TODO confirm.
 */
50 struct plpks_var {
51 	char *component;	// component type; the signed-update call expects NULL here
52 	u8 *name;		// object name, namelen bytes
53 	u8 *data;		// object data; caller-allocated buffer for the read calls
54 	u32 policy;		// presumably a mask of the PLPKS_* policy flags - confirm
55 	u16 namelen;		// length of name
56 	u16 datalen;		// length of data; filled with the object size when a read is given no buffer
57 	u8 os;			// presumably PLPKS_VAR_LINUX / PLPKS_VAR_COMMON - confirm
58 };
59 
/*
 * A variable name as a pointer/length pair; this is the type of the vname
 * argument of plpks_remove_var().
 */
60 struct plpks_var_name {
61 	u8  *name;	// name bytes; not stated to be NUL-terminated, use namelen
62 	u16 namelen;	// length of name
63 };
64 
/*
 * A counted list of variable names. varlist[] is a flexible array member, so
 * the allocation must be sized for the entries as well as the header.
 */
65 struct plpks_var_name_list {
66 	u32 varcount;	// presumably the number of entries in varlist - confirm
67 	struct plpks_var_name varlist[];
68 };
69 
70 /**
71  * Updates the authenticated variable. It expects NULL as the component.
 *
 * NOTE(review): the meaning of @flags and the return convention are not
 * described in this header (presumably 0 on success, negative errno on
 * failure) - TODO document.
72  */
73 int plpks_signed_update_var(struct plpks_var *var, u64 flags);
74 
75 /**
76  * Writes the specified var and its data to PKS.
77  * Any caller of PKS driver should present a valid component type for
78  * their variable.
 *
 * var is passed by value, but its component, name and data members are
 * pointers, so the buffers they reference still belong to the caller.
 * NOTE(review): var.policy presumably selects the PLPKS_* policy flags the
 * object is created with; check it against plpks_get_supportedpolicies() -
 * confirm.
79  */
80 int plpks_write_var(struct plpks_var var);
81 
82 /**
83  * Removes the specified var and its data from PKS.
 *
 * NOTE(review): varos presumably takes PLPKS_VAR_LINUX / PLPKS_VAR_COMMON -
 * confirm.
84  */
85 int plpks_remove_var(char *component, u8 varos,
86 		     struct plpks_var_name vname);
87 
88 /**
89  * Returns the data for the specified os variable.
90  *
91  * Caller must allocate a buffer in var->data with length in var->datalen.
92  * If no buffer is provided, var->datalen will be populated with the object's
93  * size.
 *
 * NOTE(review), applies to all three read calls in this header: "no buffer"
 * presumably means var->data == NULL - confirm. Whether var->datalen is
 * updated to the number of bytes actually returned when a buffer is given is
 * not stated here; confirm before using it as the length of valid data.
94  */
95 int plpks_read_os_var(struct plpks_var *var);
96 
97 /**
98  * Returns the data for the specified firmware variable.
99  *
100  * Caller must allocate a buffer in var->data with length in var->datalen.
101  * If no buffer is provided, var->datalen will be populated with the object's
102  * size.
103  */
104 int plpks_read_fw_var(struct plpks_var *var);
105 
106 /**
107  * Returns the data for the specified bootloader variable.
108  *
109  * Caller must allocate a buffer in var->data with length in var->datalen.
110  * If no buffer is provided, var->datalen will be populated with the object's
111  * size.
112  */
113 int plpks_read_bootloader_var(struct plpks_var *var);
114 
115 /**
116  * Returns if PKS is available on this LPAR.
 *
 * This is one of the four functions that also has a stub when
 * CONFIG_PSERIES_PLPKS is not set; that stub returns false.
117  */
118 bool plpks_is_available(void);
119 
120 /**
121  * Returns version of the Platform KeyStore.
122  */
123 u8 plpks_get_version(void);
124 
125 /**
126  * Returns hypervisor storage overhead per object, not including the size of
127  * the object or label. Only valid for config version >= 2
 *
 * NOTE(review): "config version" is presumably the value reported by
 * plpks_get_version(); what is returned on older versions is not stated -
 * confirm.
128  */
129 u16 plpks_get_objoverhead(void);
130 
131 /**
132  * Returns maximum password size. Must be >= 32 bytes
133  */
134 u16 plpks_get_maxpwsize(void);
135 
136 /**
137  * Returns maximum object size supported by Platform KeyStore.
138  */
139 u16 plpks_get_maxobjectsize(void);
140 
141 /**
142  * Returns maximum object label size supported by Platform KeyStore.
143  */
144 u16 plpks_get_maxobjectlabelsize(void);
145 
146 /**
147  * Returns total size of the configured Platform KeyStore.
148  */
149 u32 plpks_get_totalsize(void);
150 
151 /**
152  * Returns used space from the total size of the Platform KeyStore.
153  */
154 u32 plpks_get_usedspace(void);
155 
156 /**
157  * Returns bitmask of policies supported by the hypervisor.
 *
 * The policy bits are the PLPKS_* "Object policy flags from
 * supported_policies" defined at the top of this header.
158  */
159 u32 plpks_get_supportedpolicies(void);
160 
161 /**
162  * Returns maximum byte size of a single object supported by the hypervisor.
163  * Only valid for config version >= 3
164  */
165 u32 plpks_get_maxlargeobjectsize(void);
166 
167 /**
168  * Returns bitmask of signature algorithms supported for signed updates.
169  * Only valid for config version >= 3
 *
 * The algorithm bits are the PLPKS_ALG_* flags defined in this header.
170  */
171 u64 plpks_get_signedupdatealgorithms(void);
172 
173 /**
174  * Returns the length of the PLPKS password in bytes.
 *
 * The !CONFIG_PSERIES_PLPKS stub of this function is BUILD_BUG(), so calls
 * must not survive into such a build.
175  */
176 u16 plpks_get_passwordlen(void);
177 
178 /**
179  * Called in early init to retrieve and clear the PLPKS password from the DT.
 *
 * Clearing the DT copy keeps the password from staying readable in the
 * device tree after boot.
180  */
181 void plpks_early_init_devtree(void);
182 
183 /**
184  * Populates the FDT with the PLPKS password to prepare for kexec.
 *
 * NOTE(review): once this has run, @fdt holds the password, so the blob
 * should be handled as sensitive. The next kernel presumably consumes and
 * clears it via plpks_early_init_devtree() - confirm. The return convention
 * is not stated here (presumably 0 on success) - TODO document.
185  */
186 int plpks_populate_fdt(void *fdt);
187 #else // CONFIG_PSERIES_PLPKS
/* Stub for builds without CONFIG_PSERIES_PLPKS: the keystore is never available. */
static inline bool plpks_is_available(void)
{
	return false;
}
/*
 * Stub for builds without CONFIG_PSERIES_PLPKS. BUILD_BUG() breaks the build
 * if a call to this function is not optimised away, so callers presumably
 * have to guard it with plpks_is_available() - confirm.
 */
static inline u16 plpks_get_passwordlen(void)
{
	BUILD_BUG();
}
/* Stub for builds without CONFIG_PSERIES_PLPKS: there is no password to retrieve, so do nothing. */
static inline void plpks_early_init_devtree(void)
{
}
/*
 * Stub for builds without CONFIG_PSERIES_PLPKS. BUILD_BUG() breaks the build
 * if a call to this function is not optimised away; fdt is never touched.
 */
static inline int plpks_populate_fdt(void *fdt)
{
	BUILD_BUG();
}
192 #endif // CONFIG_PSERIES_PLPKS
193 
194 #endif // _ASM_POWERPC_PLPKS_H
195