/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Copyright (C) 2022 IBM Corporation
 * Author: Nayna Jain <nayna@linux.ibm.com>
 *
 * Platform keystore for pseries LPAR(PLPKS).
 *
 * Declares the policy/ownership constants, the variable descriptors and the
 * entry points of the PLPKS driver. Everything except four stubs is only
 * declared when CONFIG_PSERIES_PLPKS is set.
 */

#ifndef _ASM_POWERPC_PLPKS_H
#define _ASM_POWERPC_PLPKS_H

#ifdef CONFIG_PSERIES_PLPKS

#include <linux/types.h>
#include <linux/list.h>

// NOTE(review): PPC_BIT32(), PPC_BIT() and USEC_PER_SEC are used below but are
// not defined in this header; the including file must have them in scope.
// Presumably the PPC_BIT* macros use IBM (MSB-0) bit numbering - confirm
// before comparing these values with raw hypervisor output.

// Object policy flags from supported_policies.
// These are single-bit values, so a policy word may carry several of them.
#define PLPKS_OSSECBOOTAUDIT	PPC_BIT32(1) // OS secure boot must be audit/enforce
#define PLPKS_OSSECBOOTENFORCE	PPC_BIT32(2) // OS secure boot must be enforce
#define PLPKS_PWSET		PPC_BIT32(3) // No access without password set
// An object with this policy needs no authentication to read, so it is not a
// suitable place for secret material.
#define PLPKS_WORLDREADABLE	PPC_BIT32(4) // Readable without authentication
#define PLPKS_IMMUTABLE		PPC_BIT32(5) // Once written, object cannot be removed
#define PLPKS_TRANSIENT		PPC_BIT32(6) // Object does not persist through reboot
#define PLPKS_SIGNEDUPDATE	PPC_BIT32(7) // Object can only be modified by signed updates
#define PLPKS_HVPROVISIONED	PPC_BIT32(28) // Hypervisor has provisioned this object

// Signature algorithm flags from signed_update_algorithms
// (the bitmask returned by plpks_get_signedupdatealgorithms()).
#define PLPKS_ALG_RSA2048	PPC_BIT(0)
#define PLPKS_ALG_RSA4096	PPC_BIT(1)

// Object label OS metadata flags
#define PLPKS_VAR_LINUX		0x02
#define PLPKS_VAR_COMMON	0x04

// Identifies which consumer (firmware, bootloader or OS) owns an object.
// NOTE(review): 0x3 equals 0x1 | 0x2, so these look like enumerated values
// rather than OR-able bits - compare with ==, not with a mask; confirm.
#define PLPKS_FW_OWNER		0x1
#define PLPKS_BOOTLOADER_OWNER	0x2
#define PLPKS_OS_OWNER		0x3

// Constants for label metadata fields.
// NOTE(review): presumably PLPKS_MAX_NAME_SIZE and PLPKS_MAX_DATA_SIZE bound
// plpks_var.namelen and plpks_var.datalen; this header does not show where
// they are enforced - verify against the implementation.
#define PLPKS_LABEL_VERSION		0
#define PLPKS_MAX_LABEL_ATTR_SIZE	16
#define PLPKS_MAX_NAME_SIZE		239
#define PLPKS_MAX_DATA_SIZE		4000

// Timeouts for PLPKS operations
#define PLPKS_MAX_TIMEOUT		(5 * USEC_PER_SEC) // usec, i.e. 5 seconds
#define PLPKS_FLUSH_SLEEP		10000 // usec

/*
 * Descriptor for one keystore object.
 *
 * name and data are length-delimited byte buffers (u8 * plus a u16 length),
 * so callers must keep namelen/datalen consistent with the memory they point
 * at. NOTE(review): nothing here says name is NUL-terminated - treat it as a
 * counted buffer.
 */
struct plpks_var {
	char *component;	// component the object belongs to; NULL for signed updates
	u8 *name;		// object name, namelen bytes
	u8 *data;		// object payload, datalen bytes
	u32 policy;		// policy word; presumably a mask of the PLPKS_* policy flags above
	u16 namelen;		// length of name in bytes
	u16 datalen;		// length of data in bytes
	u8 os;			// presumably a PLPKS_VAR_* label flag - confirm
};

/* Counted object name, without data or policy. */
struct plpks_var_name {
	u8 *name;		// object name, namelen bytes
	u16 namelen;		// length of name in bytes
};

/*
 * List of object names. varlist is a flexible array member, so the structure
 * must be allocated with room for varcount entries.
 */
struct plpks_var_name_list {
	u32 varcount;
	struct plpks_var_name varlist[];
};

/**
 * Updates the authenticated variable. It expects NULL as the component.
 *
 * NOTE(review): the meaning of @flags is not described in this header;
 * confirm against the implementation.
 */
int plpks_signed_update_var(struct plpks_var *var, u64 flags);

/**
 * Writes the specified var and its data to PKS.
 * Any caller of PKS driver should present a valid component type for
 * their variable.
 *
 * The descriptor is passed by value: the struct is copied, but the name and
 * data buffers it points to are not.
 */
int plpks_write_var(struct plpks_var var);

/**
 * Removes the specified var and its data from PKS.
 */
int plpks_remove_var(char *component, u8 varos,
		     struct plpks_var_name vname);

/**
 * Returns the data for the specified os variable.
 *
 * Caller must allocate a buffer in var->data with length in var->datalen.
 * If no buffer is provided, var->datalen will be populated with the object's
 * size.
 *
 * NOTE(review): this header does not say what happens when the supplied
 * buffer is smaller than the stored object; check the implementation before
 * relying on either truncation or an error return.
 */
int plpks_read_os_var(struct plpks_var *var);

/**
 * Returns the data for the specified firmware variable.
 *
 * Caller must allocate a buffer in var->data with length in var->datalen.
 * If no buffer is provided, var->datalen will be populated with the object's
 * size.
 *
 * NOTE(review): behaviour for a buffer smaller than the object is not stated
 * here; confirm in the implementation.
 */
int plpks_read_fw_var(struct plpks_var *var);

/**
 * Returns the data for the specified bootloader variable.
 *
 * Caller must allocate a buffer in var->data with length in var->datalen.
 * If no buffer is provided, var->datalen will be populated with the object's
 * size.
 *
 * NOTE(review): behaviour for a buffer smaller than the object is not stated
 * here; confirm in the implementation.
 */
int plpks_read_bootloader_var(struct plpks_var *var);

/**
 * Returns if PKS is available on this LPAR.
 *
 * This is one of the four functions that also has a stub when
 * CONFIG_PSERIES_PLPKS is off (the stub returns false), so it can be used as
 * a guard in code that is built either way.
 */
bool plpks_is_available(void);

/**
 * Returns version of the Platform KeyStore.
 */
u8 plpks_get_version(void);

/**
 * Returns hypervisor storage overhead per object, not including the size of
 * the object or label. Only valid for config version >= 2
 */
u16 plpks_get_objoverhead(void);

/**
 * Returns maximum password size. Must be >= 32 bytes
 */
u16 plpks_get_maxpwsize(void);

/**
 * Returns maximum object size supported by Platform KeyStore.
 */
u16 plpks_get_maxobjectsize(void);

/**
 * Returns maximum object label size supported by Platform KeyStore.
 */
u16 plpks_get_maxobjectlabelsize(void);

/**
 * Returns total size of the configured Platform KeyStore.
 */
u32 plpks_get_totalsize(void);

/**
 * Returns used space from the total size of the Platform KeyStore.
 */
u32 plpks_get_usedspace(void);

/**
 * Returns bitmask of policies supported by the hypervisor.
 *
 * The bits are the PLPKS_* object policy flags defined above.
 */
u32 plpks_get_supportedpolicies(void);

/**
 * Returns maximum byte size of a single object supported by the hypervisor.
 * Only valid for config version >= 3
 */
u32 plpks_get_maxlargeobjectsize(void);

/**
 * Returns bitmask of signature algorithms supported for signed updates.
 * Only valid for config version >= 3
 *
 * The bits are the PLPKS_ALG_* flags defined above.
 */
u64 plpks_get_signedupdatealgorithms(void);

/**
 * Returns the length of the PLPKS password in bytes.
 *
 * Only the length is exposed; this header declares no accessor for the
 * password itself.
 */
u16 plpks_get_passwordlen(void);

/**
 * Called in early init to retrieve and clear the PLPKS password from the DT.
 *
 * NOTE(review): presumably the clear is there so the password does not stay
 * readable in the device tree after boot - confirm in the implementation.
 */
void plpks_early_init_devtree(void);

/**
 * Populates the FDT with the PLPKS password to prepare for kexec.
 *
 * After this call the FDT blob carries the password.
 * NOTE(review): callers should treat that blob as sensitive; confirm how the
 * kexec path protects it.
 */
int plpks_populate_fdt(void *fdt);
#else // CONFIG_PSERIES_PLPKS
/*
 * Stubs for builds without PLPKS. Only these four functions are provided;
 * every other declaration above is absent, so code that calls them must be
 * built only when CONFIG_PSERIES_PLPKS is set.
 *
 * The two BUILD_BUG() stubs make the build fail if a call to them is not
 * optimised away, so their callers have to be unreachable in this
 * configuration (for example behind plpks_is_available(), which is constant
 * false here).
 */
static inline bool plpks_is_available(void) { return false; }
static inline u16 plpks_get_passwordlen(void) { BUILD_BUG(); }
static inline void plpks_early_init_devtree(void) { }
static inline int plpks_populate_fdt(void *fdt) { BUILD_BUG(); }
#endif // CONFIG_PSERIES_PLPKS

#endif // _ASM_POWERPC_PLPKS_H