platforms/pseries/plpks-secvar.c

// SPDX-License-Identifier: GPL-2.0-only

// Secure variable implementation using the PowerVM LPAR Platform KeyStore (PLPKS)
//
// Copyright 2022, 2023 IBM Corporation
// Authors: Russell Currey
//          Andrew Donnellan
//          Nayna Jain

#define pr_fmt(fmt) "secvar: "fmt

#include <linux/printk.h>
#include <linux/init.h>
#include <linux/types.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/kobject.h>
#include <linux/nls.h>
#include <asm/machdep.h>
#include <asm/secvar.h>
#include <asm/plpks.h>

// Config attributes for sysfs
#define PLPKS_CONFIG_ATTR(name, fmt, func)			\
	static ssize_t name##_show(struct kobject *kobj,	\
				   struct kobj_attribute *attr,	\
				   char *buf)			\
	{							\
		return sysfs_emit(buf, fmt, func());		\
	}							\
	static struct kobj_attribute attr_##name = __ATTR_RO(name)

PLPKS_CONFIG_ATTR(version, "%u\n", plpks_get_version);
PLPKS_CONFIG_ATTR(max_object_size, "%u\n", plpks_get_maxobjectsize);
PLPKS_CONFIG_ATTR(total_size, "%u\n", plpks_get_totalsize);
PLPKS_CONFIG_ATTR(used_space, "%u\n", plpks_get_usedspace);
PLPKS_CONFIG_ATTR(supported_policies, "%08x\n", plpks_get_supportedpolicies);
PLPKS_CONFIG_ATTR(signed_update_algorithms, "%016llx\n", plpks_get_signedupdatealgorithms);

static const struct attribute *config_attrs[] = {
	&attr_version.attr,
	&attr_max_object_size.attr,
	&attr_total_size.attr,
	&attr_used_space.attr,
	&attr_supported_policies.attr,
	&attr_signed_update_algorithms.attr,
	NULL,
};

static u32 get_policy(const char *name)
{
	if ((strcmp(name, "db") == 0) ||
	    (strcmp(name, "dbx") == 0) ||
	    (strcmp(name, "grubdb") == 0) ||
	    (strcmp(name, "grubdbx") == 0) ||
	    (strcmp(name, "sbat") == 0))
		return (PLPKS_WORLDREADABLE | PLPKS_SIGNEDUPDATE);
	else
		return PLPKS_SIGNEDUPDATE;
}

static const char * const plpks_var_names[] = {
	"PK",
	"KEK",
	"db",
	"dbx",
	"grubdb",
	"grubdbx",
	"sbat",
	"moduledb",
	"trustedcadb",
	NULL,
};

static int plpks_get_variable(const char *key, u64 key_len, u8 *data,
			      u64 *data_size)
{
	struct plpks_var var = {0};
	int rc = 0;

	// We subtract 1 from key_len because we don't need to include the
	// null terminator at the end of the string
	var.name = kcalloc(key_len - 1, sizeof(wchar_t), GFP_KERNEL);
	if (!var.name)
		return -ENOMEM;
	rc = utf8s_to_utf16s(key, key_len - 1, UTF16_LITTLE_ENDIAN, (wchar_t *)var.name,
			     key_len - 1);
	if (rc < 0)
		goto err;
	var.namelen = rc * 2;

	var.os = PLPKS_VAR_LINUX;
	if (data) {
		var.data = data;
		var.datalen = *data_size;
	}
	rc = plpks_read_os_var(&var);

	if (rc)
		goto err;

	*data_size = var.datalen;

err:
	kfree(var.name);
	if (rc && rc != -ENOENT) {
		pr_err("Failed to read variable '%s': %d\n", key, rc);
		// Return -EIO since userspace probably doesn't care about the
		// specific error
		rc = -EIO;
	}
	return rc;
}

static int plpks_set_variable(const char *key, u64 key_len, u8 *data,
			      u64 data_size)
{
	struct plpks_var var = {0};
	int rc = 0;
	u64 flags;

	// Secure variables need to be prefixed with 8 bytes of flags.
	// We only want to perform the write if we have at least one byte of data.
	if (data_size <= sizeof(flags))
		return -EINVAL;

	// We subtract 1 from key_len because we don't need to include the
	// null terminator at the end of the string
	var.name = kcalloc(key_len - 1, sizeof(wchar_t), GFP_KERNEL);
	if (!var.name)
		return -ENOMEM;
	rc = utf8s_to_utf16s(key, key_len - 1, UTF16_LITTLE_ENDIAN, (wchar_t *)var.name,
			     key_len - 1);
	if (rc < 0)
		goto err;
	var.namelen = rc * 2;

	// Flags are contained in the first 8 bytes of the buffer, and are always big-endian
	flags = be64_to_cpup((__be64 *)data);

	var.datalen = data_size - sizeof(flags);
	var.data = data + sizeof(flags);
	var.os = PLPKS_VAR_LINUX;
	var.policy = get_policy(key);

	// Unlike in the read case, the plpks error code can be useful to
	// userspace on write, so we return it rather than just -EIO
	rc = plpks_signed_update_var(&var, flags);

err:
	kfree(var.name);
	return rc;
}

// PLPKS dynamic secure boot doesn't give us a format string in the same way OPAL does.
// Instead, report the format using the SB_VERSION variable in the keystore.
// The string is made up by us, and takes the form "ibm,plpks-sb-v<n>" (or "ibm,plpks-sb-unknown"
// if the SB_VERSION variable doesn't exist). Hypervisor defines the SB_VERSION variable as a
// "1 byte unsigned integer value".
static ssize_t plpks_secvar_format(char *buf, size_t bufsize)
{
	struct plpks_var var = {0};
	ssize_t ret;
	u8 version;

	var.component = NULL;
	// Only the signed variables have null bytes in their names, this one doesn't
	var.name = "SB_VERSION";
	var.namelen = strlen(var.name);
	var.datalen = 1;
	var.data = &version;

	// Unlike the other vars, SB_VERSION is owned by firmware instead of the OS
	ret = plpks_read_fw_var(&var);
	if (ret) {
		if (ret == -ENOENT) {
			ret = snprintf(buf, bufsize, "ibm,plpks-sb-unknown");
		} else {
			pr_err("Error %ld reading SB_VERSION from firmware\n", ret);
			ret = -EIO;
		}
		goto err;
	}

	ret = snprintf(buf, bufsize, "ibm,plpks-sb-v%hhu", version);
err:
	return ret;
}

static int plpks_max_size(u64 *max_size)
{
	// The max object size reported by the hypervisor is accurate for the
	// object itself, but we use the first 8 bytes of data on write as the
	// signed update flags, so the max size a user can write is larger.
	*max_size = (u64)plpks_get_maxobjectsize() + sizeof(u64);

	return 0;
}


static const struct secvar_operations plpks_secvar_ops = {
	.get = plpks_get_variable,
	.set = plpks_set_variable,
	.format = plpks_secvar_format,
	.max_size = plpks_max_size,
	.config_attrs = config_attrs,
	.var_names = plpks_var_names,
};

static int plpks_secvar_init(void)
{
	if (!plpks_is_available())
		return -ENODEV;

	return set_secvar_ops(&plpks_secvar_ops);
}
machine_device_initcall(pseries, plpks_secvar_init);