forked from Minki/linux
2702809a4a
While secure boot permits only properly verified signed kernels to be booted, trusted boot calculates the file hash of the kernel image and stores the measurement prior to boot, that can be subsequently compared against good known values via attestation services. This patch reads the trusted boot state of a PowerNV system. The state is used to conditionally enable additional measurement rules in the IMA arch-specific policies. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Signed-off-by: Eric Richter <erichte@linux.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/e9eeee6b-b9bf-1e41-2954-61dbd6fbfbcf@linux.ibm.com
51 lines
1.0 KiB
C
51 lines
1.0 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* Copyright (C) 2019 IBM Corporation
|
|
* Author: Nayna Jain
|
|
*/
|
|
#include <linux/types.h>
|
|
#include <linux/of.h>
|
|
#include <asm/secure_boot.h>
|
|
|
|
static struct device_node *get_ppc_fw_sb_node(void)
|
|
{
|
|
static const struct of_device_id ids[] = {
|
|
{ .compatible = "ibm,secureboot", },
|
|
{ .compatible = "ibm,secureboot-v1", },
|
|
{ .compatible = "ibm,secureboot-v2", },
|
|
{},
|
|
};
|
|
|
|
return of_find_matching_node(NULL, ids);
|
|
}
|
|
|
|
bool is_ppc_secureboot_enabled(void)
|
|
{
|
|
struct device_node *node;
|
|
bool enabled = false;
|
|
|
|
node = get_ppc_fw_sb_node();
|
|
enabled = of_property_read_bool(node, "os-secureboot-enforcing");
|
|
|
|
of_node_put(node);
|
|
|
|
pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled");
|
|
|
|
return enabled;
|
|
}
|
|
|
|
bool is_ppc_trustedboot_enabled(void)
|
|
{
|
|
struct device_node *node;
|
|
bool enabled = false;
|
|
|
|
node = get_ppc_fw_sb_node();
|
|
enabled = of_property_read_bool(node, "trusted-enabled");
|
|
|
|
of_node_put(node);
|
|
|
|
pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled");
|
|
|
|
return enabled;
|
|
}
|