libstb/secvar: add secure variable internal abstraction

This patch implements a platform-independent abstraction for storing and
retrieving secure variables, as required for host OS secure boot. This
serves as the main entry point for initializing the in-memory cache of the
secure variables, which also kicks off any platform-specific logic that may
be needed. This patch also provides core functions for the subsequent
patches in this series to utilize.

The base secure variable implementation makes use of two types of
drivers, to be selected by the platform: "storage" drivers, and
"backend" drivers. The storage driver implements the hooks required to
write the secure variables to some form of non-volatile memory, and load
the variables on boot. The backend driver defines how the variables
should be interpreted, and processed.

Secure variables are stored in two types of banks, the "variable" bank
and the "update" bank. Variables that have been validated and processed
are stored in the variable bank. This bank is effectively read-only
after the base secvar initialization. Any proposed variable updates are
instead stored in the update bank. During secvar initialization, the
backend driver processes variables from the update bank, and if valid,
adds the new variable to the variable bank.

NOTE: The name "backend" is subject to change. It operates more like a
scheme, so unless a better name comes along, it will likely change to
"scheme" or "schema" in the future.

Signed-off-by: Eric Richter <erichte@linux.ibm.com>
[oliver: added missing SPDX tags, removed unused definitions, style fixes]
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
---
V2:
 - added secvar device tree node as child of ibm,secureboot
 - added version and compatible properties to backend driver struct
 - added secvar_ready flag for the API to detect if secvar
    initialized successfully
 - moved pre-process step to after initial variable load
 - moved flags field from secvar struct to secvar node

V3:
 - remove the metadata secvar field
 - add probe_secvar() to bump compatible flag
 - add device tree property for backend-agnostic secure mode setting
 - remove backend minor version field
 - remove static data allocation in secvar struct

V4:
 - add alloc_secvar helpers
 - removed ibm,secureboot version bump to v3
 - secvars now store their allocated size seperate from the
   data size (to permit overallocating)
 - split device tree functions into their own file
 - device tree changes:
   - secvar now a child of ibm,opal
   - compatible is "ibm,secvar-v1", backend creates its own node
   - secure-mode is now a boolean os-secure-enforcing property
   - storage and backends now have their own nodes

V5:
 - removed storage device tree subnode
 - moved max-var-size to secvar node
 - added max-var-key-len
 - fixed SPDX header in include/secvar.h
 - removed obsolete enum
 - removed unused devtree wrappers
 - set secvar status prop earlier

V6:
 - moved os-secureboot-enforcing to ibm,secureboot
 - set secvar compatible based on backend
 - removed backend node

9 files changed, 363 insertions, 1 deletions

diff --git a/libstb/Makefile.inc b/libstb/Makefile.inc
index 6d54c5c..d3f6849 100644
--- a/libstb/Makefile.inc
+++ b/libstb/Makefile.inc
@@ -8,11 +8,12 @@ LIBSTB_SRCS = container.c tpm_chip.c cvc.c secureboot.c trustedboot.c
 LIBSTB_OBJS = $(LIBSTB_SRCS:%.c=%.o)
 LIBSTB = $(LIBSTB_DIR)/built-in.a
 
+include $(SRC)/$(LIBSTB_DIR)/secvar/Makefile.inc
 include $(SRC)/$(LIBSTB_DIR)/mbedtls/Makefile.inc
 include $(SRC)/$(LIBSTB_DIR)/drivers/Makefile.inc
 include $(SRC)/$(LIBSTB_DIR)/tss/Makefile.inc
 
-$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) $(MBEDTLS)
+$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) $(SECVAR) $(MBEDTLS)
 
 libstb/create-container: libstb/create-container.c libstb/container-utils.c
 	$(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) \
diff --git a/libstb/secvar/Makefile.inc b/libstb/secvar/Makefile.inc
new file mode 100644
index 0000000..25785a2
--- /dev/null
+++ b/libstb/secvar/Makefile.inc
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: Apache-2.0
+# -*-Makefile-*-
+
+SECVAR_DIR = libstb/secvar
+
+SUBDIRS += $(SECVAR_DIR)
+
+include $(SECVAR_DIR)/storage/Makefile.inc
+include $(SECVAR_DIR)/backend/Makefile.inc
+
+SECVAR_SRCS = secvar_main.c secvar_util.c secvar_devtree.c
+SECVAR_OBJS = $(SECVAR_SRCS:%.c=%.o)
+SECVAR = $(SECVAR_DIR)/built-in.a
+
+$(SECVAR): $(SECVAR_OBJS:%=$(SECVAR_DIR)/%) $(SECVAR_STORAGE) $(SECVAR_BACKEND)
diff --git a/libstb/secvar/backend/Makefile.inc b/libstb/secvar/backend/Makefile.inc
new file mode 100644
index 0000000..cc1a49f
--- /dev/null
+++ b/libstb/secvar/backend/Makefile.inc
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: Apache-2.0
+# -*-Makefile-*-
+
+SECVAR_BACKEND_DIR = libstb/secvar/backend
+
+SUBDIRS += $(SECVAR_BACKEND_DIR)
+
+SECVAR_BACKEND_SRCS =
+SECVAR_BACKEND_OBJS = $(SECVAR_BACKEND_SRCS:%.c=%.o)
+SECVAR_BACKEND = $(SECVAR_BACKEND_DIR)/built-in.a
+
+$(SECVAR_BACKEND): $(SECVAR_BACKEND_OBJS:%=$(SECVAR_BACKEND_DIR)/%)
diff --git a/libstb/secvar/secvar.h b/libstb/secvar/secvar.h
new file mode 100644
index 0000000..771ff64
--- /dev/null
+++ b/libstb/secvar/secvar.h
@@ -0,0 +1,52 @@
+// SPDX-License-Identifier: Apache-2.0
+/* Copyright 2013-2019 IBM Corp. */
+
+#ifndef _SECVAR_H_
+#define _SECVAR_H_
+
+#include <ccan/list/list.h>
+#include <stdint.h>
+#include <secvar.h>
+
+#define SECVAR_MAX_KEY_LEN		1024
+
+enum {
+	SECVAR_VARIABLE_BANK,
+	SECVAR_UPDATE_BANK,
+};
+
+
+struct secvar_node {
+	struct list_node link;
+	struct secvar *var;
+	uint64_t flags;		// Flag for how *var should be stored
+	uint64_t size;		// How much space was allocated for data
+};
+
+#define SECVAR_FLAG_VOLATILE		0x1 // Instructs storage driver to ignore variable on writes
+#define SECVAR_FLAG_SECURE_STORAGE	0x2 // Hint for storage driver to select storage location
+
+struct secvar {
+	uint64_t key_len;
+	uint64_t data_size;
+	char key[SECVAR_MAX_KEY_LEN];
+	char data[0];
+};
+
+
+extern struct list_head variable_bank;
+extern struct list_head update_bank;
+extern int secvar_enabled;
+extern int secvar_ready;
+extern struct secvar_storage_driver secvar_storage;
+extern struct secvar_backend_driver secvar_backend;
+
+// Helper functions
+void clear_bank_list(struct list_head *bank);
+struct secvar_node *alloc_secvar(uint64_t size);
+int realloc_secvar(struct secvar_node *node, uint64_t size);
+struct secvar_node *find_secvar(const char *key, uint64_t key_len, struct list_head *bank);
+int is_key_empty(const char *key, uint64_t key_len);
+int list_length(struct list_head *bank);
+
+#endif
diff --git a/libstb/secvar/secvar_devtree.c b/libstb/secvar/secvar_devtree.c
new file mode 100644
index 0000000..fcff711
--- /dev/null
+++ b/libstb/secvar/secvar_devtree.c
@@ -0,0 +1,68 @@
+// SPDX-License-Identifier: Apache-2.0
+/* Copyright 2013-2019 IBM Corp. */
+
+#include <device.h>
+#include <string.h>
+#include "secvar.h"
+#include "secvar_devtree.h"
+
+struct dt_node *secvar_node;
+
+int secvar_set_secure_mode(void)
+{
+	struct dt_node *sb_root;
+	struct dt_property *prop;
+
+	if (!secvar_node)
+		return -1;
+
+	sb_root = dt_find_by_path(dt_root, "/ibm,secureboot/");
+
+	prop = (struct dt_property *) dt_find_property(sb_root, "os-secureboot-enforcing");
+	if (prop)
+		return 0;
+
+	prop = dt_add_property(sb_root, "os-secureboot-enforcing", 0, 0);
+	if (!prop)
+		return -2;
+
+	return 0;
+}
+
+void secvar_init_devnode(const char *compatible)
+{
+	struct dt_node *sb_root;
+
+	sb_root = dt_find_by_path(dt_root, "/ibm,opal/");
+
+	secvar_node = dt_new(sb_root, "secvar");
+
+	dt_add_property_string(secvar_node, "compatible", compatible);
+	dt_add_property_u64(secvar_node, "max-var-size", secvar_storage.max_var_size);
+	dt_add_property_u64(secvar_node, "max-var-key-len", SECVAR_MAX_KEY_LEN);
+}
+
+void secvar_set_status(const char *status)
+{
+	if (!secvar_node)
+		return; // Fail boot?
+
+	if (dt_find_property(secvar_node, "status"))
+		return;
+
+	dt_add_property_string(secvar_node, "status", status);
+	// Fail boot if not successful?
+}
+
+
+void secvar_set_update_status(uint64_t val)
+{
+	if (!secvar_node)
+		return;
+
+	if (dt_find_property(secvar_node, "update-status"))
+		return;
+
+	dt_add_property_u64(secvar_node, "update-status", val);
+}
+
diff --git a/libstb/secvar/secvar_devtree.h b/libstb/secvar/secvar_devtree.h
new file mode 100644
index 0000000..d383884
--- /dev/null
+++ b/libstb/secvar/secvar_devtree.h
@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: Apache-2.0
+/* Copyright 2013-2019 IBM Corp. */
+
+#ifndef _SECVAR_DEVTREE_H_
+#define _SECVAR_DEVTREE_H_
+
+int secvar_set_secure_mode(void);
+void secvar_init_devnode(const char *compatible);
+
+void secvar_set_status(const char *status);
+void secvar_set_update_status(uint64_t val);
+
+#endif
diff --git a/libstb/secvar/secvar_main.c b/libstb/secvar/secvar_main.c
new file mode 100644
index 0000000..fc5527a
--- /dev/null
+++ b/libstb/secvar/secvar_main.c
@@ -0,0 +1,87 @@
+// SPDX-License-Identifier: Apache-2.0
+/* Copyright 2019 IBM Corp. */
+
+#ifndef pr_fmt
+#define pr_fmt(fmt) "SECVAR: " fmt
+#endif
+
+#include <stdlib.h>
+#include <skiboot.h>
+#include <opal.h>
+#include "secvar.h"
+#include "secvar_devtree.h"
+
+struct list_head variable_bank;
+struct list_head update_bank;
+
+int secvar_enabled = 0;	// Set to 1 if secvar is supported
+int secvar_ready = 0;	// Set to 1 when base secvar inits correctly
+
+// To be filled in by platform.secvar_init
+struct secvar_storage_driver secvar_storage = {0};
+struct secvar_backend_driver secvar_backend = {0};
+
+
+int secvar_main(struct secvar_storage_driver storage_driver,
+               struct secvar_backend_driver backend_driver)
+{
+	int rc = OPAL_UNSUPPORTED;
+
+	secvar_storage = storage_driver;
+	secvar_backend = backend_driver;
+
+	secvar_init_devnode(secvar_backend.compatible);
+
+	secvar_enabled = 1;
+
+	list_head_init(&variable_bank);
+	list_head_init(&update_bank);
+
+	rc = secvar_storage.store_init();
+	if (rc)
+		goto fail;
+
+	// Failures here should indicate some kind of hardware problem
+	rc = secvar_storage.load_bank(&variable_bank, SECVAR_VARIABLE_BANK);
+	if (rc)
+		goto fail;
+
+	rc = secvar_storage.load_bank(&update_bank, SECVAR_UPDATE_BANK);
+	if (rc)
+		goto fail;
+
+	// At this point, base secvar is functional. Rest is up to the backend
+	secvar_ready = 1;
+	secvar_set_status("okay");
+
+	if (secvar_backend.pre_process)
+		rc = secvar_backend.pre_process();
+
+	// Process is required, error if it doesn't exist
+	if (!secvar_backend.process)
+		goto out;
+
+	rc = secvar_backend.process();
+		secvar_set_update_status(rc);
+	if (rc == OPAL_SUCCESS) {
+		rc = secvar_storage.write_bank(&variable_bank, SECVAR_VARIABLE_BANK);
+		if (rc)
+			goto out;
+
+		rc = secvar_storage.write_bank(&update_bank, SECVAR_UPDATE_BANK);
+		if (rc)
+			goto out;
+	}
+
+	if (secvar_backend.post_process)
+		rc = secvar_backend.post_process();
+	if (rc)
+		goto out;
+
+	return OPAL_SUCCESS;
+fail:
+	secvar_set_status("fail");
+out:
+	printf("Secure Variables Status %04x\n", rc);
+	return rc;
+}
diff --git a/libstb/secvar/secvar_util.c b/libstb/secvar/secvar_util.c
new file mode 100644
index 0000000..a143d0b
--- /dev/null
+++ b/libstb/secvar/secvar_util.c
@@ -0,0 +1,102 @@
+// SPDX-License-Identifier: Apache-2.0
+/* Copyright 2019 IBM Corp. */
+
+#ifndef pr_fmt
+#define pr_fmt(fmt) "SECVAR: " fmt
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+#include <skiboot.h>
+#include <opal.h>
+#include "secvar.h"
+
+void clear_bank_list(struct list_head *bank)
+{
+	struct secvar_node *node, *next;
+
+	if (!bank)
+		return;
+
+	list_for_each_safe(bank, node, next, link) {
+		list_del(&node->link);
+
+		if (node->var)
+			free(node->var);
+		free(node);
+	}
+}
+
+struct secvar_node *alloc_secvar(uint64_t size)
+{
+	struct secvar_node *ret;
+
+	ret = zalloc(sizeof(struct secvar_node));
+	if (!ret)
+		return NULL;
+
+	ret->var = zalloc(sizeof(struct secvar) + size);
+	if (!ret->var) {
+		free(ret);
+		return NULL;
+	}
+
+	ret->size = size;
+
+	return ret;
+}
+
+int realloc_secvar(struct secvar_node *node, uint64_t size)
+{
+	void *tmp;
+
+	if (node->size >= size)
+		return 0;
+
+	tmp = zalloc(sizeof(struct secvar) + size);
+	if (!tmp)
+		return -1;
+
+	memcpy(tmp, node->var, sizeof(struct secvar) + node->size);
+	free(node->var);
+	node->var = tmp;
+
+	return 0;
+}
+
+struct secvar_node *find_secvar(const char *key, uint64_t key_len, struct list_head *bank)
+{
+	struct secvar_node *node = NULL;
+
+	list_for_each(bank, node, link) {
+		// Prevent matching shorter key subsets / bail early
+		if (key_len != node->var->key_len)
+			continue;
+		if (!memcmp(key, node->var->key, key_len))
+			return node;
+	}
+
+	return NULL;
+}
+
+int is_key_empty(const char *key, uint64_t key_len)
+{
+	int i;
+	for (i = 0; i < key_len; i++) {
+		if (key[i] != 0)
+			return 0;
+	}
+
+	return 1;
+}
+
+int list_length(struct list_head *bank)
+{
+	int ret = 0;
+	struct secvar_node *node;
+
+	list_for_each(bank, node, link)
+		ret++;
+
+	return ret;
+}
diff --git a/libstb/secvar/storage/Makefile.inc b/libstb/secvar/storage/Makefile.inc
new file mode 100644
index 0000000..b7a821e
--- /dev/null
+++ b/libstb/secvar/storage/Makefile.inc
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: Apache-2.0
+# -*-Makefile-*-
+
+SECVAR_STORAGE_DIR = libstb/secvar/storage
+
+SUBDIRS += $(SECVAR_STORAGE_DIR)
+
+SECVAR_STORAGE_SRCS =
+SECVAR_STORAGE_OBJS = $(SECVAR_STORAGE_SRCS:%.c=%.o)
+SECVAR_STORAGE = $(SECVAR_STORAGE_DIR)/built-in.a
+
+$(SECVAR_STORAGE): $(SECVAR_STORAGE_OBJS:%=$(SECVAR_STORAGE_DIR)/%)