diff options
-rw-r--r-- | doc/device-tree/ibm,secureboot.rst | 17 | ||||
-rw-r--r-- | hdata/spira.c | 11 | ||||
-rw-r--r-- | hdata/spira.h | 7 |
3 files changed, 34 insertions, 1 deletions
diff --git a/doc/device-tree/ibm,secureboot.rst b/doc/device-tree/ibm,secureboot.rst index 3113b3f..42f69b2 100644 --- a/doc/device-tree/ibm,secureboot.rst +++ b/doc/device-tree/ibm,secureboot.rst @@ -39,6 +39,23 @@ Required properties images (e.g. kernels) to be signed by an appropriate key stored in secure variables. + physical-presence-asserted: + this property exists to indicate the physical presence + of user to request key clearance. + + clear-os-keys: this property exists when the firmware indicates that + physical presence is asserted to clear only Host OS + secure boot keys. + + clear-all-keys: this property exists when the firmware indicates that + physical presence is asserted to clear all sensistive + data controlled by platform firmware. + + clear-mfg-keys: this property exists only during manufacturing process + when the firmware indicates to clear all senstive data + during manufacturing. It is only valid on development + drivers. + Obsolete properties ------------------- diff --git a/hdata/spira.c b/hdata/spira.c index 35d6109..deb2dea 100644 --- a/hdata/spira.c +++ b/hdata/spira.c @@ -921,6 +921,7 @@ static void dt_init_secureboot_node(const struct iplparams_sysparams *sysparams) struct dt_node *node; u16 sys_sec_setting; u16 hw_key_hash_size; + u16 host_fw_key_clear; node = dt_new(dt_root, "ibm,secureboot"); assert(node); @@ -933,6 +934,16 @@ static void dt_init_secureboot_node(const struct iplparams_sysparams *sysparams) dt_add_property(node, "secure-enabled", NULL, 0); if (sys_sec_setting & SEC_HASHES_EXTENDED_TO_TPM) dt_add_property(node, "trusted-enabled", NULL, 0); + if (sys_sec_setting & PHYSICAL_PRESENCE_ASSERTED) + dt_add_property(node, "physical-presence-asserted", NULL, 0); + + host_fw_key_clear = be16_to_cpu(sysparams->host_fw_key_clear); + if (host_fw_key_clear & KEY_CLEAR_OS_KEYS) + dt_add_property(node, "clear-os-keys", NULL, 0); + if (host_fw_key_clear & KEY_CLEAR_MFG) + dt_add_property(node, "clear-mfg-keys", NULL, 0); + if (host_fw_key_clear & KEY_CLEAR_ALL) + dt_add_property(node, "clear-all-keys", NULL, 0); hw_key_hash_size = be16_to_cpu(sysparams->hw_key_hash_size); diff --git a/hdata/spira.h b/hdata/spira.h index ffe5394..f7a1b82 100644 --- a/hdata/spira.h +++ b/hdata/spira.h @@ -364,10 +364,15 @@ struct iplparams_sysparams { __be16 hv_disp_wheel; /* >= 0x58 */ __be32 nest_freq_mhz; /* >= 0x5b */ uint8_t split_core_mode; /* >= 0x5c */ - uint8_t reserved[3]; + uint8_t reserved[1]; +#define KEY_CLEAR_ALL PPC_BIT16(0) +#define KEY_CLEAR_OS_KEYS PPC_BIT16(1) +#define KEY_CLEAR_MFG PPC_BIT16(7) + __be16 host_fw_key_clear; uint8_t sys_vendor[64]; /* >= 0x5f */ #define SEC_CONTAINER_SIG_CHECKING PPC_BIT16(0) #define SEC_HASHES_EXTENDED_TO_TPM PPC_BIT16(1) +#define PHYSICAL_PRESENCE_ASSERTED PPC_BIT16(3) __be16 sys_sec_setting; /* >= 0x60 */ __be16 tpm_config_bit; /* >= 0x60 */ __be16 tpm_drawer; /* >= 0x60 */ |