xref: /linux/Documentation/ABI/testing/sysfs-secvar (revision 40850c909fcf2a66237dea6b96c8e12003cf6d43)
1What:		/sys/firmware/secvar
2Date:		August 2019
3Contact:	Nayna Jain <nayna@linux.ibm.com>
4Description:	This directory is created if the POWER firmware supports OS
5		secureboot, thereby secure variables. It exposes interface
6		for reading/writing the secure variables
7
8What:		/sys/firmware/secvar/vars
9Date:		August 2019
10Contact:	Nayna Jain <nayna@linux.ibm.com>
11Description:	This directory lists all the secure variables that are supported
12		by the firmware.
13
14What:		/sys/firmware/secvar/format
15Date:		August 2019
16Contact:	Nayna Jain <nayna@linux.ibm.com>
17Description:	A string indicating which backend is in use by the firmware.
18		This determines the format of the variable and the accepted
19		format of variable updates.
20
21		On powernv/OPAL, this value is provided by the OPAL firmware
22		and is expected to be "ibm,edk2-compat-v1".
23
24		On pseries/PLPKS, this is generated by the kernel based on the
25		version number in the SB_VERSION variable in the keystore. The
26		version numbering in the SB_VERSION variable starts from 1. The
27		format string takes the form "ibm,plpks-sb-v<version>" in the
28		case of dynamic key management mode. If the SB_VERSION variable
29		does not exist (or there is an error while reading it), it takes
30		the form "ibm,plpks-sb-v0", indicating that the key management
31		mode is static.
32
33What:		/sys/firmware/secvar/vars/<variable name>
34Date:		August 2019
35Contact:	Nayna Jain <nayna@linux.ibm.com>
36Description:	Each secure variable is represented as a directory named as
37		<variable_name>. The variable name is unique and is in ASCII
38		representation. The data and size can be determined by reading
39		their respective attribute files.
40
41		Only secvars relevant to the key management mode are exposed.
42		Only in the dynamic key management mode should the user have
43		access (read and write) to the secure boot secvars db, dbx,
44		grubdb, grubdbx, and sbat. These secvars are not consumed in the
45		static key management mode. PK, trustedcadb and moduledb are the
46		secvars common to both static and dynamic key management modes.
47
48What:		/sys/firmware/secvar/vars/<variable_name>/size
49Date:		August 2019
50Contact:	Nayna Jain <nayna@linux.ibm.com>
51Description:	An integer representation of the size of the content of the
52		variable. In other words, it represents the size of the data.
53
54What:		/sys/firmware/secvar/vars/<variable_name>/data
55Date:		August 2019
56Contact:	Nayna Jain <nayna@linux.ibm.com>
57Description:	A read-only file containing the value of the variable. The size
58		of the file represents the maximum size of the variable data.
59
60What:		/sys/firmware/secvar/vars/<variable_name>/update
61Date:		August 2019
62Contact:	Nayna Jain <nayna@linux.ibm.com>
63Description:	A write-only file that is used to submit the new value for the
64		variable. The size of the file represents the maximum size of
65		the variable data that can be written.
66