What:		/sys/firmware/secvar
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	This directory is created if the POWER firmware supports OS
		secure boot and therefore secure variables. It exposes an
		interface for reading/writing the secure variables.

What:		/sys/firmware/secvar/vars
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	This directory lists all the secure variables that are supported
		by the firmware.

What:		/sys/firmware/secvar/format
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	A string indicating which backend is in use by the firmware.
		This determines the format of the variable and the accepted
		format of variable updates.

		On powernv/OPAL, this value is provided by the OPAL firmware
		and is expected to be "ibm,edk2-compat-v1".

		On pseries/PLPKS, this is generated by the kernel based on the
		version number in the SB_VERSION variable in the keystore. The
		version numbering in the SB_VERSION variable starts from 1. The
		format string takes the form "ibm,plpks-sb-v<version>" in the
		case of dynamic key management mode. If the SB_VERSION variable
		does not exist (or there is an error while reading it), it takes
		the form "ibm,plpks-sb-v0", indicating that the key management
		mode is static.

What:		/sys/firmware/secvar/vars/<variable_name>
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Each secure variable is represented as a directory named
		<variable_name>. The variable name is unique and is in ASCII
		representation. The data and size can be determined by reading
		their respective attribute files.

		Only secvars relevant to the key management mode are exposed.
		Only in the dynamic key management mode should the user have
		access (read and write) to the secure boot secvars db, dbx,
		grubdb, grubdbx, and sbat. These secvars are not consumed in the
		static key management mode. PK, trustedcadb and moduledb are the
		secvars common to both static and dynamic key management modes.

What:		/sys/firmware/secvar/vars/<variable_name>/size
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	An integer representation of the size of the content of the
		variable. In other words, it represents the size of the data.

What:		/sys/firmware/secvar/vars/<variable_name>/data
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	A read-only file containing the value of the variable. The size
		of the file represents the maximum size of the variable data.

What:		/sys/firmware/secvar/vars/<variable_name>/update
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	A write-only file that is used to submit the new value for the
		variable. The size of the file represents the maximum size of
		the variable data that can be written.

What:		/sys/firmware/secvar/config
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	This optional directory contains read-only config attributes as
		defined by the secure variable implementation. All data is in
		ASCII format. The directory is only created if the backing
		implementation provides variables to populate it, which at
		present is only PLPKS on the pseries platform.

What:		/sys/firmware/secvar/config/version
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Config version as reported by the hypervisor in ASCII decimal
		format.

		Currently only provided by PLPKS on the pseries platform.

What:		/sys/firmware/secvar/config/max_object_size
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Maximum allowed size of objects in the keystore in bytes,
		represented in ASCII decimal format.

		This is not necessarily the same as the max size that can be
		written to an update file, as writes can contain more than
		object data; use the size of the update file for that
		purpose.

		Currently only provided by PLPKS on the pseries platform.

What:		/sys/firmware/secvar/config/total_size
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Total size of the PLPKS in bytes, represented in ASCII decimal
		format.

		Currently only provided by PLPKS on the pseries platform.

What:		/sys/firmware/secvar/config/used_space
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Current space consumed by the key store, in bytes, represented
		in ASCII decimal format.

		Currently only provided by PLPKS on the pseries platform.

What:		/sys/firmware/secvar/config/supported_policies
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Bitmask of policy flags supported by the hypervisor,
		represented as an 8 byte hexadecimal ASCII string. Consult the
		hypervisor documentation for what these flags are.

		Currently only provided by PLPKS on the pseries platform.

What:		/sys/firmware/secvar/config/signed_update_algorithms
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Bitmask of flags indicating which algorithms the hypervisor
		supports for signed update of objects, represented as a 16 byte
		hexadecimal ASCII string. Consult the hypervisor documentation
		for what these flags mean.

		Currently only provided by PLPKS on the pseries platform.
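
Added example (not part of the kernel documentation or the secvar code): a Python sketch that reads the format attribute described above to derive the backend and key management mode, inventories each variable's size and a SHA-256 of its data, and flags dynamic-only secvars that appear while the mode is static. The function names and the temporary sample tree are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

DYNAMIC_ONLY = {"db", "dbx", "grubdb", "grubdbx", "sbat"}  # names from the ABI text

def key_mode(fmt):
    """Map /sys/firmware/secvar/format to (backend, key management mode)."""
    if fmt == "ibm,edk2-compat-v1":
        return "powernv/OPAL", None  # static/dynamic split is described for PLPKS only
    m = re.fullmatch(r"ibm,plpks-sb-v(\d+)", fmt)
    if m is None:
        raise ValueError(f"unrecognised secvar format: {fmt!r}")
    return "pseries/PLPKS", "static" if int(m.group(1)) == 0 else "dynamic"

def audit_secvar(root="/sys/firmware/secvar"):
    """Inventory the secure variables and flag what the ABI text rules out."""
    with open(os.path.join(root, "format")) as f:
        backend, mode = key_mode(f.read().strip())
    inventory, findings = {}, []
    vars_dir = os.path.join(root, "vars")
    for name in sorted(os.listdir(vars_dir)):
        with open(os.path.join(vars_dir, name, "size")) as f:
            size = int(f.read().strip())
        with open(os.path.join(vars_dir, name, "data"), "rb") as f:
            data = f.read()
        inventory[name] = (size, hashlib.sha256(data).hexdigest())
        if len(data) != size:
            findings.append(f"{name}: size attribute {size} != {len(data)} bytes read")
        if mode == "static" and name in DYNAMIC_ONLY:
            findings.append(f"{name}: exposed although key management mode is static")
    return backend, mode, inventory, findings

def build_sample_tree(fmt, variables):
    """Constructed stand-in for the sysfs tree so the example runs off-target."""
    root = tempfile.mkdtemp(prefix="secvar-sample-")
    with open(os.path.join(root, "format"), "w") as f:
        f.write(fmt + "\n")
    for name, (size, data) in variables.items():
        os.makedirs(os.path.join(root, "vars", name))
        with open(os.path.join(root, "vars", name, "size"), "w") as f:
            f.write(f"{size}\n")
        with open(os.path.join(root, "vars", name, "data"), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    print(audit_secvar(build_sample_tree("ibm,plpks-sb-v0", {"PK": (2, b"\x00\x01")})))
```

Comparing the returned inventory against a stored baseline shows when a secure boot variable has changed between audits.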