xref: /linux/Documentation/ABI/testing/sysfs-secvar (revision fbf355f32b98903c572544ead7fc0db79583c3a2)
What:		/sys/firmware/secvar
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	This directory is created if the POWER firmware supports OS
		secure boot, and thereby secure variables. It exposes an
		interface for reading/writing the secure variables.

What:		/sys/firmware/secvar/vars
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	This directory lists all the secure variables that are supported
		by the firmware.

What:		/sys/firmware/secvar/format
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	A string indicating which backend is in use by the firmware.
		This determines the format of the variable and the accepted
		format of variable updates.

		On powernv/OPAL, this value is provided by the OPAL firmware
		and is expected to be "ibm,edk2-compat-v1".

		On pseries/PLPKS, this is generated by the kernel based on the
		version number in the SB_VERSION variable in the keystore. The
		version numbering in the SB_VERSION variable starts from 1. The
		format string takes the form "ibm,plpks-sb-v<version>" in the
		case of dynamic key management mode. If the SB_VERSION variable
		does not exist (or there is an error while reading it), it takes
		the form "ibm,plpks-sb-v0", indicating that the key management
		mode is static.

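The format string described above can be parsed to identify the backend and, on pseries/PLPKS, the key management mode. This is an added example, not part of the kernel documentation; SECVAR_ROOT and the function names are assumptions chosen for illustration.

```python
import re
from pathlib import Path

# Assumed names: SECVAR_ROOT, classify_format and read_backend are illustrative.
SECVAR_ROOT = Path("/sys/firmware/secvar")
PLPKS_FORMAT = re.compile(r"ibm,plpks-sb-v(\d+)")

def classify_format(fmt):
    """Map a secvar format string to its backend and key management mode."""
    fmt = fmt.strip()
    if fmt == "ibm,edk2-compat-v1":
        return {"backend": "powernv/OPAL", "sb_version": None, "key_mgmt": None}
    match = PLPKS_FORMAT.fullmatch(fmt)
    if match is None:
        return {"backend": "unknown", "sb_version": None, "key_mgmt": None}
    version = int(match.group(1))
    # v0 is reported both when SB_VERSION does not exist and when reading it
    # failed, so "static" here cannot rule out a read error.
    mode = "static" if version == 0 else "dynamic"
    return {"backend": "pseries/PLPKS", "sb_version": version, "key_mgmt": mode}

def read_backend(root=SECVAR_ROOT):
    """Return the classification, or None when secvar is not exposed at all."""
    fmt_file = Path(root) / "format"
    if not fmt_file.is_file():
        return None
    return classify_format(fmt_file.read_text())

if __name__ == "__main__":
    # Constructed sample strings, followed by the live value if present.
    for sample in ("ibm,edk2-compat-v1", "ibm,plpks-sb-v0", "ibm,plpks-sb-v1"):
        print(sample, "->", classify_format(sample))
    print("this system:", read_backend())
```
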
What:		/sys/firmware/secvar/vars/<variable name>
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Each secure variable is represented as a directory named as
		<variable_name>. The variable name is unique and is in ASCII
		representation. The data and size can be determined by reading
		their respective attribute files.

What:		/sys/firmware/secvar/vars/<variable_name>/size
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	An integer representation of the size of the content of the
		variable. In other words, it represents the size of the data.

What:		/sys/firmware/secvar/vars/<variable_name>/data
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	A read-only file containing the value of the variable. The size
		of the file represents the maximum size of the variable data.

What:		/sys/firmware/secvar/vars/<variable_name>/update
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	A write-only file that is used to submit the new value for the
		variable. The size of the file represents the maximum size of
		the variable data that can be written.

What:		/sys/firmware/secvar/config
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	This optional directory contains read-only config attributes as
		defined by the secure variable implementation.  All data is in
		ASCII format. The directory is only created if the backing
		implementation provides variables to populate it, which at
		present is only PLPKS on the pseries platform.

What:		/sys/firmware/secvar/config/version
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Config version as reported by the hypervisor in ASCII decimal
		format.

		Currently only provided by PLPKS on the pseries platform.

What:		/sys/firmware/secvar/config/max_object_size
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Maximum allowed size of objects in the keystore in bytes,
		represented in ASCII decimal format.

		This is not necessarily the same as the max size that can be
		written to an update file, as writes can contain more than
		object data. Use the size of the update file for that
		purpose.

		Currently only provided by PLPKS on the pseries platform.

What:		/sys/firmware/secvar/config/total_size
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Total size of the PLPKS in bytes, represented in ASCII decimal
		format.

		Currently only provided by PLPKS on the pseries platform.

What:		/sys/firmware/secvar/config/used_space
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Current space consumed by the key store, in bytes, represented
		in ASCII decimal format.

		Currently only provided by PLPKS on the pseries platform.

What:		/sys/firmware/secvar/config/supported_policies
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Bitmask of policy flags supported by the hypervisor,
		represented as an 8 byte hexadecimal ASCII string. Consult the
		hypervisor documentation for what these flags are.

		Currently only provided by PLPKS on the pseries platform.

What:		/sys/firmware/secvar/config/signed_update_algorithms
Date:		February 2023
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Bitmask of flags indicating which algorithms the hypervisor
		supports for signed update of objects, represented as a 16 byte
		hexadecimal ASCII string. Consult the hypervisor documentation
		for what these flags mean.

		Currently only provided by PLPKS on the pseries platform.
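
An added example (not part of the kernel documentation) that reads the vars and config attributes described above and checks a planned write against the size of the update file rather than max_object_size. The tree built by make_sample_tree, the variable name PK and every value in it are constructed so the code runs without POWER firmware; all function names are assumptions.

```python
import os
import tempfile
from pathlib import Path

def read_config(root):
    """Parse config/ attributes; {} when the optional directory is absent."""
    hex_attrs = ("supported_policies", "signed_update_algorithms")
    cfg, out = Path(root) / "config", {}
    if cfg.is_dir():
        for attr in cfg.iterdir():
            # Bitmasks are hexadecimal ASCII, everything else ASCII decimal.
            base = 16 if attr.name in hex_attrs else 10
            out[attr.name] = int(attr.read_text().strip(), base)
    return out

def inventory(root):
    """Per variable: current data size and the limit set by update's file size."""
    rows = {}
    for var in sorted((Path(root) / "vars").iterdir()):
        rows[var.name] = {
            "size": int((var / "size").read_text().strip()),
            "max_update": os.stat(var / "update").st_size,
        }
    return rows

def update_fits(root, name, payload_len):
    """Check a planned write against the update file size, not max_object_size."""
    return payload_len <= inventory(root)[name]["max_update"]

def make_sample_tree(base):
    """Constructed stand-in for /sys/firmware/secvar (all values made up)."""
    root = Path(base) / "secvar"
    var = root / "vars" / "PK"
    var.mkdir(parents=True)
    (var / "size").write_text("976\n")
    with open(var / "update", "wb") as handle:
        handle.truncate(8192)      # sysfs reports the write limit as file size
    (root / "config").mkdir()
    sample = {"version": "1", "max_object_size": "4096", "total_size": "65536",
              "used_space": "2048", "supported_policies": "00000007",
              "signed_update_algorithms": "0000000000000001"}
    for key, value in sample.items():
        (root / "config" / key).write_text(value + "\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = make_sample_tree(tmp)
        print(read_config(root), inventory(root), update_fits(root, "PK", 5000))
```

In the constructed tree a 5000-byte write passes even though max_object_size is 4096, because the limit that applies to a write is the size of the update file.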