1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * POWER LPAR Platform KeyStore(PLPKS) 4 * Copyright (C) 2022 IBM Corporation 5 * Author: Nayna Jain <nayna@linux.ibm.com> 6 * 7 * Provides access to variables stored in Power LPAR Platform KeyStore(PLPKS). 8 */ 9 10 #define pr_fmt(fmt) "plpks: " fmt 11 12 #include <linux/delay.h> 13 #include <linux/errno.h> 14 #include <linux/io.h> 15 #include <linux/printk.h> 16 #include <linux/slab.h> 17 #include <linux/string.h> 18 #include <linux/types.h> 19 #include <linux/of_fdt.h> 20 #include <linux/libfdt.h> 21 #include <linux/memblock.h> 22 #include <asm/hvcall.h> 23 #include <asm/machdep.h> 24 #include <asm/plpks.h> 25 #include <asm/firmware.h> 26 27 static u8 *ospassword; 28 static u16 ospasswordlength; 29 30 // Retrieved with H_PKS_GET_CONFIG 31 static u8 version; 32 static u16 objoverhead; 33 static u16 maxpwsize; 34 static u16 maxobjsize; 35 static s16 maxobjlabelsize; 36 static u32 totalsize; 37 static u32 usedspace; 38 static u32 supportedpolicies; 39 static u32 maxlargeobjectsize; 40 static u64 signedupdatealgorithms; 41 42 struct plpks_auth { 43 u8 version; 44 u8 consumer; 45 __be64 rsvd0; 46 __be32 rsvd1; 47 __be16 passwordlength; 48 u8 password[]; 49 } __packed __aligned(16); 50 51 struct label_attr { 52 u8 prefix[8]; 53 u8 version; 54 u8 os; 55 u8 length; 56 u8 reserved[5]; 57 }; 58 59 struct label { 60 struct label_attr attr; 61 u8 name[PLPKS_MAX_NAME_SIZE]; 62 size_t size; 63 }; 64 65 static int pseries_status_to_err(int rc) 66 { 67 int err; 68 69 switch (rc) { 70 case H_SUCCESS: 71 err = 0; 72 break; 73 case H_FUNCTION: 74 err = -ENXIO; 75 break; 76 case H_PARAMETER: 77 case H_P2: 78 case H_P3: 79 case H_P4: 80 case H_P5: 81 case H_P6: 82 err = -EINVAL; 83 break; 84 case H_NOT_FOUND: 85 err = -ENOENT; 86 break; 87 case H_BUSY: 88 case H_LONG_BUSY_ORDER_1_MSEC: 89 case H_LONG_BUSY_ORDER_10_MSEC: 90 case H_LONG_BUSY_ORDER_100_MSEC: 91 case H_LONG_BUSY_ORDER_1_SEC: 92 case H_LONG_BUSY_ORDER_10_SEC: 93 case H_LONG_BUSY_ORDER_100_SEC: 94 err = -EBUSY; 95 break; 96 case H_AUTHORITY: 97 err = -EPERM; 98 break; 99 case H_NO_MEM: 100 err = -ENOMEM; 101 break; 102 case H_RESOURCE: 103 err = -EEXIST; 104 break; 105 case H_TOO_BIG: 106 err = -EFBIG; 107 break; 108 case H_STATE: 109 err = -EIO; 110 break; 111 case H_R_STATE: 112 err = -EIO; 113 break; 114 case H_IN_USE: 115 err = -EEXIST; 116 break; 117 case H_ABORTED: 118 err = -EIO; 119 break; 120 default: 121 err = -EINVAL; 122 } 123 124 pr_debug("Converted hypervisor code %d to Linux %d\n", rc, err); 125 126 return err; 127 } 128 129 static int plpks_gen_password(void) 130 { 131 unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 }; 132 u8 *password, consumer = PLPKS_OS_OWNER; 133 int rc; 134 135 // If we booted from kexec, we could be reusing an existing password already 136 if (ospassword) { 137 pr_debug("Password of length %u already in use\n", ospasswordlength); 138 return 0; 139 } 140 141 // The password must not cross a page boundary, so we align to the next power of 2 142 password = kzalloc(roundup_pow_of_two(maxpwsize), GFP_KERNEL); 143 if (!password) 144 return -ENOMEM; 145 146 rc = plpar_hcall(H_PKS_GEN_PASSWORD, retbuf, consumer, 0, 147 virt_to_phys(password), maxpwsize); 148 149 if (!rc) { 150 ospasswordlength = maxpwsize; 151 ospassword = kzalloc(maxpwsize, GFP_KERNEL); 152 if (!ospassword) { 153 kfree_sensitive(password); 154 return -ENOMEM; 155 } 156 memcpy(ospassword, password, ospasswordlength); 157 } else { 158 if (rc == H_IN_USE) { 159 pr_warn("Password already set - authenticated operations will fail\n"); 160 rc = 0; 161 } else { 162 goto out; 163 } 164 } 165 out: 166 kfree_sensitive(password); 167 168 return pseries_status_to_err(rc); 169 } 170 171 static struct plpks_auth *construct_auth(u8 consumer) 172 { 173 struct plpks_auth *auth; 174 175 if (consumer > PLPKS_OS_OWNER) 176 return ERR_PTR(-EINVAL); 177 178 // The auth structure must not cross a page boundary and must be 179 // 16 byte aligned. We align to the next largest power of 2 180 auth = kzalloc(roundup_pow_of_two(struct_size(auth, password, maxpwsize)), GFP_KERNEL); 181 if (!auth) 182 return ERR_PTR(-ENOMEM); 183 184 auth->version = 1; 185 auth->consumer = consumer; 186 187 if (consumer == PLPKS_FW_OWNER || consumer == PLPKS_BOOTLOADER_OWNER) 188 return auth; 189 190 memcpy(auth->password, ospassword, ospasswordlength); 191 192 auth->passwordlength = cpu_to_be16(ospasswordlength); 193 194 return auth; 195 } 196 197 /* 198 * Label is combination of label attributes + name. 199 * Label attributes are used internally by kernel and not exposed to the user. 200 */ 201 static struct label *construct_label(char *component, u8 varos, u8 *name, 202 u16 namelen) 203 { 204 struct label *label; 205 size_t slen = 0; 206 207 if (!name || namelen > PLPKS_MAX_NAME_SIZE) 208 return ERR_PTR(-EINVAL); 209 210 // Support NULL component for signed updates 211 if (component) { 212 slen = strlen(component); 213 if (slen > sizeof(label->attr.prefix)) 214 return ERR_PTR(-EINVAL); 215 } 216 217 // The label structure must not cross a page boundary, so we align to the next power of 2 218 label = kzalloc(roundup_pow_of_two(sizeof(*label)), GFP_KERNEL); 219 if (!label) 220 return ERR_PTR(-ENOMEM); 221 222 if (component) 223 memcpy(&label->attr.prefix, component, slen); 224 225 label->attr.version = PLPKS_LABEL_VERSION; 226 label->attr.os = varos; 227 label->attr.length = PLPKS_MAX_LABEL_ATTR_SIZE; 228 memcpy(&label->name, name, namelen); 229 230 label->size = sizeof(struct label_attr) + namelen; 231 232 return label; 233 } 234 235 static int _plpks_get_config(void) 236 { 237 unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 }; 238 struct config { 239 u8 version; 240 u8 flags; 241 __be16 rsvd0; 242 __be16 objoverhead; 243 __be16 maxpwsize; 244 __be16 maxobjlabelsize; 245 __be16 maxobjsize; 246 __be32 totalsize; 247 __be32 usedspace; 248 __be32 supportedpolicies; 249 __be32 maxlargeobjectsize; 250 __be64 signedupdatealgorithms; 251 u8 rsvd1[476]; 252 } __packed * config; 253 size_t size; 254 int rc = 0; 255 256 size = sizeof(*config); 257 258 // Config struct must not cross a page boundary. So long as the struct 259 // size is a power of 2, this should be fine as alignment is guaranteed 260 config = kzalloc(size, GFP_KERNEL); 261 if (!config) { 262 rc = -ENOMEM; 263 goto err; 264 } 265 266 rc = plpar_hcall(H_PKS_GET_CONFIG, retbuf, virt_to_phys(config), size); 267 268 if (rc != H_SUCCESS) { 269 rc = pseries_status_to_err(rc); 270 goto err; 271 } 272 273 version = config->version; 274 objoverhead = be16_to_cpu(config->objoverhead); 275 maxpwsize = be16_to_cpu(config->maxpwsize); 276 maxobjsize = be16_to_cpu(config->maxobjsize); 277 maxobjlabelsize = be16_to_cpu(config->maxobjlabelsize); 278 totalsize = be32_to_cpu(config->totalsize); 279 usedspace = be32_to_cpu(config->usedspace); 280 supportedpolicies = be32_to_cpu(config->supportedpolicies); 281 maxlargeobjectsize = be32_to_cpu(config->maxlargeobjectsize); 282 signedupdatealgorithms = be64_to_cpu(config->signedupdatealgorithms); 283 284 // Validate that the numbers we get back match the requirements of the spec 285 if (maxpwsize < 32) { 286 pr_err("Invalid Max Password Size received from hypervisor (%d < 32)\n", maxpwsize); 287 rc = -EIO; 288 goto err; 289 } 290 291 if (maxobjlabelsize < 255) { 292 pr_err("Invalid Max Object Label Size received from hypervisor (%d < 255)\n", 293 maxobjlabelsize); 294 rc = -EIO; 295 goto err; 296 } 297 298 if (totalsize < 4096) { 299 pr_err("Invalid Total Size received from hypervisor (%d < 4096)\n", totalsize); 300 rc = -EIO; 301 goto err; 302 } 303 304 if (version >= 3 && maxlargeobjectsize >= 65536 && maxobjsize != 0xFFFF) { 305 pr_err("Invalid Max Object Size (0x%x != 0xFFFF)\n", maxobjsize); 306 rc = -EIO; 307 goto err; 308 } 309 310 err: 311 kfree(config); 312 return rc; 313 } 314 315 u8 plpks_get_version(void) 316 { 317 return version; 318 } 319 320 u16 plpks_get_objoverhead(void) 321 { 322 return objoverhead; 323 } 324 325 u16 plpks_get_maxpwsize(void) 326 { 327 return maxpwsize; 328 } 329 330 u16 plpks_get_maxobjectsize(void) 331 { 332 return maxobjsize; 333 } 334 335 u16 plpks_get_maxobjectlabelsize(void) 336 { 337 return maxobjlabelsize; 338 } 339 340 u32 plpks_get_totalsize(void) 341 { 342 return totalsize; 343 } 344 345 u32 plpks_get_usedspace(void) 346 { 347 // Unlike other config values, usedspace regularly changes as objects 348 // are updated, so we need to refresh. 349 int rc = _plpks_get_config(); 350 if (rc) { 351 pr_err("Couldn't get config, rc: %d\n", rc); 352 return 0; 353 } 354 return usedspace; 355 } 356 357 u32 plpks_get_supportedpolicies(void) 358 { 359 return supportedpolicies; 360 } 361 362 u32 plpks_get_maxlargeobjectsize(void) 363 { 364 return maxlargeobjectsize; 365 } 366 367 u64 plpks_get_signedupdatealgorithms(void) 368 { 369 return signedupdatealgorithms; 370 } 371 372 u16 plpks_get_passwordlen(void) 373 { 374 return ospasswordlength; 375 } 376 377 bool plpks_is_available(void) 378 { 379 int rc; 380 381 if (!firmware_has_feature(FW_FEATURE_PLPKS)) 382 return false; 383 384 rc = _plpks_get_config(); 385 if (rc) 386 return false; 387 388 return true; 389 } 390 391 static int plpks_confirm_object_flushed(struct label *label, 392 struct plpks_auth *auth) 393 { 394 unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 }; 395 bool timed_out = true; 396 u64 timeout = 0; 397 u8 status; 398 int rc; 399 400 do { 401 rc = plpar_hcall(H_PKS_CONFIRM_OBJECT_FLUSHED, retbuf, 402 virt_to_phys(auth), virt_to_phys(label), 403 label->size); 404 405 status = retbuf[0]; 406 if (rc) { 407 timed_out = false; 408 if (rc == H_NOT_FOUND && status == 1) 409 rc = 0; 410 break; 411 } 412 413 if (!rc && status == 1) { 414 timed_out = false; 415 break; 416 } 417 418 fsleep(PLPKS_FLUSH_SLEEP); 419 timeout = timeout + PLPKS_FLUSH_SLEEP; 420 } while (timeout < PLPKS_MAX_TIMEOUT); 421 422 if (timed_out) 423 return -ETIMEDOUT; 424 425 return pseries_status_to_err(rc); 426 } 427 428 int plpks_signed_update_var(struct plpks_var *var, u64 flags) 429 { 430 unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0}; 431 int rc; 432 struct label *label; 433 struct plpks_auth *auth; 434 u64 continuetoken = 0; 435 u64 timeout = 0; 436 437 if (!var->data || var->datalen <= 0 || var->namelen > PLPKS_MAX_NAME_SIZE) 438 return -EINVAL; 439 440 if (!(var->policy & PLPKS_SIGNEDUPDATE)) 441 return -EINVAL; 442 443 // Signed updates need the component to be NULL. 444 if (var->component) 445 return -EINVAL; 446 447 auth = construct_auth(PLPKS_OS_OWNER); 448 if (IS_ERR(auth)) 449 return PTR_ERR(auth); 450 451 label = construct_label(var->component, var->os, var->name, var->namelen); 452 if (IS_ERR(label)) { 453 rc = PTR_ERR(label); 454 goto out; 455 } 456 457 do { 458 rc = plpar_hcall9(H_PKS_SIGNED_UPDATE, retbuf, 459 virt_to_phys(auth), virt_to_phys(label), 460 label->size, var->policy, flags, 461 virt_to_phys(var->data), var->datalen, 462 continuetoken); 463 464 continuetoken = retbuf[0]; 465 if (pseries_status_to_err(rc) == -EBUSY) { 466 int delay_us = get_longbusy_msecs(rc) * 1000; 467 468 fsleep(delay_us); 469 timeout += delay_us; 470 } 471 rc = pseries_status_to_err(rc); 472 } while (rc == -EBUSY && timeout < PLPKS_MAX_TIMEOUT); 473 474 if (!rc) 475 rc = plpks_confirm_object_flushed(label, auth); 476 477 kfree(label); 478 out: 479 kfree(auth); 480 481 return rc; 482 } 483 484 int plpks_write_var(struct plpks_var var) 485 { 486 unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 }; 487 struct plpks_auth *auth; 488 struct label *label; 489 int rc; 490 491 if (!var.component || !var.data || var.datalen <= 0 || 492 var.namelen > PLPKS_MAX_NAME_SIZE || var.datalen > PLPKS_MAX_DATA_SIZE) 493 return -EINVAL; 494 495 if (var.policy & PLPKS_SIGNEDUPDATE) 496 return -EINVAL; 497 498 auth = construct_auth(PLPKS_OS_OWNER); 499 if (IS_ERR(auth)) 500 return PTR_ERR(auth); 501 502 label = construct_label(var.component, var.os, var.name, var.namelen); 503 if (IS_ERR(label)) { 504 rc = PTR_ERR(label); 505 goto out; 506 } 507 508 rc = plpar_hcall(H_PKS_WRITE_OBJECT, retbuf, virt_to_phys(auth), 509 virt_to_phys(label), label->size, var.policy, 510 virt_to_phys(var.data), var.datalen); 511 512 if (!rc) 513 rc = plpks_confirm_object_flushed(label, auth); 514 515 rc = pseries_status_to_err(rc); 516 kfree(label); 517 out: 518 kfree(auth); 519 520 return rc; 521 } 522 523 int plpks_remove_var(char *component, u8 varos, struct plpks_var_name vname) 524 { 525 unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 }; 526 struct plpks_auth *auth; 527 struct label *label; 528 int rc; 529 530 if (vname.namelen > PLPKS_MAX_NAME_SIZE) 531 return -EINVAL; 532 533 auth = construct_auth(PLPKS_OS_OWNER); 534 if (IS_ERR(auth)) 535 return PTR_ERR(auth); 536 537 label = construct_label(component, varos, vname.name, vname.namelen); 538 if (IS_ERR(label)) { 539 rc = PTR_ERR(label); 540 goto out; 541 } 542 543 rc = plpar_hcall(H_PKS_REMOVE_OBJECT, retbuf, virt_to_phys(auth), 544 virt_to_phys(label), label->size); 545 546 if (!rc) 547 rc = plpks_confirm_object_flushed(label, auth); 548 549 rc = pseries_status_to_err(rc); 550 kfree(label); 551 out: 552 kfree(auth); 553 554 return rc; 555 } 556 557 static int plpks_read_var(u8 consumer, struct plpks_var *var) 558 { 559 unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 }; 560 struct plpks_auth *auth; 561 struct label *label = NULL; 562 u8 *output; 563 int rc; 564 565 if (var->namelen > PLPKS_MAX_NAME_SIZE) 566 return -EINVAL; 567 568 auth = construct_auth(consumer); 569 if (IS_ERR(auth)) 570 return PTR_ERR(auth); 571 572 if (consumer == PLPKS_OS_OWNER) { 573 label = construct_label(var->component, var->os, var->name, 574 var->namelen); 575 if (IS_ERR(label)) { 576 rc = PTR_ERR(label); 577 goto out_free_auth; 578 } 579 } 580 581 output = kzalloc(maxobjsize, GFP_KERNEL); 582 if (!output) { 583 rc = -ENOMEM; 584 goto out_free_label; 585 } 586 587 if (consumer == PLPKS_OS_OWNER) 588 rc = plpar_hcall(H_PKS_READ_OBJECT, retbuf, virt_to_phys(auth), 589 virt_to_phys(label), label->size, virt_to_phys(output), 590 maxobjsize); 591 else 592 rc = plpar_hcall(H_PKS_READ_OBJECT, retbuf, virt_to_phys(auth), 593 virt_to_phys(var->name), var->namelen, virt_to_phys(output), 594 maxobjsize); 595 596 597 if (rc != H_SUCCESS) { 598 rc = pseries_status_to_err(rc); 599 goto out_free_output; 600 } 601 602 if (!var->data || var->datalen > retbuf[0]) 603 var->datalen = retbuf[0]; 604 605 var->policy = retbuf[1]; 606 607 if (var->data) 608 memcpy(var->data, output, var->datalen); 609 610 rc = 0; 611 612 out_free_output: 613 kfree(output); 614 out_free_label: 615 kfree(label); 616 out_free_auth: 617 kfree(auth); 618 619 return rc; 620 } 621 622 int plpks_read_os_var(struct plpks_var *var) 623 { 624 return plpks_read_var(PLPKS_OS_OWNER, var); 625 } 626 627 int plpks_read_fw_var(struct plpks_var *var) 628 { 629 return plpks_read_var(PLPKS_FW_OWNER, var); 630 } 631 632 int plpks_read_bootloader_var(struct plpks_var *var) 633 { 634 return plpks_read_var(PLPKS_BOOTLOADER_OWNER, var); 635 } 636 637 int plpks_populate_fdt(void *fdt) 638 { 639 int chosen_offset = fdt_path_offset(fdt, "/chosen"); 640 641 if (chosen_offset < 0) { 642 pr_err("Can't find chosen node: %s\n", 643 fdt_strerror(chosen_offset)); 644 return chosen_offset; 645 } 646 647 return fdt_setprop(fdt, chosen_offset, "ibm,plpks-pw", ospassword, ospasswordlength); 648 } 649 650 // Once a password is registered with the hypervisor it cannot be cleared without 651 // rebooting the LPAR, so to keep using the PLPKS across kexec boots we need to 652 // recover the previous password from the FDT. 653 // 654 // There are a few challenges here. We don't want the password to be visible to 655 // users, so we need to clear it from the FDT. This has to be done in early boot. 656 // Clearing it from the FDT would make the FDT's checksum invalid, so we have to 657 // manually cause the checksum to be recalculated. 658 void __init plpks_early_init_devtree(void) 659 { 660 void *fdt = initial_boot_params; 661 int chosen_node = fdt_path_offset(fdt, "/chosen"); 662 const u8 *password; 663 int len; 664 665 if (chosen_node < 0) 666 return; 667 668 password = fdt_getprop(fdt, chosen_node, "ibm,plpks-pw", &len); 669 if (len <= 0) { 670 pr_debug("Couldn't find ibm,plpks-pw node.\n"); 671 return; 672 } 673 674 ospassword = memblock_alloc_raw(len, SMP_CACHE_BYTES); 675 if (!ospassword) { 676 pr_err("Error allocating memory for password.\n"); 677 goto out; 678 } 679 680 memcpy(ospassword, password, len); 681 ospasswordlength = (u16)len; 682 683 out: 684 fdt_nop_property(fdt, chosen_node, "ibm,plpks-pw"); 685 // Since we've cleared the password, we must update the FDT checksum 686 early_init_dt_verify(fdt); 687 } 688 689 static __init int pseries_plpks_init(void) 690 { 691 int rc; 692 693 if (!firmware_has_feature(FW_FEATURE_PLPKS)) 694 return -ENODEV; 695 696 rc = _plpks_get_config(); 697 698 if (rc) { 699 pr_err("POWER LPAR Platform KeyStore is not supported or enabled\n"); 700 return rc; 701 } 702 703 rc = plpks_gen_password(); 704 if (rc) 705 pr_err("Failed setting POWER LPAR Platform KeyStore Password\n"); 706 else 707 pr_info("POWER LPAR Platform KeyStore initialized successfully\n"); 708 709 return rc; 710 } 711 machine_arch_initcall(pseries, pseries_plpks_init); 712