Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

powerpc/pseries: move the PLPKS config inside its own sysfs directory

The /sys/firmware/secvar/config directory represents Power LPAR Platform
KeyStore (PLPKS) configuration properties such as max_object_size,
signed_update_algorithms, supported_policies, total_size, used_space, and
version. These attributes describe the PLPKS, and not the secure boot
variables (secvars).

Create /sys/firmware/plpks directory and move the PLPKS config inside this
directory. For backwards compatibility, create a soft link from the secvar
sysfs directory to this config and emit a warning stating that the older
sysfs path has been deprecated. Separate out the plpks specific
documentation from secvar.

Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260127145228.48320-3-ssrish@linux.ibm.com

authored by Srish Srinivasan and committed by Madhavan Srinivasan
40850c90 88372ad4

+156 -111
+50
Documentation/ABI/testing/sysfs-firmware-plpks
··· 1 + What: /sys/firmware/plpks/config 2 + Date: February 2023 3 + Contact: Nayna Jain <nayna@linux.ibm.com> 4 + Description: This optional directory contains read-only config attributes as 5 + defined by the PLPKS implementation. All data is in ASCII 6 + format. 7 + 8 + What: /sys/firmware/plpks/config/version 9 + Date: February 2023 10 + Contact: Nayna Jain <nayna@linux.ibm.com> 11 + Description: Config version as reported by the hypervisor in ASCII decimal 12 + format. 13 + 14 + What: /sys/firmware/plpks/config/max_object_size 15 + Date: February 2023 16 + Contact: Nayna Jain <nayna@linux.ibm.com> 17 + Description: Maximum allowed size of objects in the keystore in bytes, 18 + represented in ASCII decimal format. 19 + 20 + This is not necessarily the same as the max size that can be 21 + written to an update file as writes can contain more than 22 + object data, you should use the size of the update file for 23 + that purpose. 24 + 25 + What: /sys/firmware/plpks/config/total_size 26 + Date: February 2023 27 + Contact: Nayna Jain <nayna@linux.ibm.com> 28 + Description: Total size of the PLPKS in bytes, represented in ASCII decimal 29 + format. 30 + 31 + What: /sys/firmware/plpks/config/used_space 32 + Date: February 2023 33 + Contact: Nayna Jain <nayna@linux.ibm.com> 34 + Description: Current space consumed by the key store, in bytes, represented 35 + in ASCII decimal format. 36 + 37 + What: /sys/firmware/plpks/config/supported_policies 38 + Date: February 2023 39 + Contact: Nayna Jain <nayna@linux.ibm.com> 40 + Description: Bitmask of supported policy flags by the hypervisor, represented 41 + as an 8 byte hexadecimal ASCII string. Consult the hypervisor 42 + documentation for what these flags are. 
43 + 44 + What: /sys/firmware/plpks/config/signed_update_algorithms 45 + Date: February 2023 46 + Contact: Nayna Jain <nayna@linux.ibm.com> 47 + Description: Bitmask of flags indicating which algorithms the hypervisor 48 + supports for signed update of objects, represented as a 16 byte 49 + hexadecimal ASCII string. Consult the hypervisor documentation 50 + for what these flags mean.
-65
Documentation/ABI/testing/sysfs-secvar
··· 63 63 Description: A write-only file that is used to submit the new value for the 64 64 variable. The size of the file represents the maximum size of 65 65 the variable data that can be written. 66 - 67 - What: /sys/firmware/secvar/config 68 - Date: February 2023 69 - Contact: Nayna Jain <nayna@linux.ibm.com> 70 - Description: This optional directory contains read-only config attributes as 71 - defined by the secure variable implementation. All data is in 72 - ASCII format. The directory is only created if the backing 73 - implementation provides variables to populate it, which at 74 - present is only PLPKS on the pseries platform. 75 - 76 - What: /sys/firmware/secvar/config/version 77 - Date: February 2023 78 - Contact: Nayna Jain <nayna@linux.ibm.com> 79 - Description: Config version as reported by the hypervisor in ASCII decimal 80 - format. 81 - 82 - Currently only provided by PLPKS on the pseries platform. 83 - 84 - What: /sys/firmware/secvar/config/max_object_size 85 - Date: February 2023 86 - Contact: Nayna Jain <nayna@linux.ibm.com> 87 - Description: Maximum allowed size of objects in the keystore in bytes, 88 - represented in ASCII decimal format. 89 - 90 - This is not necessarily the same as the max size that can be 91 - written to an update file as writes can contain more than 92 - object data, you should use the size of the update file for 93 - that purpose. 94 - 95 - Currently only provided by PLPKS on the pseries platform. 96 - 97 - What: /sys/firmware/secvar/config/total_size 98 - Date: February 2023 99 - Contact: Nayna Jain <nayna@linux.ibm.com> 100 - Description: Total size of the PLPKS in bytes, represented in ASCII decimal 101 - format. 102 - 103 - Currently only provided by PLPKS on the pseries platform. 
104 - 105 - What: /sys/firmware/secvar/config/used_space 106 - Date: February 2023 107 - Contact: Nayna Jain <nayna@linux.ibm.com> 108 - Description: Current space consumed by the key store, in bytes, represented 109 - in ASCII decimal format. 110 - 111 - Currently only provided by PLPKS on the pseries platform. 112 - 113 - What: /sys/firmware/secvar/config/supported_policies 114 - Date: February 2023 115 - Contact: Nayna Jain <nayna@linux.ibm.com> 116 - Description: Bitmask of supported policy flags by the hypervisor, 117 - represented as an 8 byte hexadecimal ASCII string. Consult the 118 - hypervisor documentation for what these flags are. 119 - 120 - Currently only provided by PLPKS on the pseries platform. 121 - 122 - What: /sys/firmware/secvar/config/signed_update_algorithms 123 - Date: February 2023 124 - Contact: Nayna Jain <nayna@linux.ibm.com> 125 - Description: Bitmask of flags indicating which algorithms the hypervisor 126 - supports for signed update of objects, represented as a 16 byte 127 - hexadecimal ASCII string. Consult the hypervisor documentation 128 - for what these flags mean. 129 - 130 - Currently only provided by PLPKS on the pseries platform.
+5
arch/powerpc/include/asm/plpks.h
··· 13 13 14 14 #include <linux/types.h> 15 15 #include <linux/list.h> 16 + #include <linux/kobject.h> 16 17 17 18 // Object policy flags from supported_policies 18 19 #define PLPKS_OSSECBOOTAUDIT PPC_BIT32(1) // OS secure boot must be audit/enforce ··· 108 107 void plpks_early_init_devtree(void); 109 108 110 109 int plpks_populate_fdt(void *fdt); 110 + 111 + int plpks_config_create_softlink(struct kobject *from); 111 112 #else // CONFIG_PSERIES_PLPKS 112 113 static inline bool plpks_is_available(void) { return false; } 113 114 static inline u16 plpks_get_passwordlen(void) { BUILD_BUG(); } 114 115 static inline void plpks_early_init_devtree(void) { } 115 116 static inline int plpks_populate_fdt(void *fdt) { BUILD_BUG(); } 117 + static inline int plpks_config_create_softlink(struct kobject *from) 118 + { return 0; } 116 119 #endif // CONFIG_PSERIES_PLPKS 117 120 118 121 #endif // _ASM_POWERPC_PLPKS_H
-1
arch/powerpc/include/asm/secvar.h
··· 20 20 int (*set)(const char *key, u64 key_len, u8 *data, u64 data_size); 21 21 ssize_t (*format)(char *buf, size_t bufsize); 22 22 int (*max_size)(u64 *max_size); 23 - const struct attribute **config_attrs; 24 23 25 24 // NULL-terminated array of fixed variable names 26 25 // Only used if get_next() isn't provided
+6 -15
arch/powerpc/kernel/secvar-sysfs.c
··· 12 12 #include <linux/string.h> 13 13 #include <linux/of.h> 14 14 #include <asm/secvar.h> 15 + #include <asm/plpks.h> 15 16 16 17 #define NAME_MAX_SIZE 1024 17 18 ··· 146 145 return 0; 147 146 } 148 147 149 - static __init int secvar_sysfs_config(struct kobject *kobj) 150 - { 151 - struct attribute_group config_group = { 152 - .name = "config", 153 - .attrs = (struct attribute **)secvar_ops->config_attrs, 154 - }; 155 - 156 - if (secvar_ops->config_attrs) 157 - return sysfs_create_group(kobj, &config_group); 158 - 159 - return 0; 160 - } 161 - 162 148 static __init int add_var(const char *name) 163 149 { 164 150 struct kobject *kobj; ··· 248 260 goto err; 249 261 } 250 262 251 - rc = secvar_sysfs_config(secvar_kobj); 263 + rc = plpks_config_create_softlink(secvar_kobj); 252 264 if (rc) { 253 - pr_err("Failed to create config directory\n"); 265 + pr_err("Failed to create softlink to PLPKS config directory"); 254 266 goto err; 255 267 } 268 + 269 + pr_info("/sys/firmware/secvar/config is now deprecated.\n"); 270 + pr_info("Will be removed in future versions.\n"); 256 271 257 272 if (secvar_ops->get_next) 258 273 rc = secvar_sysfs_load();
+1 -1
arch/powerpc/platforms/pseries/Makefile
··· 30 30 obj-$(CONFIG_PPC_SPLPAR) += vphn.o 31 31 obj-$(CONFIG_PPC_SVM) += svm.o 32 32 obj-$(CONFIG_FA_DUMP) += rtas-fadump.o 33 - obj-$(CONFIG_PSERIES_PLPKS) += plpks.o 33 + obj-$(CONFIG_PSERIES_PLPKS) += plpks.o plpks-sysfs.o 34 34 obj-$(CONFIG_PPC_SECURE_BOOT) += plpks-secvar.o 35 35 obj-$(CONFIG_PSERIES_PLPKS_SED) += plpks_sed_ops.o 36 36 obj-$(CONFIG_SUSPEND) += suspend.o
-29
arch/powerpc/platforms/pseries/plpks-secvar.c
··· 20 20 #include <asm/secvar.h> 21 21 #include <asm/plpks.h> 22 22 23 - // Config attributes for sysfs 24 - #define PLPKS_CONFIG_ATTR(name, fmt, func) \ 25 - static ssize_t name##_show(struct kobject *kobj, \ 26 - struct kobj_attribute *attr, \ 27 - char *buf) \ 28 - { \ 29 - return sysfs_emit(buf, fmt, func()); \ 30 - } \ 31 - static struct kobj_attribute attr_##name = __ATTR_RO(name) 32 - 33 - PLPKS_CONFIG_ATTR(version, "%u\n", plpks_get_version); 34 - PLPKS_CONFIG_ATTR(max_object_size, "%u\n", plpks_get_maxobjectsize); 35 - PLPKS_CONFIG_ATTR(total_size, "%u\n", plpks_get_totalsize); 36 - PLPKS_CONFIG_ATTR(used_space, "%u\n", plpks_get_usedspace); 37 - PLPKS_CONFIG_ATTR(supported_policies, "%08x\n", plpks_get_supportedpolicies); 38 - PLPKS_CONFIG_ATTR(signed_update_algorithms, "%016llx\n", plpks_get_signedupdatealgorithms); 39 - 40 - static const struct attribute *config_attrs[] = { 41 - &attr_version.attr, 42 - &attr_max_object_size.attr, 43 - &attr_total_size.attr, 44 - &attr_used_space.attr, 45 - &attr_supported_policies.attr, 46 - &attr_signed_update_algorithms.attr, 47 - NULL, 48 - }; 49 - 50 23 static u32 get_policy(const char *name) 51 24 { 52 25 if ((strcmp(name, "db") == 0) || ··· 198 225 .set = plpks_set_variable, 199 226 .format = plpks_secvar_format, 200 227 .max_size = plpks_max_size, 201 - .config_attrs = config_attrs, 202 228 .var_names = plpks_var_names_static, 203 229 }; 204 230 ··· 206 234 .set = plpks_set_variable, 207 235 .format = plpks_secvar_format, 208 236 .max_size = plpks_max_size, 209 - .config_attrs = config_attrs, 210 237 .var_names = plpks_var_names_dynamic, 211 238 }; 212 239
+94
arch/powerpc/platforms/pseries/plpks-sysfs.c
··· 1 + // SPDX-License-Identifier: GPL-2.0-only 2 + /* 3 + * Copyright (C) 2025 IBM Corporation, Srish Srinivasan <ssrish@linux.ibm.com> 4 + * 5 + * This code exposes PLPKS config to user via sysfs 6 + */ 7 + 8 + #define pr_fmt(fmt) "plpks-sysfs: "fmt 9 + 10 + #include <linux/init.h> 11 + #include <linux/printk.h> 12 + #include <linux/types.h> 13 + #include <asm/machdep.h> 14 + #include <asm/plpks.h> 15 + 16 + /* config attributes for sysfs */ 17 + #define PLPKS_CONFIG_ATTR(name, fmt, func) \ 18 + static ssize_t name##_show(struct kobject *kobj, \ 19 + struct kobj_attribute *attr, \ 20 + char *buf) \ 21 + { \ 22 + return sysfs_emit(buf, fmt, func()); \ 23 + } \ 24 + static struct kobj_attribute attr_##name = __ATTR_RO(name) 25 + 26 + PLPKS_CONFIG_ATTR(version, "%u\n", plpks_get_version); 27 + PLPKS_CONFIG_ATTR(max_object_size, "%u\n", plpks_get_maxobjectsize); 28 + PLPKS_CONFIG_ATTR(total_size, "%u\n", plpks_get_totalsize); 29 + PLPKS_CONFIG_ATTR(used_space, "%u\n", plpks_get_usedspace); 30 + PLPKS_CONFIG_ATTR(supported_policies, "%08x\n", plpks_get_supportedpolicies); 31 + PLPKS_CONFIG_ATTR(signed_update_algorithms, "%016llx\n", 32 + plpks_get_signedupdatealgorithms); 33 + 34 + static const struct attribute *config_attrs[] = { 35 + &attr_version.attr, 36 + &attr_max_object_size.attr, 37 + &attr_total_size.attr, 38 + &attr_used_space.attr, 39 + &attr_supported_policies.attr, 40 + &attr_signed_update_algorithms.attr, 41 + NULL, 42 + }; 43 + 44 + static struct kobject *plpks_kobj, *plpks_config_kobj; 45 + 46 + int plpks_config_create_softlink(struct kobject *from) 47 + { 48 + if (!plpks_config_kobj) 49 + return -EINVAL; 50 + return sysfs_create_link(from, plpks_config_kobj, "config"); 51 + } 52 + 53 + static __init int plpks_sysfs_config(struct kobject *kobj) 54 + { 55 + struct attribute_group config_group = { 56 + .name = NULL, 57 + .attrs = (struct attribute **)config_attrs, 58 + }; 59 + 60 + return sysfs_create_group(kobj, &config_group); 61 + } 62 + 63 + static 
__init int plpks_sysfs_init(void) 64 + { 65 + int rc; 66 + 67 + if (!plpks_is_available()) 68 + return -ENODEV; 69 + 70 + plpks_kobj = kobject_create_and_add("plpks", firmware_kobj); 71 + if (!plpks_kobj) { 72 + pr_err("Failed to create plpks kobj\n"); 73 + return -ENOMEM; 74 + } 75 + 76 + plpks_config_kobj = kobject_create_and_add("config", plpks_kobj); 77 + if (!plpks_config_kobj) { 78 + pr_err("Failed to create plpks config kobj\n"); 79 + kobject_put(plpks_kobj); 80 + return -ENOMEM; 81 + } 82 + 83 + rc = plpks_sysfs_config(plpks_config_kobj); 84 + if (rc) { 85 + pr_err("Failed to create attribute group for plpks config\n"); 86 + kobject_put(plpks_config_kobj); 87 + kobject_put(plpks_kobj); 88 + return rc; 89 + } 90 + 91 + return 0; 92 + } 93 + 94 + machine_subsys_initcall(pseries, plpks_sysfs_init);
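
Review bot: In Documentation/ABI/testing/sysfs-firmware-plpks, every new entry carries "Date: February 2023", the same date as the removed /sys/firmware/secvar/config entries, although the /sys/firmware/plpks/config path is first created by this patch. The Date fields should give the date the new path is introduced, so that someone checking which kernels expose /sys/firmware/plpks is not misled. The max_object_size description also has a comma splice ("object data, you should use ..."); split it into two sentences while the text is being moved.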
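
Review bot: The removal in Documentation/ABI/testing/sysfs-secvar drops every mention of /sys/firmware/secvar/config, yet the commit message says that path remains as a soft link for backwards compatibility. Keep a short entry for /sys/firmware/secvar/config that marks it as deprecated and points to /sys/firmware/plpks/config, so that users who find the link, or see the deprecation message in the kernel log, have something to look up.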
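
Review bot: In arch/powerpc/include/asm/plpks.h, the new prototype plpks_config_create_softlink(struct kobject *from) only needs the type name, so a forward declaration "struct kobject;" would be enough instead of pulling <linux/kobject.h> into every user of this header. A short comment on the return value would also help, because the stub under the #else branch always returns 0 while the real function can fail.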
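
Review bot: In the last hunk of arch/powerpc/kernel/secvar-sysfs.c, a non-zero return from plpks_config_create_softlink() now takes the "goto err" path, whereas the removed secvar_sysfs_config() returned 0 when the backend had no config_attrs. plpks_config_create_softlink() returns -EINVAL whenever plpks_config_kobj is NULL, so on a kernel built with CONFIG_PSERIES_PLPKS where plpks_sysfs_init() has not run or has failed, the secvar sysfs setup would fail over an optional, deprecated link; consider logging and continuing in that case. The two pr_info() deprecation lines are also printed when the stub returned 0 and no link exists, and the new pr_err() string has lost the trailing "\n" that the line it replaces had.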
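
Review bot: In plpks_sysfs_init() in arch/powerpc/platforms/pseries/plpks-sysfs.c, the error path after plpks_sysfs_config() calls kobject_put(plpks_config_kobj) but leaves the static pointer set, so the "if (!plpks_config_kobj)" check in plpks_config_create_softlink() would pass and sysfs_create_link() would be handed a released kobject. Set plpks_config_kobj and plpks_kobj to NULL after the puts. Separately, plpks_sysfs_config() casts away const on config_attrs and builds an unnamed attribute_group on the stack; sysfs_create_files(kobj, config_attrs) would avoid both. The file also uses sysfs_emit() and -EINVAL without including <linux/sysfs.h> and <linux/errno.h> directly.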