87562bc5c1
As part of secureboot key management, the scheme for handling key updates is derived from the tianocore reference implementation[1]. The wrapper for holding the signed update is the Authentication Header, and the wrapper for holding the public key certificate is the ESL (EFI Signature List); both are derived from the tianocore reference implementation[1]. This patch adds support for processing the update queue. This involves: 1. Verification of the update signature using the key authorized as per the key hierarchy 2. Handling addition/deletion of keys 3. Support for dbx (blacklisting of hashes) 4. Validation checks for the updates 5. Support for multiple ESLs in a single variable, both for update and verification 6. Timestamp check 7. Allowing only a single PK 8. Failure handling 9. Resetting the keystore if the hardware key hash changes [1] https://github.com/tianocore/edk2-staging.git Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Signed-off-by: Eric Richter <erichte@linux.ibm.com> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
/* Copyright 2019 IBM Corp. */
#ifndef _SECVAR_DRIVER_
#define _SECVAR_DRIVER_
#include <stdint.h>
struct secvar;
/*
 * Storage driver: the set of callbacks secvar uses to persist the variable
 * and update banks to a backing store. An instance (secboot_tpm_driver) is
 * declared further down in this header.
 *
 * NOTE(review): struct list_head is neither included nor forward-declared
 * here (only <stdint.h> is included and only struct secvar is forward-
 * declared), so this header relies on the includer having pulled in the
 * list definitions first.
 *
 * Return conventions for the int callbacks are not stated in this header;
 * presumably 0 on success and non-zero on failure — confirm against the
 * driver implementation.
 */
struct secvar_storage_driver {
	/* Presumably fills @bank from storage section @section — TODO confirm. */
	int (*load_bank)(struct list_head *bank, int section);
	/* Presumably writes @bank out to storage section @section — TODO confirm. */
	int (*write_bank)(struct list_head *bank, int section);
	/* Initialise the backing store before any bank is loaded or written. */
	int (*store_init)(void);
	/*
	 * Lock the store against further access. Returns void, so the caller
	 * has no way to learn that a lockdown failed; check how callers
	 * treat this if the store can refuse to lock.
	 */
	void (*lockdown)(void);
	/* Largest single variable the store can hold, in bytes (assumed unit — confirm). */
	uint64_t max_var_size;
};
/*
 * Backend driver: the policy side of secvar. It decides how the queued
 * updates in @update_bank are checked and applied to @variable_bank. An
 * instance (edk2_compatible_v1) is declared further down in this header.
 *
 * The three *_process callbacks take the same two banks; their relative
 * ordering (pre_process, then process, then post_process) is implied by
 * the names and comments only — confirm against the caller.
 *
 * Return conventions for the int callbacks are not stated in this header;
 * presumably 0 on success and non-zero on failure, except validate, which
 * is documented below as returning a boolean.
 */
struct secvar_backend_driver {
	/* Perform any pre-processing stuff (e.g. determine secure boot state) */
	int (*pre_process)(struct list_head *variable_bank,
			   struct list_head *update_bank);

	/*
	 * Process all updates. This is where the update signature check and
	 * any add/delete of keys happens for the backend; an update that
	 * fails verification must not reach @variable_bank.
	 */
	int (*process)(struct list_head *variable_bank,
		       struct list_head *update_bank);

	/* Perform any post-processing stuff (e.g. derive/update variables)*/
	int (*post_process)(struct list_head *variable_bank,
			    struct list_head *update_bank);

	/*
	 * Validate a single variable, return boolean. Declared as int, so
	 * callers should test for non-zero rather than comparing against 1.
	 */
	int (*validate)(struct secvar *var);

	/* String to use for compatible in secvar node */
	const char *compatible;
};
/* Storage driver instance; the name suggests a TPM-backed store — confirm in its definition. */
extern struct secvar_storage_driver secboot_tpm_driver;
/* Backend driver instance; the name suggests the EDK2-compatible variable format, v1 — confirm. */
extern struct secvar_backend_driver edk2_compatible_v1;

/*
 * Entry point for the secure variable subsystem, given a storage driver
 * and a backend driver.
 *
 * NOTE(review): both drivers are passed by value, so the callee operates
 * on copies of the driver structs; a later change to the global instances
 * above is not seen by secvar_main. The prototype also omits parameter
 * names, which makes the argument order harder to read at call sites.
 */
int secvar_main(struct secvar_storage_driver, struct secvar_backend_driver);
#endif