File 0003-ppc-make-secure-boot-and-trusted-boot-mode-configura.patch of Package qemu
From 91582a09ee1eab29e6597db8e8324dff91aed93c Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 28 Sep 2020 10:47:50 +1000
Subject: [PATCH 3/3] ppc: make secure-boot and trusted-boot mode configurable
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 hw/ppc/spapr.c | 50 +++++++++++++++++++++++++++++++++++++++---
 include/hw/ppc/spapr.h | 4 ++++
 2 files changed, 51 insertions(+), 3 deletions(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index a0514d4dc0..44a3acd715 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1117,9 +1117,16 @@ static void spapr_dt_hypervisor(SpaprMachineState *spapr, void *fdt)
 static void spapr_dt_stb(SpaprMachineState *spapr, void *fdt)
 {
- _FDT(fdt_setprop_cell(fdt, 0, "ibm,fw-secure-boot", 1));
- _FDT(fdt_setprop_cell(fdt, 0, "ibm,secure-boot", 2));
- _FDT(fdt_setprop_cell(fdt, 0, "ibm,trusted-boot", 1));
+ /*
+ * This is not meaningful for KVM as there's no agreed semantics
+ * for what fw-secure-boot would mean (host secure boot only gives you
+ * integrity for the host kernel, not host qemu). Leave it off for now.
+ * _FDT(fdt_setprop_cell(fdt, 0, "ibm,fw-secure-boot", 1));
+ */
+ if (spapr->secure_boot)
+ _FDT(fdt_setprop_cell(fdt, 0, "ibm,secure-boot", 2));
+ if (spapr->trusted_boot)
+ _FDT(fdt_setprop_cell(fdt, 0, "ibm,trusted-boot", 1));
 }
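Review bot: The `if (spapr->trusted_boot)` branch in spapr_dt_stb advertises `ibm,trusted-boot` without checking that a TPM device is attached, although the option's own description later in this patch says trusted boot requires a TPM. A guest started with trusted-boot=on and no vTPM would be told that measurements are taken when there is nowhere to record them. Unless this is validated elsewhere in the series, I would warn or refuse at machine init, along the lines of `if (spapr->trusted_boot && !tpm_find()) { warn_report("trusted-boot=on but no TPM device is configured"); }`. The literal `2` written to `ibm,secure-boot` also deserves a comment such as `/* 2 = enforcing */` (to be confirmed against the firmware's definition of the property), and both new `if` bodies should be braced as QEMU's coding style asks.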
@@ -3326,6 +3333,34 @@ static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
 spapr->host_serial = g_strdup(value);
 }
+static bool spapr_get_secure_boot(Object *obj, Error **errp)
+{
+ SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+ return spapr->secure_boot;
+}
+
+static void spapr_set_secure_boot(Object *obj, bool value, Error **errp)
+{
+ SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+ spapr->secure_boot = value;
+}
+
+static bool spapr_get_trusted_boot(Object *obj, Error **errp)
+{
+ SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+ return spapr->trusted_boot;
+}
+
+static void spapr_set_trusted_boot(Object *obj, bool value, Error **errp)
+{
+ SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+ spapr->trusted_boot = value;
+}
+
 static void spapr_instance_init(Object *obj)
 {
 SpaprMachineState *spapr = SPAPR_MACHINE(obj);
@@ -3404,6 +3439,15 @@ static void spapr_instance_init(Object *obj)
 spapr_get_host_serial, spapr_set_host_serial);
 object_property_set_description(obj, "host-serial",
 "Host serial number to advertise in guest device tree");
+
+ object_property_add_bool(obj, "secure-boot",
+ spapr_get_secure_boot, spapr_set_secure_boot);
+ object_property_set_description(obj, "secure-boot",
+ "Enforce secure boot (where supported by firmware)");
+ object_property_add_bool(obj, "trusted-boot",
+ spapr_get_trusted_boot, spapr_set_trusted_boot);
+ object_property_set_description(obj, "trusted-boot",
+ "Enable trusted boot (where supported by firmware, requires TPM)");
 }
 static void spapr_machine_finalizefn(Object *obj)
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 637652ad16..aae2137a5d 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -230,6 +230,10 @@ struct SpaprMachineState {
 /* Set by -boot */
 char *boot_device;
+ /* Secure and Trusted Boot */
+ bool secure_boot;
+ bool trusted_boot;
+
 /*< public >*/
 char *kvm_type;
 char *host_model;
--
2.33.1
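Review bot: `spapr_set_secure_boot` and `spapr_set_trusted_boot` store the value unconditionally and never use `errp`, so nothing in these setters stops the property from being written after the machine has been created. The fields are read when spapr_dt_stb builds the device tree, so if that tree is rebuilt on reset (not visible in this patch) a later write would change the guest's secure-boot state on its next boot without leaving any trace. If that is not intended, reject late writes through `errp`; at minimum document it on the setters, e.g. `/* Consumed when the guest device tree is built; a later change only takes effect on the next rebuild. */`.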
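Review bot: The description `"Enforce secure boot (where supported by firmware)"` in the spapr_instance_init hunk overstates what the option does: in this patch the flag only makes spapr_dt_stb write `ibm,secure-boot` into the device tree, and the verification itself is left to guest firmware. An operator reading the property help could take the text as a guarantee given by QEMU. I would word it as `"Advertise enforcing secure boot to guest firmware (verification is done by firmware)"`, and state the default in both descriptions, since the new fields appear to start out false while the code being replaced always advertised both properties. spapr_instance_init begins outside this hunk, so any default set earlier in the function is not visible here.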