File 0003-ppc-make-secure-boot-and-trusted-boot-mode-configura.patch of Package qemu

From 91582a09ee1eab29e6597db8e8324dff91aed93c Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 28 Sep 2020 10:47:50 +1000
Subject: [PATCH 3/3] ppc: make secure-boot and trusted-boot mode configurable

Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 hw/ppc/spapr.c         | 50 +++++++++++++++++++++++++++++++++++++++---
 include/hw/ppc/spapr.h |  4 ++++
 2 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index a0514d4dc0..44a3acd715 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1117,9 +1117,16 @@ static void spapr_dt_hypervisor(SpaprMachineState *spapr, void *fdt)
 
 static void spapr_dt_stb(SpaprMachineState *spapr, void *fdt)
 {
-    _FDT(fdt_setprop_cell(fdt, 0, "ibm,fw-secure-boot", 1));
-    _FDT(fdt_setprop_cell(fdt, 0, "ibm,secure-boot", 2));
-    _FDT(fdt_setprop_cell(fdt, 0, "ibm,trusted-boot", 1));
+    /*
+     * This is not meaningful for KVM as there's no agreed semantics
+     * for what fw-secure-boot would mean (host secure boot only gives you
+     * integrity for the host kernel, not host qemu). Leave it off for now.
+     * _FDT(fdt_setprop_cell(fdt, 0, "ibm,fw-secure-boot", 1));
+     */
+    if (spapr->secure_boot)
+        _FDT(fdt_setprop_cell(fdt, 0, "ibm,secure-boot", 2));
+    if (spapr->trusted_boot)
+        _FDT(fdt_setprop_cell(fdt, 0, "ibm,trusted-boot", 1));
 }
 
 
@@ -3326,6 +3333,34 @@ static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
     spapr->host_serial = g_strdup(value);
 }
 
+static bool spapr_get_secure_boot(Object *obj, Error **errp)
+{
+    SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+    return spapr->secure_boot;
+}
+
+static void spapr_set_secure_boot(Object *obj, bool value, Error **errp)
+{
+    SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+    spapr->secure_boot = value;
+}
+
+static bool spapr_get_trusted_boot(Object *obj, Error **errp)
+{
+    SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+    return spapr->trusted_boot;
+}
+
+static void spapr_set_trusted_boot(Object *obj, bool value, Error **errp)
+{
+    SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+    spapr->trusted_boot = value;
+}
+
 static void spapr_instance_init(Object *obj)
 {
     SpaprMachineState *spapr = SPAPR_MACHINE(obj);
@@ -3404,6 +3439,15 @@ static void spapr_instance_init(Object *obj)
         spapr_get_host_serial, spapr_set_host_serial);
     object_property_set_description(obj, "host-serial",
         "Host serial number to advertise in guest device tree");
+
+    object_property_add_bool(obj, "secure-boot",
+                             spapr_get_secure_boot, spapr_set_secure_boot);
+    object_property_set_description(obj, "secure-boot",
+                              "Enforce secure boot (where supported by firmware)");
+    object_property_add_bool(obj, "trusted-boot",
+                             spapr_get_trusted_boot, spapr_set_trusted_boot);
+    object_property_set_description(obj, "trusted-boot",
+                              "Enable trusted boot (where supported by firmware, requires TPM)");
 }
 
 static void spapr_machine_finalizefn(Object *obj)
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 637652ad16..aae2137a5d 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -230,6 +230,10 @@ struct SpaprMachineState {
     /* Set by -boot */
     char *boot_device;
 
+    /* Secure and Trusted Boot */
+    bool secure_boot;
+    bool trusted_boot;
+
     /*< public >*/
     char *kvm_type;
     char *host_model;
-- 
2.33.1

openSUSE Build Service is sponsored by