File 0003-ppc-make-secure-boot-and-trusted-boot-mode-configura.patch of Package qemu
From 91582a09ee1eab29e6597db8e8324dff91aed93c Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 28 Sep 2020 10:47:50 +1000
Subject: [PATCH 3/3] ppc: make secure-boot and trusted-boot mode configurable
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
hw/ppc/spapr.c | 50 +++++++++++++++++++++++++++++++++++++++---
include/hw/ppc/spapr.h | 4 ++++
2 files changed, 51 insertions(+), 3 deletions(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index a0514d4dc0..44a3acd715 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1117,9 +1117,16 @@ static void spapr_dt_hypervisor(SpaprMachineState *spapr, void *fdt)
static void spapr_dt_stb(SpaprMachineState *spapr, void *fdt)
{
- _FDT(fdt_setprop_cell(fdt, 0, "ibm,fw-secure-boot", 1));
- _FDT(fdt_setprop_cell(fdt, 0, "ibm,secure-boot", 2));
- _FDT(fdt_setprop_cell(fdt, 0, "ibm,trusted-boot", 1));
+ /*
+ * This is not meaningful for KVM as there's no agreed semantics
+ * for what fw-secure-boot would mean (host secure boot only gives you
+ * integrity for the host kernel, not host qemu). Leave it off for now.
+ * _FDT(fdt_setprop_cell(fdt, 0, "ibm,fw-secure-boot", 1));
+ */
+ if (spapr->secure_boot)
+ _FDT(fdt_setprop_cell(fdt, 0, "ibm,secure-boot", 2));
+ if (spapr->trusted_boot)
+ _FDT(fdt_setprop_cell(fdt, 0, "ibm,trusted-boot", 1));
}
@@ -3326,6 +3333,34 @@ static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
spapr->host_serial = g_strdup(value);
}
+static bool spapr_get_secure_boot(Object *obj, Error **errp)
+{
+ SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+ return spapr->secure_boot;
+}
+
+static void spapr_set_secure_boot(Object *obj, bool value, Error **errp)
+{
+ SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+ spapr->secure_boot = value;
+}
+
+static bool spapr_get_trusted_boot(Object *obj, Error **errp)
+{
+ SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+ return spapr->trusted_boot;
+}
+
+static void spapr_set_trusted_boot(Object *obj, bool value, Error **errp)
+{
+ SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+ spapr->trusted_boot = value;
+}
+
static void spapr_instance_init(Object *obj)
{
SpaprMachineState *spapr = SPAPR_MACHINE(obj);
@@ -3404,6 +3439,15 @@ static void spapr_instance_init(Object *obj)
spapr_get_host_serial, spapr_set_host_serial);
object_property_set_description(obj, "host-serial",
"Host serial number to advertise in guest device tree");
+
+ object_property_add_bool(obj, "secure-boot",
+ spapr_get_secure_boot, spapr_set_secure_boot);
+ object_property_set_description(obj, "secure-boot",
+ "Enforce secure boot (where supported by firmware)");
+ object_property_add_bool(obj, "trusted-boot",
+ spapr_get_trusted_boot, spapr_set_trusted_boot);
+ object_property_set_description(obj, "trusted-boot",
+ "Enable trusted boot (where supported by firmware, requires TPM)");
}
static void spapr_machine_finalizefn(Object *obj)
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 637652ad16..aae2137a5d 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -230,6 +230,10 @@ struct SpaprMachineState {
/* Set by -boot */
char *boot_device;
+ /* Secure and Trusted Boot */
+ bool secure_boot;
+ bool trusted_boot;
+
/*< public >*/
char *kvm_type;
char *host_model;
--
2.33.1