summaryrefslogtreecommitdiff
path: root/arch/powerpc/kexec
diff options
context:
space:
mode:
authorRussell Currey <ruscur@russell.cc>2023-02-10 19:03:58 +1100
committerMichael Ellerman <mpe@ellerman.id.au>2023-02-12 22:12:39 +1100
commit91361b5175d2b3704f7e436d0071893c839e1199 (patch)
tree3318c548606a0ca8d7a20a848c4a8e3941ff0b15 /arch/powerpc/kexec
parent9ee76bd5c7e39b622660cc14833ead1967f2038d (diff)
downloadlwn-91361b5175d2b3704f7e436d0071893c839e1199.tar.gz
lwn-91361b5175d2b3704f7e436d0071893c839e1199.zip
powerpc/pseries: Pass PLPKS password on kexec
Before interacting with the PLPKS, we ask the hypervisor to generate a password for the current boot, which is then required for most further PLPKS operations. If we kexec into a new kernel, the new kernel will try and fail to generate a new password, as the password has already been set. Pass the password through to the new kernel via the device tree, in /chosen/ibm,plpks-pw. Check for the presence of this property before trying to generate a new password - if it exists, use the existing password and remove it from the device tree. This only works with the kexec_file_load() syscall, not the older kexec_load() syscall, however if you're using Secure Boot then you want to be using kexec_file_load() anyway. Signed-off-by: Russell Currey <ruscur@russell.cc> Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20230210080401.345462-24-ajd@linux.ibm.com
Diffstat (limited to 'arch/powerpc/kexec')
-rw-r--r--arch/powerpc/kexec/file_load_64.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
index 9be3e818a240..ab80c492da31 100644
--- a/arch/powerpc/kexec/file_load_64.c
+++ b/arch/powerpc/kexec/file_load_64.c
@@ -28,6 +28,7 @@
#include <asm/crashdump-ppc64.h>
#include <asm/mmzone.h>
#include <asm/prom.h>
+#include <asm/plpks.h>
struct umem_info {
u64 *buf; /* data buffer for usable-memory property */
@@ -978,12 +979,17 @@ static unsigned int cpu_node_size(void)
*/
unsigned int kexec_extra_fdt_size_ppc64(struct kimage *image)
{
- unsigned int cpu_nodes, extra_size;
+ unsigned int cpu_nodes, extra_size = 0;
struct device_node *dn;
u64 usm_entries;
+ // Budget some space for the password blob. There's already extra space
+ // for the key name
+ if (plpks_is_available())
+ extra_size += (unsigned int)plpks_get_passwordlen();
+
if (image->type != KEXEC_TYPE_CRASH)
- return 0;
+ return extra_size;
/*
* For kdump kernel, account for linux,usable-memory and
@@ -993,9 +999,7 @@ unsigned int kexec_extra_fdt_size_ppc64(struct kimage *image)
if (drmem_lmb_size()) {
usm_entries = ((memory_hotplug_max() / drmem_lmb_size()) +
(2 * (resource_size(&crashk_res) / drmem_lmb_size())));
- extra_size = (unsigned int)(usm_entries * sizeof(u64));
- } else {
- extra_size = 0;
+ extra_size += (unsigned int)(usm_entries * sizeof(u64));
}
/*
@@ -1234,6 +1238,10 @@ int setup_new_fdt_ppc64(const struct kimage *image, void *fdt,
}
}
+ // If we have PLPKS active, we need to provide the password to the new kernel
+ if (plpks_is_available())
+ ret = plpks_populate_fdt(fdt);
+
out:
kfree(rmem);
kfree(umem);