summaryrefslogtreecommitdiff
path: root/Documentation/ABI/testing/sysfs-secvar
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation/ABI/testing/sysfs-secvar')
-rw-r--r--Documentation/ABI/testing/sysfs-secvar82
1 files changed, 14 insertions, 68 deletions
diff --git a/Documentation/ABI/testing/sysfs-secvar b/Documentation/ABI/testing/sysfs-secvar
index 857cf12b0904..c52a5fd15709 100644
--- a/Documentation/ABI/testing/sysfs-secvar
+++ b/Documentation/ABI/testing/sysfs-secvar
@@ -22,9 +22,13 @@ Description: A string indicating which backend is in use by the firmware.
and is expected to be "ibm,edk2-compat-v1".
On pseries/PLPKS, this is generated by the kernel based on the
- version number in the SB_VERSION variable in the keystore, and
- has the form "ibm,plpks-sb-v<version>", or
- "ibm,plpks-sb-unknown" if there is no SB_VERSION variable.
+ version number in the SB_VERSION variable in the keystore. The
+ version numbering in the SB_VERSION variable starts from 1. The
+ format string takes the form "ibm,plpks-sb-v<version>" in the
+ case of dynamic key management mode. If the SB_VERSION variable
+ does not exist (or there is an error while reading it), it takes
+ the form "ibm,plpks-sb-v0", indicating that the key management
+ mode is static.
What: /sys/firmware/secvar/vars/<variable name>
Date: August 2019
@@ -34,6 +38,13 @@ Description: Each secure variable is represented as a directory named as
representation. The data and size can be determined by reading
their respective attribute files.
+ Only secvars relevant to the key management mode are exposed.
+ Only in the dynamic key management mode should the user have
+ access (read and write) to the secure boot secvars db, dbx,
+ grubdb, grubdbx, and sbat. These secvars are not consumed in the
+ static key management mode. PK, trustedcadb and moduledb are the
+ secvars common to both static and dynamic key management modes.
+
What: /sys/firmware/secvar/vars/<variable_name>/size
Date: August 2019
Contact: Nayna Jain <nayna@linux.ibm.com>
@@ -52,68 +63,3 @@ Contact: Nayna Jain <nayna@linux.ibm.com>
Description: A write-only file that is used to submit the new value for the
variable. The size of the file represents the maximum size of
the variable data that can be written.
-
-What: /sys/firmware/secvar/config
-Date: February 2023
-Contact: Nayna Jain <nayna@linux.ibm.com>
-Description: This optional directory contains read-only config attributes as
- defined by the secure variable implementation. All data is in
- ASCII format. The directory is only created if the backing
- implementation provides variables to populate it, which at
- present is only PLPKS on the pseries platform.
-
-What: /sys/firmware/secvar/config/version
-Date: February 2023
-Contact: Nayna Jain <nayna@linux.ibm.com>
-Description: Config version as reported by the hypervisor in ASCII decimal
- format.
-
- Currently only provided by PLPKS on the pseries platform.
-
-What: /sys/firmware/secvar/config/max_object_size
-Date: February 2023
-Contact: Nayna Jain <nayna@linux.ibm.com>
-Description: Maximum allowed size of objects in the keystore in bytes,
- represented in ASCII decimal format.
-
- This is not necessarily the same as the max size that can be
- written to an update file as writes can contain more than
- object data, you should use the size of the update file for
- that purpose.
-
- Currently only provided by PLPKS on the pseries platform.
-
-What: /sys/firmware/secvar/config/total_size
-Date: February 2023
-Contact: Nayna Jain <nayna@linux.ibm.com>
-Description: Total size of the PLPKS in bytes, represented in ASCII decimal
- format.
-
- Currently only provided by PLPKS on the pseries platform.
-
-What: /sys/firmware/secvar/config/used_space
-Date: February 2023
-Contact: Nayna Jain <nayna@linux.ibm.com>
-Description: Current space consumed by the key store, in bytes, represented
- in ASCII decimal format.
-
- Currently only provided by PLPKS on the pseries platform.
-
-What: /sys/firmware/secvar/config/supported_policies
-Date: February 2023
-Contact: Nayna Jain <nayna@linux.ibm.com>
-Description: Bitmask of supported policy flags by the hypervisor,
- represented as an 8 byte hexadecimal ASCII string. Consult the
- hypervisor documentation for what these flags are.
-
- Currently only provided by PLPKS on the pseries platform.
-
-What: /sys/firmware/secvar/config/signed_update_algorithms
-Date: February 2023
-Contact: Nayna Jain <nayna@linux.ibm.com>
-Description: Bitmask of flags indicating which algorithms the hypervisor
- supports for signed update of objects, represented as a 16 byte
- hexadecimal ASCII string. Consult the hypervisor documentation
- for what these flags mean.
-
- Currently only provided by PLPKS on the pseries platform.