| .. _secvar/edk2: |
| |
| Skiboot edk2-compatible Secure Variable Backend |
| =============================================== |
| |
| Overview |
| -------- |
| |
| The edk2 secure variable backend for skiboot borrows from edk2 concepts |
| such as the three key hierarchy (PK, KEK, and db), and a similar |
| structure. In general, variable updates must be signed with a key |
| of a higher level. So, updates to the db must be signed with a key stored |
| in the KEK; updates to the KEK must be signed with the PK. Updates to the |
| PK must be signed with the previous PK (if any). |
| |
| Variables are stored in the efi signature list format, and updates are a |
| signed variant that includes an authentication header. |
| |
| If no PK is currently enrolled, the system is considered to be in "Setup |
| Mode". Any key can be enrolled without signature checks. However, once a |
| PK is enrolled, the system switches to "User Mode", and each update must |
| now be signed according to the hierarchy. Furthermore, when in "User |
| Mode", the backend initialized the ``os-secure-mode`` device tree flag, |
| signaling to the kernel that we are in secure mode. |
| |
| Updates are processed sequentially, in the order that they were provided |
| in the update queue. If any update fails to validate, appears to be |
| malformed, or any other error occurs, NO updates will not be applied. |
| This includes updates that may have successfully applied prior to the |
| error. The system will continue in an error state, reporting the error |
| reason via the ``update-status`` device tree property. |
| |
| P9 Special Case for the Platform Key |
| ------------------------------------ |
| |
| Due to the powerful nature of the platform key and the lack of lockable |
| flash, the edk2 backend will store the PK in TPM NV rather than PNOR on |
| P9 systems. (TODO expand on this) |
| |
| Update Status Return Codes |
| -------------------------- |
| |
| TODO, edk2 driver needs to actually return these properly first |
| |
| |
| Device Tree Bindings |
| -------------------- |
| |
| TODO |