From nobody Mon Jun 29 23:25:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A166AC433F5 for ; Tue, 1 Feb 2022 05:05:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231912AbiBAFFS (ORCPT ); Tue, 1 Feb 2022 00:05:18 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38850 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231557AbiBAFFO (ORCPT ); Tue, 1 Feb 2022 00:05:14 -0500 Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5A22AC06173B for ; Mon, 31 Jan 2022 21:05:14 -0800 (PST) Received: by mail-pl1-x635.google.com with SMTP id l13so5785233plg.9 for ; Mon, 31 Jan 2022 21:05:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=8HhN0Mo5AAEuJ7GLyfzVMfqoylDTPvGZrezMx4WuD1Y=; b=pQcqzwBzTMUt9lhcStTT9fwKTd+uM9KFGW/Xynp4UnrxScTW2VG33Teyi7PCL+v98j 6POqQnKQFswISlLtU1hDylQGsrJ0qYsaq8Fp6JhEs66Of+MKNRPSZneIImArPfuYgUn+ zdaF5/zKLPBZ77KtJF6uiTeUHGew/VLxlM3EFtTaz4Z926PX9SiXhaXButFkPqlVyWng 3eNlSiowJnArQTA46mnNNUkJtYWdXFQmJmkDIVTUrr7omZAivB/M4amoSlDdUx1iVUPa yAv9WWxSRi3tnMczSWHJyHkwcEhuIRWpBwSaoSDhBHx8pXgsfZK97aGdfPRMhVKs1Ect RQuw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=8HhN0Mo5AAEuJ7GLyfzVMfqoylDTPvGZrezMx4WuD1Y=; b=0giSZGWZfDv3EWxKae8gS4us0Bk/JvvPE1OLnKEy8tABVDfm0kXfbnogUHd2rUDFbS 4sYK99clW1GEfHxF48xRvL62C88ylCzGD5uumgZqj/bPnIbTtaTeY1TXmwH/PV4b0PH/ dmPxG68bOh1HXbJnI1AGiyVB2wLx6dMXmUIoChAqHTRAU5CtHpBfMk4wljS2LAK5OFT7 6U8mSlrW3oL7y36BnfqzolmjAirtY6whTcy+CnbQtmX11Fscv6TSHRq7JrKPHGu8ex74 iIf5cCbmQPLlKsnVDdWrSTNUl8HGYB3YHdvPYfB4h7AaEB1z50+bQx4uat+DnqW4XqWO s3Uw== X-Gm-Message-State: AOAM532S14LHXN34uCaJs+T7oax5X/14ANh3c6WRT4xaM1BLuongQbwm RSToN27f2ujYnMITvy0+qKU= X-Google-Smtp-Source: ABdhPJz5avUIU4+X4vd3nMCzoEWBcmSaRvczxUqWfR52EfwhLQGqxyCpeHdGLQIZDWK9NzHJ6jgwxQ== X-Received: by 2002:a17:90a:f298:: with SMTP id fs24mr350977pjb.75.1643691913680; Mon, 31 Jan 2022 21:05:13 -0800 (PST) Received: from voyager.lan ([45.124.203.14]) by smtp.gmail.com with ESMTPSA id u37sm6181991pga.2.2022.01.31.21.05.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 31 Jan 2022 21:05:13 -0800 (PST) Sender: "joel.stan@gmail.com" From: Joel Stanley To: Arnd Bergmann , Andrew Jeffery , Greg Kroah-Hartman , "Rafael J . Wysocki" Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-aspeed@lists.ozlabs.org Subject: [PATCH 1/2] firmware: Add boot information sysfs Date: Tue, 1 Feb 2022 15:35:00 +1030 Message-Id: <20220201050501.182961-2-joel@jms.id.au> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220201050501.182961-1-joel@jms.id.au> References: <20220201050501.182961-1-joel@jms.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Machines often have firmware that perform some action before Linux is loaded. It's useful to know how this firmware is configured, so create a sysfs directory and some example properties that a system can choose to expose to describe how the system was started. Currently the intended use describes five files, relating to hardware root of trust configuration. Signed-off-by: Joel Stanley --- .../ABI/testing/sysfs-firmware-bootinfo | 43 +++++++++++++++++++ drivers/base/firmware.c | 14 ++++++ include/linux/firmware_bootinfo.h | 8 ++++ 3 files changed, 65 insertions(+) create mode 100644 Documentation/ABI/testing/sysfs-firmware-bootinfo create mode 100644 include/linux/firmware_bootinfo.h diff --git a/Documentation/ABI/testing/sysfs-firmware-bootinfo b/Documentat= ion/ABI/testing/sysfs-firmware-bootinfo new file mode 100644 index 000000000000..cd6c42316345 --- /dev/null +++ b/Documentation/ABI/testing/sysfs-firmware-bootinfo @@ -0,0 +1,43 @@ +What: /sys/firmware/bootinfo/* +Date: Jan 2022 +Description: + A system can expose information about how it was started in + this directory. + + This information is agnostic as to the firmware implementation. + + A system may expose a subset of these properties as applicable. + + +What: /sys/firmware/bootinfo/secure_boot +Date: Jan 2022 +Description: + Indicates the system was started with secure boot enabled in + the firmware. + + +What: /sys/firmware/bootinfo/abr_image +Date: Jan 2022 +Description: + Indicates the system was started from the alternate image + loaded from an Alternate Boot Region. Often this is a result of + the primary firmware image failing to start the system. + + +What: /sys/firmware/bootinfo/low_security_key +Date: Jan 2022 +Description: + Indicates the system's secure boot was verified with a low + security or development key. + +What: /sys/firmware/bootinfo/otp_protected +Date: Jan 2022 +Description: + Indicates the system's boot configuration region is write + protected and cannot be modified. + +What: /sys/firmware/bootinfo/uart_boot +Date: Jan 2022 +Description: + Indicates the system firmware was loaded from a UART instead of + an internal boot device. diff --git a/drivers/base/firmware.c b/drivers/base/firmware.c index 8dff940e0db9..2a6478aa178d 100644 --- a/drivers/base/firmware.c +++ b/drivers/base/firmware.c @@ -11,6 +11,7 @@ #include #include #include +#include =20 #include "base.h" =20 @@ -24,3 +25,16 @@ int __init firmware_init(void) return -ENOMEM; return 0; } + +/* + * Exposes attributes documented in Documentation/ABI/testing/sysfs-firmwa= re-bootinfo + */ +int __init firmware_bootinfo_init(const struct attribute_group *attr_group) +{ + struct kobject *kobj=3D kobject_create_and_add("bootinfo", firmware_kobj); + if (!kobj) + return -ENOMEM; + + return sysfs_create_group(kobj, attr_group); +} +EXPORT_SYMBOL_GPL(firmware_bootinfo_init); diff --git a/include/linux/firmware_bootinfo.h b/include/linux/firmware_boo= tinfo.h new file mode 100644 index 000000000000..581b68508ec8 --- /dev/null +++ b/include/linux/firmware_bootinfo.h @@ -0,0 +1,8 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +// Copyright 2022 IBM Corp + +#include +#include + +int __init firmware_bootinfo_init(const struct attribute_group *attr_group= ); + --=20 2.34.1 From nobody Mon Jun 29 23:25:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0ED54C433F5 for ; Tue, 1 Feb 2022 05:05:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233522AbiBAFFU (ORCPT ); Tue, 1 Feb 2022 00:05:20 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38868 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231557AbiBAFFS (ORCPT ); Tue, 1 Feb 2022 00:05:18 -0500 Received: from mail-pg1-x52f.google.com (mail-pg1-x52f.google.com [IPv6:2607:f8b0:4864:20::52f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7835DC061714 for ; Mon, 31 Jan 2022 21:05:18 -0800 (PST) Received: by mail-pg1-x52f.google.com with SMTP id j10so14295557pgc.6 for ; Mon, 31 Jan 2022 21:05:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=KXZhXqP+hJTCEG0KLlnHSrSIKRsgu3yP6iR8K2/utRA=; b=cRTGOvUdVQ3VIpJHalZf12OyJMEycgkXop8Rx0kknHVuzOdzJ2MXCo9u3nKKw2GrGc PEZn8o0Xmseg8Zi1sphhHK9O1fd2s2IUN7UO/nY3Y6bqDFX6NtEZmqZqdGHdp9N9jKP6 i+Ls2/GRKXaFoYQvFXD5B/7aDkp7c4HzJh9a6tgunLySRbuB/xpwoXxxxCHaR4MUiktY 7dWUuETtJHy4bRiu1RRvaKHfEohjO18GsM2onAPSIa61wk0j7+GRgNzUcHVB/W2Wqd+i dSfoGiGC/iL8duI2rEPqjZyAV6AZMhm6L5zSoTyi5zdY0koHTXepGDEhtdQTUsrnsfxo MW0Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=KXZhXqP+hJTCEG0KLlnHSrSIKRsgu3yP6iR8K2/utRA=; b=IOVfSoS9K1Eek+yg1Jcpn6BwwbxS0wFop6N2pRoz5qhkHdxbJVlbT5xq505bFF0yPr WKWg/GybvB2K9rLB5P9WSjmhNPr4E8oMmSrh3LyTT9CxlW9Q50xUL2cyYnXaBTNSmXo2 McRdAmacdceWhb+jEpTOncy7pyAJpiD6a0AQsv7zDTJ4jCPwIvWX/KxPQO0pLGBOt3FW BJakw6bxPaLwflPVy06dAoPkqVB4oDnrcX7MthugSf+sGeTUSVfLx2naD+xJdvz/Tjrb YYulY6homJ/ysM9/pYbnuDjFQY/0Wqktov8ku3/tRP0uUc0erE9G5R+FJl8OIPMM8PcQ pOoQ== X-Gm-Message-State: AOAM532hCctRXC/vKd/EtMzsqDevrl9lbp/UolSBfJn9WN9XBO7gJjLa foisgmc28jYsE5Au9chTpj/B1hpPZF2vHA== X-Google-Smtp-Source: ABdhPJyyiAnlj0jVqXEFutCAzEC/wZnZT8ZEHQEjaUAnr+6+PlrOSxgyRqfRvqoQBuDLXDpcscM7Lw== X-Received: by 2002:aa7:88c9:: with SMTP id k9mr23203828pff.58.1643691917941; Mon, 31 Jan 2022 21:05:17 -0800 (PST) Received: from voyager.lan ([45.124.203.14]) by smtp.gmail.com with ESMTPSA id u37sm6181991pga.2.2022.01.31.21.05.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 31 Jan 2022 21:05:17 -0800 (PST) Sender: "joel.stan@gmail.com" From: Joel Stanley To: Arnd Bergmann , Andrew Jeffery , Greg Kroah-Hartman , "Rafael J . Wysocki" Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-aspeed@lists.ozlabs.org, Ryan Chen Subject: [PATCH 2/2] ARM: aspeed: Add secure boot controller support Date: Tue, 1 Feb 2022 15:35:01 +1030 Message-Id: <20220201050501.182961-3-joel@jms.id.au> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220201050501.182961-1-joel@jms.id.au> References: <20220201050501.182961-1-joel@jms.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" This reads out the status of the secure boot controller and exposes it in sysfs using the bootinfo sysfs api. An example on a AST2600A3 QEMU model: # grep -r . /sys/firmware/bootinfo/* /sys/firmware/bootinfo/abr_image:0 /sys/firmware/bootinfo/low_security_key:0 /sys/firmware/bootinfo/otp_protected:0 /sys/firmware/bootinfo/secure_boot:1 /sys/firmware/bootinfo/uart_boot:0 On boot the state of the system according to the secure boot controller will be printed: [ 0.037634] AST2600 secure boot enabled or [ 0.037935] AST2600 secure boot disabled The initialisation is changed from early_initcall to subsys_initcall because we need the firmware_kobj to be initialised, and because there's no requirement to print this information early. Signed-off-by: Joel Stanley Reviewed-by: Ryan Chen --- drivers/soc/aspeed/aspeed-socinfo.c | 84 ++++++++++++++++++++++++++++- 1 file changed, 83 insertions(+), 1 deletion(-) diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspee= d-socinfo.c index 1ca140356a08..fe77b31e4d1d 100644 --- a/drivers/soc/aspeed/aspeed-socinfo.c +++ b/drivers/soc/aspeed/aspeed-socinfo.c @@ -8,6 +8,9 @@ #include #include #include +#include + +static u32 security_status; =20 static struct { const char *name; @@ -74,6 +77,83 @@ static const char *siliconid_to_rev(u32 siliconid) return "??"; } =20 +#define SEC_STATUS 0x14 +#define ABR_IMAGE_SOURCE BIT(13) +#define OTP_PROTECTED BIT(8) +#define LOW_SEC_KEY BIT(7) +#define SECURE_BOOT BIT(6) +#define UART_BOOT BIT(5) + +static ssize_t abr_image_show(struct device *dev, struct device_attribute = *attr, char *buf) +{ + return sprintf(buf, "%d\n", !!(security_status & ABR_IMAGE_SOURCE)); +} +static DEVICE_ATTR_RO(abr_image); + +static ssize_t low_security_key_show(struct device *dev, struct device_att= ribute *attr, char *buf) +{ + return sprintf(buf, "%d\n", !!(security_status & LOW_SEC_KEY)); +} +static DEVICE_ATTR_RO(low_security_key); + +static ssize_t otp_protected_show(struct device *dev, struct device_attrib= ute *attr, char *buf) +{ + return sprintf(buf, "%d\n", !!(security_status & OTP_PROTECTED)); +} +static DEVICE_ATTR_RO(otp_protected); + +static ssize_t secure_boot_show(struct device *dev, struct device_attribut= e *attr, char *buf) +{ + return sprintf(buf, "%d\n", !!(security_status & SECURE_BOOT)); +} +static DEVICE_ATTR_RO(secure_boot); + +static ssize_t uart_boot_show(struct device *dev, struct device_attribute = *attr, char *buf) +{ + /* Invert the bit, as 1 is boot from SPI/eMMC */ + return sprintf(buf, "%d\n", !(security_status & UART_BOOT)); +} +static DEVICE_ATTR_RO(uart_boot); + +static struct attribute *aspeed_attrs[] =3D { + &dev_attr_abr_image.attr, + &dev_attr_low_security_key.attr, + &dev_attr_otp_protected.attr, + &dev_attr_secure_boot.attr, + &dev_attr_uart_boot.attr, + NULL, +}; +ATTRIBUTE_GROUPS(aspeed); + +static int __init aspeed_bootinfo_init(void) +{ + struct device_node *np; + void __iomem *base; + + /* AST2600 only */ + np =3D of_find_compatible_node(NULL, NULL, "aspeed,ast2600-sbc"); + if (!of_device_is_available(np)) + return -ENODEV; + + base =3D of_iomap(np, 0); + if (!base) { + of_node_put(np); + return -ENODEV; + } + + security_status =3D readl(base + SEC_STATUS); + + iounmap(base); + of_node_put(np); + + firmware_bootinfo_init(aspeed_groups[0]); + + pr_info("AST2600 secure boot %s\n", + (security_status & SECURE_BOOT) ? "enabled" : "disabled"); + + return 0; +} + static int __init aspeed_socinfo_init(void) { struct soc_device_attribute *attrs; @@ -148,6 +228,8 @@ static int __init aspeed_socinfo_init(void) attrs->revision, attrs->soc_id); =20 + aspeed_bootinfo_init(); + return 0; } -early_initcall(aspeed_socinfo_init); +subsys_initcall(aspeed_socinfo_init); --=20 2.34.1