Skip to content

IBM/libstb-secvar

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

70 Commits

.github/workflows

.github/workflows

 
 

external

external

 
 

include

include

 
 

src

src

 
 

test

test

 
 

.gitignore

.gitignore

 
 

CMakeLists.txt

CMakeLists.txt

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

Repository files navigation

libstb-secvar

Linux on Power LPAR Secure Boot Authenticated Variable Processing Library

What is libstb-secvar

This library makes it easier to process data from variable authentication files and to update variables' data in the platform keystore with a timestamp. It is supporting the following 9 predefined secure boot variables and an arbitrary variables.

Secure Boot Variables:

  1. PK
  2. KEK
  3. db
  4. dbx
  5. grubdb
  6. grubdbx
  7. sbat
  8. moduledb
  9. trustedcadb

Moreover, it makes it easier to update and append variables, delete variables using PK, and delete keys using KEK.

Metadata for Auth file

Variables auth file is generated by secvarct tool, which will be pushed by user to platform keystore. Also, providing that a variable update with no data (with the append Header zero) represents deletion of the variable.

The auth file data format is:

            |-----------------------------------|
            |                                   |
            |          Append Header            |
            |           (8 bytes)               |
            |-----------------------------------|
            |                                   |
            |          Auth Info                |
            |                                   |
            |   |-------------------------------|
            |   |      Auth Header              |
            |   |       (40 byte)               |
            |   |-------------------------------|
            |   |      PKCS7 data               |
            |---|-------------------------------|
            |                                   |
            |          Variable Info            |
            |                                   |
            |   |-------------------------------|
            |   |     ESL Header                |
            |   |      (44 byte)                |
            |   |-------------------------------|
            |   |      ESL Data                 |
            |-----------------------------------|

Metadata for signed variables at Platform Keystore

Variables have replay/rollback protection via a timestamp which is stored with the variable. It will be used by firmware and grub to verify the signed grub and kernel respectively.

The signed variable format is:

            |-----------------------------------|
            |                                   |
            |            timesatamp             |
            |            (8 bytes)              |
            |-----------------------------------|
            |                                   |
            |            Variable Data          |
            |   |-------------------------------|
            |   |      ESL Datas                |
            |-----------------------------------|

Quick Start

Build:
    cd libstb-secvar
    make

UnitTest:
    make test
    make check

Note:-
   after building libstb-secvar, the library file is placed in the lib directory.

   libstb-secvar/lib

Copyright

All code in this repository is Copyright IBM, and provided under the BSD 2-Clause license, with the exception of code included in the external/ directory. Externally sourced source files have their respective licenses provided in the containing directory.

About

Linux on Power LPAR Secure Boot Authenticated Variable Processing Library

Resources

Readme

License

BSD-2-Clause license
Activity
Custom properties

Stars

0 stars

Watchers

7 watching

Forks

4 forks
Report repository

Releases

1 tags

Packages

No packages published

Contributors 5

Languages