Documentation/ABI/testing/sysfs-secvar


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65

What:		/sys/firmware/secvar
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	This directory is created if the POWER firmware supports OS
		secureboot, thereby secure variables. It exposes interface
		for reading/writing the secure variables

What:		/sys/firmware/secvar/vars
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	This directory lists all the secure variables that are supported
		by the firmware.

What:		/sys/firmware/secvar/format
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	A string indicating which backend is in use by the firmware.
		This determines the format of the variable and the accepted
		format of variable updates.

		On powernv/OPAL, this value is provided by the OPAL firmware
		and is expected to be "ibm,edk2-compat-v1".

		On pseries/PLPKS, this is generated by the kernel based on the
		version number in the SB_VERSION variable in the keystore. The
		version numbering in the SB_VERSION variable starts from 1. The
		format string takes the form "ibm,plpks-sb-v<version>" in the
		case of dynamic key management mode. If the SB_VERSION variable
		does not exist (or there is an error while reading it), it takes
		the form "ibm,plpks-sb-v0", indicating that the key management
		mode is static.

What:		/sys/firmware/secvar/vars/<variable name>
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	Each secure variable is represented as a directory named as
		<variable_name>. The variable name is unique and is in ASCII
		representation. The data and size can be determined by reading
		their respective attribute files.

		Only secvars relevant to the key management mode are exposed.
		Only in the dynamic key management mode should the user have
		access (read and write) to the secure boot secvars db, dbx,
		grubdb, grubdbx, and sbat. These secvars are not consumed in the
		static key management mode. PK, trustedcadb and moduledb are the
		secvars common to both static and dynamic key management modes.

What:		/sys/firmware/secvar/vars/<variable_name>/size
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	An integer representation of the size of the content of the
		variable. In other words, it represents the size of the data.

What:		/sys/firmware/secvar/vars/<variable_name>/data
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	A read-only file containing the value of the variable. The size
		of the file represents the maximum size of the variable data.

What:		/sys/firmware/secvar/vars/<variable_name>/update
Date:		August 2019
Contact:	Nayna Jain <nayna@linux.ibm.com>
Description:	A write-only file that is used to submit the new value for the
		variable. The size of the file represents the maximum size of
		the variable data that can be written.