diff options
| author | Stewart Smith <stewart@linux.vnet.ibm.com> | 2017-12-13 19:38:33 +1100 |
|---|---|---|
| committer | Stewart Smith <stewart@linux.vnet.ibm.com> | 2017-12-20 08:54:07 +1100 |
| commit | 1ddf7e51936f82a5ba8b6145962fbc278d591cde (patch) | |
| tree | 7d4f1c369f80b72395a7d23f9b647905761bacb6 | |
| parent | 6e05c6f21b34f9c4f6597ace36dfca9624c7923c (diff) | |
| download | skiboot-1ddf7e51936f82a5ba8b6145962fbc278d591cde.zip skiboot-1ddf7e51936f82a5ba8b6145962fbc278d591cde.tar.gz skiboot-1ddf7e51936f82a5ba8b6145962fbc278d591cde.tar.bz2 | |
Mambo: run hello_world and sreset_world tests with Secure and Trusted Boot
We *disable* the secure boot part, but we keep the verified boot
part as we don't currently have container verification code for Mambo.
We can run a small part of the code currently though.
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
| -rw-r--r-- | core/init.c | 15 | ||||
| -rw-r--r-- | external/mambo/skiboot.tcl | 2 | ||||
| -rw-r--r-- | opal-ci/Dockerfile-centos7 | 2 | ||||
| -rw-r--r-- | opal-ci/Dockerfile-fedora24 | 2 | ||||
| -rw-r--r-- | test/hello_world/Makefile.check | 24 | ||||
| -rwxr-xr-x | test/hello_world/run_mambo_hello_world.sh | 7 | ||||
| -rwxr-xr-x | test/hello_world/run_mambo_p9_hello_world.sh | 7 | ||||
| -rw-r--r-- | test/sreset_world/Makefile.check | 16 | ||||
| -rwxr-xr-x | test/sreset_world/run_mambo_p9_sreset.sh | 6 | ||||
| -rwxr-xr-x | test/sreset_world/run_mambo_sreset.sh | 7 |
10 files changed, 75 insertions, 13 deletions
diff --git a/core/init.c b/core/init.c index 0405f5c..ec9f329 100644 --- a/core/init.c +++ b/core/init.c @@ -342,6 +342,7 @@ bool start_preload_kernel(void) static bool load_kernel(void) { + void *stb_container = NULL; struct elf_hdr *kh; int loaded; @@ -390,9 +391,10 @@ static bool load_kernel(void) /* Hack for STB in Mambo, assume at least 4kb in mem */ kernel_size = SECURE_BOOT_HEADERS_SIZE; } - if (stb_is_container(KERNEL_LOAD_BASE, kernel_size)) + if (stb_is_container(KERNEL_LOAD_BASE, kernel_size)) { + stb_container = KERNEL_LOAD_BASE; kh = (struct elf_hdr *) (KERNEL_LOAD_BASE + SECURE_BOOT_HEADERS_SIZE); - else + } else kh = (struct elf_hdr *) (KERNEL_LOAD_BASE); } @@ -417,6 +419,15 @@ static bool load_kernel(void) return false; } + if (chip_quirk(QUIRK_MAMBO_CALLOUTS)) { + secureboot_verify(RESOURCE_ID_KERNEL, + stb_container, + SECURE_BOOT_HEADERS_SIZE + kernel_size); + trustedboot_measure(RESOURCE_ID_KERNEL, + stb_container, + SECURE_BOOT_HEADERS_SIZE + kernel_size); + } + trustedboot_exit_boot_services(); return true; diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl index abceb74..38298bf 100644 --- a/external/mambo/skiboot.tcl +++ b/external/mambo/skiboot.tcl @@ -437,7 +437,7 @@ mconfig enable_stb SKIBOOT_ENABLE_MAMBO_STB 0 if { [info exists env(SKIBOOT_ENABLE_MAMBO_STB)] } { set stb_node [ mysim of addchild $root_node "ibm,secureboot" "" ] mysim of addprop $stb_node string "compatible" "ibm,secureboot-v1-softrom" - mysim of addprop $stb_node string "secure-enabled" "" +# mysim of addprop $stb_node string "secure-enabled" "" mysim of addprop $stb_node string "trusted-enabled" "" mysim of addprop $stb_node string "hash-algo" "sha512" set hw_key_hash {} diff --git a/opal-ci/Dockerfile-centos7 b/opal-ci/Dockerfile-centos7 index d30d129..7fd8c6c 100644 --- a/opal-ci/Dockerfile-centos7 +++ b/opal-ci/Dockerfile-centos7 @@ -1,6 +1,6 @@ FROM centos:7 RUN yum -y update && yum clean all -RUN yum -y install wget curl xterm gcc git xz make diffutils findutils expect valgrind valgrind-devel ccache dtc openssl-devel +RUN yum -y install wget curl xterm gcc git xz make diffutils findutils expect valgrind valgrind-devel ccache dtc openssl-devel openssl RUN wget https://www.kernel.org/pub/tools/crosstool/files/bin/x86_64/4.8.0/x86_64-gcc-4.8.0-nolibc_powerpc64-linux.tar.xz RUN mkdir /opt/cross RUN tar -C /opt/cross -xf x86_64-gcc-4.8.0-nolibc_powerpc64-linux.tar.xz diff --git a/opal-ci/Dockerfile-fedora24 b/opal-ci/Dockerfile-fedora24 index b601208..06e1b0f 100644 --- a/opal-ci/Dockerfile-fedora24 +++ b/opal-ci/Dockerfile-fedora24 @@ -1,5 +1,5 @@ FROM fedora:24 -RUN dnf -y install wget curl xterm gcc git xz make diffutils findutils expect valgrind valgrind-devel ccache dtc openssl-devel +RUN dnf -y install wget curl xterm gcc git xz make diffutils findutils expect valgrind valgrind-devel ccache dtc openssl-devel openssl RUN dnf -y install gcc-powerpc64-linux-gnu RUN dnf -y install http://public.dhe.ibm.com/software/server/powerfuncsim/p9/packages/v1.1-0/systemsim-p9-1.1-0.f22.x86_64.rpm COPY . /build/ diff --git a/test/hello_world/Makefile.check b/test/hello_world/Makefile.check index 10f48cc..e791ea7 100644 --- a/test/hello_world/Makefile.check +++ b/test/hello_world/Makefile.check @@ -1,4 +1,5 @@ HELLO_WORLD_TEST := test/hello_world/hello_kernel/hello_kernel +HELLO_WORLD_STB_TEST := test/hello_world/hello_kernel/hello_kernel.stb .PHONY: hello_world-tests hello_world-tests: $(HELLO_WORLD_TEST:%=%-check-smt-mambo) @@ -7,6 +8,11 @@ hello_world-tests: $(HELLO_WORLD_TEST:%=%-check-mambo) hello_world-tests: $(HELLO_WORLD_TEST:%=%-check-p9-mambo) hello_world-tests: $(HELLO_WORLD_TEST:%=%-check-qemu) +hello_world-tests: $(HELLO_WORLD_STB_TEST:%=%-check-stb-smt-mambo) +hello_world-tests: $(HELLO_WORLD_STB_TEST:%=%-check-stb-smt-p9-mambo) +hello_world-tests: $(HELLO_WORLD_STB_TEST:%=%-check-stb-mambo) +hello_world-tests: $(HELLO_WORLD_STB_TEST:%=%-check-stb-p9-mambo) + boot-tests: hello_world-tests check: hello_world-tests @@ -22,6 +28,21 @@ $(HELLO_WORLD_TEST:%=%-check-mambo): %-check-mambo: % skiboot.lid $(HELLO_WORLD_TEST:%=%-check-p9-mambo): %-check-p9-mambo: % skiboot.lid $(call Q , BOOT TEST , ./test/hello_world/run_mambo_p9_hello_world.sh, $@) +# and now, with secure and trusted boot: +$(HELLO_WORLD_STB_TEST:%=%-check-stb-smt-mambo): %-check-stb-smt-mambo: % skiboot.lid.stb + $(call Q , BOOT TEST , SKIBOOT_ENABLE_MAMBO_STB=1 THREADS=2 ./test/hello_world/run_mambo_hello_world.sh , $@) + +$(HELLO_WORLD_STB_TEST:%=%-check-stb-smt-p9-mambo): %-check-stb-smt-p9-mambo: % skiboot.lid.stb + $(call Q , BOOT TEST , SKIBOOT_ENABLE_MAMBO_STB=1 THREADS=2 ./test/hello_world/run_mambo_p9_hello_world.sh , $@) + +$(HELLO_WORLD_STB_TEST:%=%-check-stb-mambo): %-check-stb-mambo: % skiboot.lid.stb + $(call Q , BOOT TEST , SKIBOOT_ENABLE_MAMBO_STB=1 ./test/hello_world/run_mambo_hello_world.sh, $@) + +$(HELLO_WORLD_STB_TEST:%=%-check-stb-p9-mambo): %-check-stb-p9-mambo: % skiboot.lid.stb + $(call Q , BOOT TEST , SKIBOOT_ENABLE_MAMBO_STB=1 ./test/hello_world/run_mambo_p9_hello_world.sh, $@) + +# qemu + $(HELLO_WORLD_TEST:%=%-check-qemu): %-check-qemu: % skiboot.lid $(call Q , BOOT TEST , ./test/hello_world/run_qemu_hello_world.sh, $@) @@ -35,6 +56,9 @@ hello_kernel_LDFLAGS=-m64 -Wl,--build-id=none -T test/hello_world/hello_kernel/h test/hello_world/hello_kernel/hello_kernel: test/hello_world/hello_kernel/hello_kernel.o $(call Q,LD, $(CC) $(hello_kernel_LDFLAGS) -o $@ $^ , $@) +test/hello_world/hello_kernel/hello_kernel.stb: test/hello_world/hello_kernel/hello_kernel libstb/create-container + $(call Q,STB-DEVELOPMENT-SIGNED-CONTAINER,$(SRC)/libstb/sign-with-local-keys.sh $< $@ $(SRC)/libstb/keys/,$@) + clean: hello_world-test-clean hello_world-test-clean: diff --git a/test/hello_world/run_mambo_hello_world.sh b/test/hello_world/run_mambo_hello_world.sh index 5bb92bc..13112d0 100755 --- a/test/hello_world/run_mambo_hello_world.sh +++ b/test/hello_world/run_mambo_hello_world.sh @@ -24,8 +24,11 @@ if [ ! `command -v expect` ]; then exit 0; fi - -export SKIBOOT_ZIMAGE=`pwd`/test/hello_world/hello_kernel/hello_kernel +if [ -n "$SKIBOOT_ENABLE_MAMBO_STB" ]; then + export SKIBOOT_ZIMAGE=`pwd`/test/hello_world/hello_kernel/hello_kernel.stb +else + export SKIBOOT_ZIMAGE=`pwd`/test/hello_world/hello_kernel/hello_kernel +fi # Currently getting some core dumps from mambo, so disable them! OLD_ULIMIT_C=`ulimit -c` diff --git a/test/hello_world/run_mambo_p9_hello_world.sh b/test/hello_world/run_mambo_p9_hello_world.sh index 022c71e..f8b0dae 100755 --- a/test/hello_world/run_mambo_p9_hello_world.sh +++ b/test/hello_world/run_mambo_p9_hello_world.sh @@ -23,8 +23,11 @@ if [ ! `command -v expect` ]; then exit 0; fi - -export SKIBOOT_ZIMAGE=`pwd`/test/hello_world/hello_kernel/hello_kernel +if [ -n "$SKIBOOT_ENABLE_MAMBO_STB" ]; then + export SKIBOOT_ZIMAGE=`pwd`/test/hello_world/hello_kernel/hello_kernel.stb +else + export SKIBOOT_ZIMAGE=`pwd`/test/hello_world/hello_kernel/hello_kernel +fi # Currently getting some core dumps from mambo, so disable them! OLD_ULIMIT_C=`ulimit -c` diff --git a/test/sreset_world/Makefile.check b/test/sreset_world/Makefile.check index 02e03f3..289af8d 100644 --- a/test/sreset_world/Makefile.check +++ b/test/sreset_world/Makefile.check @@ -1,10 +1,14 @@ -SRESET_WORLD_TEST := test/sreset_world/sreset_kernel/sreset_kernel +SRESET_WORLD_TEST := test/sreset_world/sreset_kernel/sreset_kernel.stb +SRESET_WORLD_STB_TEST := test/sreset_world/sreset_kernel/sreset_kernel.stb .PHONY: sreset_world-tests # We only do the SMT tests as we don't do OPAL re-entry sreset_world-tests: $(SRESET_WORLD_TEST:%=%-check-smt-mambo) sreset_world-tests: $(SRESET_WORLD_TEST:%=%-check-smt-p9-mambo) +sreset_world-tests: $(SRESET_WORLD_STB_TEST:%=%-check-stb-smt-mambo) +sreset_world-tests: $(SRESET_WORLD_STB_TEST:%=%-check-stb-smt-p9-mambo) + boot-tests: sreset_world-tests check: sreset_world-tests @@ -14,6 +18,12 @@ $(SRESET_WORLD_TEST:%=%-check-smt-mambo): %-check-smt-mambo: % skiboot.lid $(SRESET_WORLD_TEST:%=%-check-smt-p9-mambo): %-check-smt-p9-mambo: % skiboot.lid $(call Q , BOOT TEST , THREADS=2 ./test/sreset_world/run_mambo_p9_sreset.sh , $@) +$(SRESET_WORLD_STB_TEST:%=%-check-stb-smt-mambo): %-check-stb-smt-mambo: % skiboot.lid.stb + $(call Q , BOOT TEST , SKIBOOT_ENABLE_MAMBO_STB=1 THREADS=2 ./test/sreset_world/run_mambo_sreset.sh , $@) + +$(SRESET_WORLD_STB_TEST:%=%-check-stb-smt-p9-mambo): %-check-stb-smt-p9-mambo: % skiboot.lid.stb + $(call Q , BOOT TEST , SKIBOOT_ENABLE_MAMBO_STB=1 THREADS=2 ./test/sreset_world/run_mambo_p9_sreset.sh , $@) + test/sreset_world/sreset_kernel/sreset_kernel.o: test/sreset_world/sreset_kernel/sreset_kernel.S test/sreset_world/sreset_kernel/sreset_kernel.ld $(call Q,CC, $(CC) -mbig-endian -m64 -c -MMD -o $@ $< ,$@) @@ -24,6 +34,10 @@ sreset_kernel_LDFLAGS=-m64 -Wl,--build-id=none -T test/sreset_world/sreset_kerne test/sreset_world/sreset_kernel/sreset_kernel: test/sreset_world/sreset_kernel/sreset_kernel.o $(call Q,LD, $(CC) $(sreset_kernel_LDFLAGS) -o $@ $^ , $@) +test/sreset_world/sreset_kernel/sreset_kernel.stb: test/sreset_world/sreset_kernel/sreset_kernel libstb/create-container + $(call Q,STB-DEVELOPMENT-SIGNED-CONTAINER,$(SRC)/libstb/sign-with-local-keys.sh $< $@ $(SRC)/libstb/keys/,$@) + + clean: sreset_world-test-clean sreset_world-test-clean: diff --git a/test/sreset_world/run_mambo_p9_sreset.sh b/test/sreset_world/run_mambo_p9_sreset.sh index 2d0d51a..9f61f1e 100755 --- a/test/sreset_world/run_mambo_p9_sreset.sh +++ b/test/sreset_world/run_mambo_p9_sreset.sh @@ -23,7 +23,11 @@ if [ ! `command -v expect` ]; then exit 0; fi -export SKIBOOT_ZIMAGE=`pwd`/test/sreset_world/sreset_kernel/sreset_kernel +if [ -n "$SKIBOOT_ENABLE_MAMBO_STB" ]; then + export SKIBOOT_ZIMAGE=`pwd`/test/sreset_world/sreset_kernel/sreset_kernel.stb +else + export SKIBOOT_ZIMAGE=`pwd`/test/sreset_world/sreset_kernel/sreset_kernel +fi # Currently getting some core dumps from mambo, so disable them! OLD_ULIMIT_C=`ulimit -c` diff --git a/test/sreset_world/run_mambo_sreset.sh b/test/sreset_world/run_mambo_sreset.sh index 281c466..10c7224 100755 --- a/test/sreset_world/run_mambo_sreset.sh +++ b/test/sreset_world/run_mambo_sreset.sh @@ -24,8 +24,11 @@ if [ ! `command -v expect` ]; then exit 0; fi - -export SKIBOOT_ZIMAGE=`pwd`/test/sreset_world/sreset_kernel/sreset_kernel +if [ -n "$SKIBOOT_ENABLE_MAMBO_STB" ]; then + export SKIBOOT_ZIMAGE=`pwd`/test/sreset_world/sreset_kernel/sreset_kernel.stb +else + export SKIBOOT_ZIMAGE=`pwd`/test/sreset_world/sreset_kernel/sreset_kernel +fi # Currently getting some core dumps from mambo, so disable them! OLD_ULIMIT_C=`ulimit -c` |