diff options
author | Stewart Smith <stewart@linux.ibm.com> | 2019-07-29 11:44:29 +1000 |
---|---|---|
committer | Oliver O'Halloran <oohall@gmail.com> | 2019-11-27 11:27:48 +1100 |
commit | 700476617cb790604a29d1f16a3a6ec30668507c (patch) | |
tree | afe05a2c6a0ad2a89950283df6f020ff4b355a85 /external | |
parent | 12610da1bacf3578849eefe8f8d70cc289f4b87a (diff) | |
download | skiboot-700476617cb790604a29d1f16a3a6ec30668507c.zip skiboot-700476617cb790604a29d1f16a3a6ec30668507c.tar.gz skiboot-700476617cb790604a29d1f16a3a6ec30668507c.tar.bz2 |
mambo: enable use of real Container Verification Code
Make skiboot.tcl able to load and use a CVC blob from a real system.
This code comes from the src/securerom/ code in Hostboot.
we now use this in the sreset_world and hello_world test cases when we
do a secure boot run of them
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
[oliver: folded cvc.bin into this patch, misc fixes]
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Diffstat (limited to 'external')
-rw-r--r-- | external/mambo/README.md | 11 | ||||
-rw-r--r-- | external/mambo/cvc.bin | bin | 0 -> 9984 bytes | |||
-rw-r--r-- | external/mambo/skiboot.tcl | 57 |
3 files changed, 67 insertions, 1 deletions
diff --git a/external/mambo/README.md b/external/mambo/README.md index 0390cc0..06a0f31 100644 --- a/external/mambo/README.md +++ b/external/mambo/README.md @@ -53,6 +53,17 @@ export SKIBOOT=$HOME/src/skiboot/skiboot.lid export SKIBOOT_AUTORUN=1 ``` +### Using Real Container Verification Code for Secure Boot + +The CVC code dump is from a real machine, and the code is from the Hostboot +project (see src/securerom). We just include the dump here for testing +purposes. + +``` +export SKIBOOT_CVC_CODE=$HOME/src/skiboot/external/mambo/cvc.bin +export SKIBOOT_ENABLE_MAMBO_STB=1 +``` + ### Run the simulator ``` /opt/ibm/systemsim-p8/run/pegasus/power8 -f $HOME/src/skiboot/external/mambo/skiboot.tcl diff --git a/external/mambo/cvc.bin b/external/mambo/cvc.bin Binary files differnew file mode 100644 index 0000000..8d4c7e7 --- /dev/null +++ b/external/mambo/cvc.bin diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl index 82209ad..f03ea4f 100644 --- a/external/mambo/skiboot.tcl +++ b/external/mambo/skiboot.tcl @@ -336,6 +336,34 @@ mysim of addprop $reserved_memory int "#size-cells" 2 mysim of addprop $reserved_memory int "#address-cells" 2 mysim of addprop $reserved_memory empty "ranges" "" +set cvc_code_start [expr $fake_nvram_start + $fake_nvram_size] +set cvc_code_end $cvc_code_start +set cvc_code_size 0 + +if { [info exists env(SKIBOOT_CVC_CODE)] } { + set cvc_file $env(SKIBOOT_CVC_CODE) + + set cvc_code_size [file size $cvc_file] + mysim mcm 0 memory fread $cvc_code_start $cvc_code_size $cvc_file + set cvc_code_end [expr $cvc_code_start + $cvc_code_size] + + # Set up Device Tree for Container Verification Code + set hb [mysim of addchild $root_node "ibm,hostboot" ""] + set hb_reserved_memory [mysim of addchild $hb "reserved-memory" ""] + mysim of addprop $hb_reserved_memory int "#address-cells" 2 + mysim of addprop $hb_reserved_memory int "#size-cells" 2 + + set hb_cvc_code_node [mysim of addchild $hb_reserved_memory "ibm,secure-crypt-algo-code" [format %x $cvc_code_start]] + set reg [list $cvc_code_start $cvc_code_size] + mysim of addprop $hb_cvc_code_node array64 "reg" reg + mysim of addprop $hb_cvc_code_node empty "name" "ibm,secure-crypt-algo-code" + + set cvc_code_node [mysim of addchild $reserved_memory "ibm,secure-crypt-algo-code" [format %x $cvc_code_start]] + set reg [list $cvc_code_start $cvc_code_size] + mysim of addprop $cvc_code_node array64 "reg" reg + mysim of addprop $cvc_code_node empty "name" "ibm,secure-crypt-algo-code" +} + set initramfs_res [mysim of addchild $reserved_memory "initramfs" ""] set reg [list $cpio_start $cpio_size ] mysim of addprop $initramfs_res array64 "reg" reg @@ -578,10 +606,18 @@ mconfig enable_stb SKIBOOT_ENABLE_MAMBO_STB 0 if { [info exists env(SKIBOOT_ENABLE_MAMBO_STB)] } { set stb_node [ mysim of addchild $root_node "ibm,secureboot" "" ] - mysim of addprop $stb_node string "compatible" "ibm,secureboot-v1-softrom" + + # For P8 we still use the softrom emulation + if { $default_config == "PEGASUS" || ! [info exists env(SKIBOOT_CVC_CODE)] } { + mysim of addprop $stb_node string "compatible" "ibm,secureboot-v1-softrom" + } else { + # on P9 we can use the real CVC + mysim of addprop $stb_node string "compatible" "ibm,secureboot-v2" + } # mysim of addprop $stb_node string "secure-enabled" "" mysim of addprop $stb_node string "trusted-enabled" "" mysim of addprop $stb_node string "hash-algo" "sha512" + mysim of addprop $stb_node int "hw-key-hash-size" 64 set hw_key_hash {} lappend hw_key_hash 0x40d487ff lappend hw_key_hash 0x7380ed6a @@ -600,6 +636,25 @@ if { [info exists env(SKIBOOT_ENABLE_MAMBO_STB)] } { lappend hw_key_hash 0xfb708535 lappend hw_key_hash 0x1d01d6d1 mysim of addprop $stb_node array "hw-key-hash" hw_key_hash + + if { $default_config != "PEGASUS" && [info exists env(SKIBOOT_CVC_CODE)] } { + set cvc_node [ mysim of addchild $stb_node "ibm,cvc" "" ] + mysim of addprop $cvc_node string "compatible" "ibm,container-verification-code" + mysim of addprop $cvc_node int "memory-region" $hb_cvc_code_node + + # I'm sure hardcoding these addresses will *never* cause us a problem... + set sha_node [ mysim of addchild $cvc_node "ibm,cvc-service" [format %x 0x40]] + mysim of addprop $sha_node string "name" "ibm,cvc-service" + mysim of addprop $sha_node string "compatible" "ibm,cvc-sha512" + mysim of addprop $sha_node int "reg" 0x40 + mysim of addprop $sha_node int "version" 1 + + set verify_node [ mysim of addchild $cvc_node "ibm,cvc-service" [format %x 0x50]] + mysim of addprop $verify_node string "name" "ibm,cvc-service" + mysim of addprop $verify_node string "compatible" "ibm,cvc-verify" + mysim of addprop $verify_node int "reg" 0x50 + mysim of addprop $verify_node int "version" 1 + } } # Kernel command line args, appended to any from the device tree |