author | Claudio Carvalho <cclaudio@linux.vnet.ibm.com> | 2017-12-09 02:52:19 -0200 |
---|---|---|
committer | Stewart Smith <stewart@linux.vnet.ibm.com> | 2017-12-18 21:30:57 -0600 |
commit | 3ab91fbec937830f184108a244795a2e05cb275c (patch) | |
tree | b98fb42fb1d4d72cc88c669a9bef4a1cf19c4131 /libstb/cvc.c | |
parent | 060ff18d4ddcfb87e9aa31fc5eadaf4318bca9bb (diff) | |
libstb/secureboot.c: import sb_verify() from stb.c
This imports the sb_verify() function from stb.c, but now it calls the
CVC verify wrapper in order to verify signed firmware images. The
hw-key-hash and hw-key-hash-size initialized in secureboot.c are passed
to the CVC verify function wrapper.
In secureboot.c, the sb_verify() is renamed to secureboot_verify(). The
sb_verify() calls are updated in a subsequent patch.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Diffstat (limited to 'libstb/cvc.c')
-rw-r--r-- | libstb/cvc.c | 44 |
1 files changed, 43 insertions, 1 deletions
diff --git a/libstb/cvc.c b/libstb/cvc.c
index 86d292d..96c48f4 100644
--- a/libstb/cvc.c
+++ b/libstb/cvc.c
@@ -20,12 +20,20 @@
 #include <skiboot.h>
 #include <string.h>
+#include <opal-api.h>
 #include <chip.h>
 #include <xscom.h>
 #include <inttypes.h>
 #include "secureboot.h"
 #include "cvc.h"
+/*
+ * Assembly interfaces to call into the Container Verification Code.
+ * func_ptr: CVC base address + offset
+ */
+ROM_response __cvc_verify_v1(void *func_ptr, ROM_container_raw *container,
+ ROM_hw_params *params);
+
 struct container_verification_code {
 uint64_t start_addr;
 uint64_t end_addr;
@@ -189,6 +197,40 @@ int cvc_init(void)
 __func__);
 return -1;
 }
-
 return rc;
 }
+
+int call_cvc_verify(void *container, size_t len, const void *hw_key_hash,
+ size_t hw_key_hash_size, uint64_t *log)
+{
+ ROM_hw_params hw_params;
+ ROM_response rc;
+ struct cvc_service *service;
+
+ if (!container || len < SECURE_BOOT_HEADERS_SIZE ||
+ !hw_key_hash || hw_key_hash_size <= 0)
+ return OPAL_PARAMETER;
+
+ service = cvc_find_service(CVC_VERIFY_SERVICE);
+
+ if (!service)
+ return OPAL_UNSUPPORTED;
+
+ memset(&hw_params, 0, sizeof(ROM_hw_params));
+ memcpy(&hw_params.hw_key_hash, hw_key_hash, hw_key_hash_size);
+
+ if (service->version == 1)
+ rc = __cvc_verify_v1((void*) service->addr,
+ (ROM_container_raw*) container,
+ &hw_params);
+ else
+ return OPAL_UNSUPPORTED;
+
+ if (log)
+ *log = hw_params.log;
+
+ if (rc != ROM_DONE)
+ return OPAL_PARTIAL;
+
+ return OPAL_SUCCESS;
+}
|
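Review bot: In call_cvc_verify(), `memcpy(&hw_params.hw_key_hash, hw_key_hash, hw_key_hash_size)` copies a caller-supplied length into a field of the stack-allocated `hw_params` with no upper bound. The only check on that length is `hw_key_hash_size <= 0`, which for a `size_t` is just a test for zero. ROM_hw_params is defined outside this hunk, so the field size is not visible here, but a guard such as `if (hw_key_hash_size > sizeof(hw_params.hw_key_hash)) return OPAL_PARAMETER;` before the copy would keep an oversized value from overwriting the rest of the struct and the stack in the secure-boot verification path. A size smaller than the field leaves the hash zero-padded by the preceding memset, so it is worth deciding whether only an exact match should be accepted. Separately, `len` is checked against SECURE_BOOT_HEADERS_SIZE but is not passed to `__cvc_verify_v1`, so a comment such as `/* len only guarantees the headers are present; the CVC derives the payload size from the container header */` (if that is indeed the contract) would tell callers what the length check does and does not cover.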