diff options
author | Claudio Carvalho <cclaudio@linux.vnet.ibm.com> | 2017-12-09 02:52:20 -0200 |
---|---|---|
committer | Stewart Smith <stewart@linux.vnet.ibm.com> | 2017-12-18 21:30:57 -0600 |
commit | 3281d5a41a825fce5b935e8929971a8847611fc8 (patch) | |
tree | 893cae01d52a909e18a8911c375b562f7acdc2c4 /libstb/cvc.h | |
parent | 3ab91fbec937830f184108a244795a2e05cb275c (diff) | |
download | skiboot-3281d5a41a825fce5b935e8929971a8847611fc8.zip skiboot-3281d5a41a825fce5b935e8929971a8847611fc8.tar.gz skiboot-3281d5a41a825fce5b935e8929971a8847611fc8.tar.bz2 |
libstb/trustedboot.c: import tb_measure() from stb.c
This imports tb_measure() from stb.c, but now it calls the CVC sha512
wrapper to calculate the sha512 hash of the firmware image provided.
In trustedboot.c, the tb_measure() is renamed to trustedboot_measure().
The new function, trustedboot_measure(), no longer checks if the
container payload hash calculated at boot time matches with the hash
found in the container header. A few reasons:
- If the system admin wants the container header to be
checked/validated, the secure boot jumper must be set. Otherwise,
the container header information may not be reliable.
- The container layout is expected to change over time. Skiboot
would need to maintain a parser for each container layout
change.
- Skiboot could be checking the hash against a container version that
is not supported by the Container-Verification-Code (CVC).
The tb_measure() calls are updated to trustedboot_measure() in a
subsequent patch.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Diffstat (limited to 'libstb/cvc.h')
-rw-r--r-- | libstb/cvc.h | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/libstb/cvc.h b/libstb/cvc.h index 14e8cd2..13c1b33 100644 --- a/libstb/cvc.h +++ b/libstb/cvc.h @@ -44,4 +44,17 @@ int cvc_init(void); int call_cvc_verify(void *buf, size_t size, const void *hw_key_hash, size_t hw_key_hash_size, uint64_t *log); +/* + * call_cvc_sha512 - Call the CVC-sha512 service to calculate a sha512 hash. + * + * @data - buffer that has data to be hashed + * @data_len - number of bytes from @data to be considered in the hash + * calculation + * @digest - buffer to store the calculated hash + * @digest_size - number of bytes allocated for @digest + * + */ +int call_cvc_sha512(const uint8_t *data, size_t data_len, uint8_t *digest, + size_t digest_size); + #endif /* __CVC_H */ |