diff options
author | Claudio Carvalho <cclaudio@linux.vnet.ibm.com> | 2017-12-09 02:52:20 -0200 |
---|---|---|
committer | Stewart Smith <stewart@linux.vnet.ibm.com> | 2017-12-18 21:30:57 -0600 |
commit | 3281d5a41a825fce5b935e8929971a8847611fc8 (patch) | |
tree | 893cae01d52a909e18a8911c375b562f7acdc2c4 /libstb/trustedboot.h | |
parent | 3ab91fbec937830f184108a244795a2e05cb275c (diff) | |
download | skiboot-3281d5a41a825fce5b935e8929971a8847611fc8.zip skiboot-3281d5a41a825fce5b935e8929971a8847611fc8.tar.gz skiboot-3281d5a41a825fce5b935e8929971a8847611fc8.tar.bz2 |
libstb/trustedboot.c: import tb_measure() from stb.c
This imports tb_measure() from stb.c, but now it calls the CVC sha512
wrapper to calculate the sha512 hash of the firmware image provided.
In trustedboot.c, the tb_measure() is renamed to trustedboot_measure().
The new function, trustedboot_measure(), no longer checks if the
container payload hash calculated at boot time matches with the hash
found in the container header. A few reasons:
- If the system admin wants the container header to be
checked/validated, the secure boot jumper must be set. Otherwise,
the container header information may not be reliable.
- The container layout is expected to change over time. Skiboot
would need to maintain a parser for each container layout
change.
- Skiboot could be checking the hash against a container version that
is not supported by the Container-Verification-Code (CVC).
The tb_measure() calls are updated to trustedboot_measure() in a
subsequent patch.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Diffstat (limited to 'libstb/trustedboot.h')
-rw-r--r-- | libstb/trustedboot.h | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/libstb/trustedboot.h b/libstb/trustedboot.h index 4597514..bd5ac91 100644 --- a/libstb/trustedboot.h +++ b/libstb/trustedboot.h @@ -17,6 +17,24 @@ #ifndef __TRUSTEDBOOT_H #define __TRUSTEDBOOT_H +#include <platform.h> + void trustedboot_init(void); +/** + * trustedboot_measure - measure a resource + * @id : resource id + * @buf : data to be measured + * @len : buf length + * + * This measures a resource downloaded from PNOR if trusted mode is on. That is, + * an EV_ACTION event is recorded in the event log for the mapped PCR, and the + * the sha1 and sha256 measurements are extended in the mapped PCR. + * + * For more information please refer to 'doc/stb.rst' + * + * returns: 0 or an error as defined in status_codes.h + */ +int trustedboot_measure(enum resource_id id, void *buf, size_t len); + #endif /* __TRUSTEDBOOT_H */ |