libstb/trustedboot.c: import tb_measure() from stb.c

This imports tb_measure() from stb.c, but now it calls the CVC sha512
wrapper to calculate the sha512 hash of the firmware image provided.

In trustedboot.c, the tb_measure() is renamed to trustedboot_measure().

The new function, trustedboot_measure(), no longer checks if the
container payload hash calculated at boot time matches with the hash
found in the container header. A few reasons:
	- If the system admin wants the container header to be
	  checked/validated, the secure boot jumper must be set. Otherwise,
	  the container header information may not be reliable.
	- The container layout is expected to change over time. Skiboot
	  would need to maintain a parser for each container layout
	  change.
	- Skiboot could be checking the hash against a container version that
	  is not supported by the Container-Verification-Code (CVC).

The tb_measure() calls are updated to trustedboot_measure() in a
subsequent patch.

Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>

1 files changed, 18 insertions, 0 deletions

diff --git a/libstb/trustedboot.h b/libstb/trustedboot.h
index 4597514..bd5ac91 100644
--- a/libstb/trustedboot.h
+++ b/libstb/trustedboot.h
@@ -17,6 +17,24 @@
 #ifndef __TRUSTEDBOOT_H
 #define __TRUSTEDBOOT_H
 
+#include <platform.h>
+
 void trustedboot_init(void);
 
+/**
+ * trustedboot_measure - measure a resource
+ * @id    : resource id
+ * @buf   : data to be measured
+ * @len   : buf length
+ *
+ * This measures a resource downloaded from PNOR if trusted mode is on. That is,
+ * an EV_ACTION event is recorded in the event log for the mapped PCR, and the
+ * the sha1 and sha256 measurements are extended in the mapped PCR.
+ *
+ * For more information please refer to 'doc/stb.rst'
+ *
+ * returns: 0 or an error as defined in status_codes.h
+ */
+int trustedboot_measure(enum resource_id id, void *buf, size_t len);
+
 #endif /* __TRUSTEDBOOT_H */