diff options
| author | Stewart Smith <stewart@linux.vnet.ibm.com> | 2016-11-17 19:33:59 +1100 |
|---|---|---|
| committer | Stewart Smith <stewart@linux.vnet.ibm.com> | 2016-11-24 16:47:16 +1100 |
| commit | 833b1e6bb2aef485226f8bc48ec1b45c422b2152 (patch) | |
| tree | b5c1a063c60566f509c501e84af882bcbefdff05 /libstb | |
| parent | f5d14f81b51f38c47aa565979c626706888f8434 (diff) | |
| download | skiboot-833b1e6bb2aef485226f8bc48ec1b45c422b2152.zip skiboot-833b1e6bb2aef485226f8bc48ec1b45c422b2152.tar.gz skiboot-833b1e6bb2aef485226f8bc48ec1b45c422b2152.tar.bz2 | |
stb: create-container and wrap skiboot in Secure/Trusted Boot container
We produce **UNSIGNED** skiboot.lid.stb and skiboot.lid.xz.stb as build
artifacts
These are suitable blobs for flashing onto Trusted Boot enabled op-build
builds *WITH* the secure boot jumpers *ON* (i.e. *NOT* in secure mode).
It's just enough of the Secure and Trusted Boot container format to
make Hostboot behave.
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Tested-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Diffstat (limited to 'libstb')
| -rw-r--r-- | libstb/Makefile.inc | 4 | ||||
| -rw-r--r-- | libstb/create-container.c | 118 |
2 files changed, 122 insertions, 0 deletions
diff --git a/libstb/Makefile.inc b/libstb/Makefile.inc index 337b9e4..68d9dc8 100644 --- a/libstb/Makefile.inc +++ b/libstb/Makefile.inc @@ -12,3 +12,7 @@ include $(SRC)/$(LIBSTB_DIR)/drivers/Makefile.inc include $(SRC)/$(LIBSTB_DIR)/tss/Makefile.inc $(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) + +libstb/create-container: libstb/create-container.c + $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) \ + -Wpadded -O0 -g -I$(SRC) -I$(SRC)/include -o $@ $<,$<) diff --git a/libstb/create-container.c b/libstb/create-container.c new file mode 100644 index 0000000..b7ec175 --- /dev/null +++ b/libstb/create-container.c @@ -0,0 +1,118 @@ +/* Copyright 2013-2016 IBM Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <config.h> + +#include <stdbool.h> +#include <types.h> +#include "container.h" + +#include <stdio.h> +#include <stdlib.h> +#include <getopt.h> +#include <unistd.h> +#include <string.h> +#include <errno.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/mman.h> +#include <fcntl.h> +#include <assert.h> + +int main(int argc, char* argv[]) +{ + int fdin, fdout; + void *container = malloc(SECURE_BOOT_HEADERS_SIZE); + struct stat s; + char *buf = malloc(4096); + off_t l; + void *infile; + int r; + ROM_container_raw *c = (ROM_container_raw*)container; + ROM_prefix_header_raw *ph; + ROM_prefix_data_raw *pd; + ROM_sw_header_raw *swh; + + memset(container, 0, SECURE_BOOT_HEADERS_SIZE); + + if (argc<3) + return -1; + + fdin = open(argv[1], O_RDONLY); + assert(fdin > 0); + r = fstat(fdin, &s); + assert(r==0); + infile = mmap(NULL, s.st_size, PROT_READ, 0, fdin, 0); + assert(infile); + fdout = open(argv[2], O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + assert(fdout > 0); + + c->magic_number = cpu_to_be32(ROM_MAGIC_NUMBER); + c->version = 1; + c->container_size = cpu_to_be64(SECURE_BOOT_HEADERS_SIZE + s.st_size); + c->target_hrmor = 0; + c->stack_pointer = 0; + memset(c->hw_pkey_a, 0, sizeof(ecc_key_t)); + memset(c->hw_pkey_b, 0, sizeof(ecc_key_t)); + memset(c->hw_pkey_c, 0, sizeof(ecc_key_t)); + + ph = container + sizeof(ROM_container_raw); + ph->ver_alg.version = cpu_to_be16(1); + ph->ver_alg.hash_alg = 1; + ph->ver_alg.sig_alg = 1; + ph->code_start_offset = 0; + ph->reserved = 0; + ph->flags = 0; + ph->sw_key_count = 1; // 1, not 0. Because Hostboot + memset(ph->payload_hash, 0, sizeof(sha2_hash_t)); // TODO + ph->ecid_count = 0; + + pd = (ROM_prefix_data_raw*)ph->ecid; + memset(pd->hw_sig_a, 0, sizeof(ecc_signature_t)); + memset(pd->hw_sig_b, 0, sizeof(ecc_signature_t)); + memset(pd->hw_sig_c, 0, sizeof(ecc_signature_t)); + memset(pd->sw_pkey_p, 0, sizeof(ecc_key_t)); + memset(pd->sw_pkey_q, 0, sizeof(ecc_key_t)); + memset(pd->sw_pkey_r, 0, sizeof(ecc_key_t)); + ph->payload_size = cpu_to_be64(sizeof(ecc_signature_t)*3 + ph->sw_key_count * sizeof(ecc_key_t)); + + swh = (ROM_sw_header_raw*)(((void*)pd) + be64_to_cpu(ph->payload_size)); + swh->ver_alg.version = cpu_to_be16(1); + swh->ver_alg.hash_alg = 1; + swh->ver_alg.sig_alg = 1; + swh->code_start_offset = 0; + swh->reserved = 0; + swh->flags = 0; + swh->reserved_0 = 0; + swh->payload_size = cpu_to_be64(s.st_size); + + r = write(fdout, container, SECURE_BOOT_HEADERS_SIZE); + assert(r == 4096); + read(fdin, buf, s.st_size%4096); + write(fdout, buf, s.st_size%4096); + l = s.st_size - s.st_size%4096; + while (l) { + read(fdin, buf, 4096); + write(fdout, buf, 4096); + l-=4096; + }; + close(fdin); + close(fdout); + + free(container); + free(buf); + return 0; +} |