diff options
Diffstat (limited to 'libstb/secureboot.c')
-rw-r--r-- | libstb/secureboot.c | 52 |
1 files changed, 49 insertions, 3 deletions
diff --git a/libstb/secureboot.c b/libstb/secureboot.c index cdb6ea5..2787951 100644 --- a/libstb/secureboot.c +++ b/libstb/secureboot.c @@ -21,9 +21,9 @@ #include <skiboot.h> #include <device.h> #include <nvram.h> +#include <opal-api.h> +#include <inttypes.h> #include "secureboot.h" -#include "container.h" -#include "cvc.h" static const void* hw_key_hash = NULL; static size_t hw_key_hash_size; @@ -48,7 +48,7 @@ static void secureboot_enforce(void) * extra info to BMC other than just abort. Terminate Immediate * Attention ? (TI) */ - prlog(PR_EMERG, "enforcing secure mode ...\n"); + prlog(PR_EMERG, "secure mode enforced, aborting.\n"); abort(); } @@ -146,3 +146,49 @@ void secureboot_init(void) if (cvc_init()) secureboot_enforce(); } + +int secureboot_verify(enum resource_id id, void *buf, size_t len) +{ + const char *name; + uint64_t log; + int rc = -1; + + if (!secure_mode) + return 0; + + name = flash_map_resource_name(id); + if (!name) { + prlog(PR_EMERG, "container NOT VERIFIED, resource_id=%d " + "unknown\n", id); + secureboot_enforce(); + } + + rc = call_cvc_verify(buf, len, hw_key_hash, hw_key_hash_size, &log); + + if (rc == OPAL_SUCCESS) { + prlog(PR_INFO, "%s verified\n", name); + } else if (rc == OPAL_PARTIAL) { + /* + * The value returned in log indicates what checking has + * failed. Return codes defined in + * /hostboot/src/include/securerom/status_codes.H + */ + prlog(PR_EMERG, "%s verification FAILED. log=0x%" PRIx64 "\n", + name, be64_to_cpu(log)); + secureboot_enforce(); + } else if (rc == OPAL_PARAMETER) { + prlog(PR_EMERG, "%s NOT VERIFIED, invalid param. buf=%p, " + "len=%zd key-hash=%p hash-size=%zd\n", name, buf, len, + hw_key_hash, hw_key_hash_size); + secureboot_enforce(); + } else if (rc == OPAL_UNSUPPORTED) { + prlog(PR_EMERG, "%s NOT VERIFIED, CVC-verify service not " + "supported\n", name); + secureboot_enforce(); + } else { + prlog(PR_EMERG, "%s NOT VERIFIED, unknown CVC-verify error. " + "rc=%d\n", name, rc); + secureboot_enforce(); + } + return 0; +} |