Diffstat (limited to 'libstb')
-rw-r--r-- | libstb/cvc.c | 16 | ||||
-rw-r--r-- | libstb/secureboot.c | 5 | ||||
-rw-r--r-- | libstb/secureboot.h | 1 |
3 files changed, 21 insertions, 1 deletions
diff --git a/libstb/cvc.c b/libstb/cvc.c
index b0f5cd3..fd1f607 100644
--- a/libstb/cvc.c
+++ b/libstb/cvc.c
@@ -26,6 +26,7 @@
 #include <inttypes.h>
 #include "secureboot.h"
 #include "cvc.h"
+#include "mbedtls/sha512.h"
 /*
 * Assembly interfaces to call into the Container Verification Code.
@@ -43,6 +44,7 @@ struct container_verification_code {
 };
 static struct container_verification_code *cvc = NULL;
+static bool softrom = false;
 static void *secure_rom_mem = NULL;
 struct cvc_service {
@@ -194,6 +196,8 @@ int cvc_init(void)
 if (version == IBM_SECUREBOOT_V1 && proc_gen == proc_gen_p8) {
 rc = cvc_secure_rom_init();
+ } else if (version == IBM_SECUREBOOT_SOFTROM) {
+ softrom = true;
 } else {
 prlog(PR_ERR, "%s FAILED. /ibm,secureboot not supported\n", __func__);
@@ -214,6 +218,15 @@ int call_cvc_sha512(const uint8_t *data, size_t data_len, uint8_t *digest,
 return OPAL_SUCCESS;
 memset(digest, 0, SHA512_DIGEST_LENGTH);
+ if (softrom) {
+ mbedtls_sha512_context ctx;
+ mbedtls_sha512_init(&ctx);
+ mbedtls_sha512_starts(&ctx, 0); // SHA512 = 0
+ mbedtls_sha512_update(&ctx, data, data_len);
+ mbedtls_sha512_finish(&ctx, digest);
+ mbedtls_sha512_free(&ctx);
+ return OPAL_SUCCESS;
+ }
 service = cvc_find_service(CVC_SHA512_SERVICE);
@@ -239,6 +252,9 @@ int call_cvc_verify(void *container, size_t len, const void *hw_key_hash,
 !hw_key_hash || hw_key_hash_size <= 0)
 return OPAL_PARAMETER;
+ if (softrom)
+ return OPAL_UNSUPPORTED;
+
 service = cvc_find_service(CVC_VERIFY_SERVICE);
 if (!service)
diff --git a/libstb/secureboot.c b/libstb/secureboot.c
index 2787951..953b123 100644
--- a/libstb/secureboot.c
+++ b/libstb/secureboot.c
@@ -34,6 +34,7 @@ static struct {
 const char *compat;
 } secureboot_map[] = {
 { IBM_SECUREBOOT_V1, "ibm,secureboot-v1" },
+ { IBM_SECUREBOOT_SOFTROM, "ibm,secureboot-v1-softrom" },
 };
 static void secureboot_enforce(void)
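Review bot: The softrom branch added to call_cvc_sha512 discards the results of `mbedtls_sha512_starts`, `mbedtls_sha512_update` and `mbedtls_sha512_finish` and then returns OPAL_SUCCESS unconditionally, so if the mbedtls in tree is a version where these return int (mbedtls 3.x, or the `_ret` variants in 2.x), a failed step would leave the all-zero digest written by the preceding memset in place while reporting success to the caller. If that is the case here, each call should be checked and a failure should free the context and return an OPAL error code rather than OPAL_SUCCESS. The trailing `// SHA512 = 0` explains the literal only to someone who knows the mbedtls signature; `/* is384 = 0: SHA-512, not SHA-384 */` names the parameter it selects. call_cvc_sha512 begins and ends outside the hunk, so the early `return OPAL_SUCCESS;` above the memset cannot be reviewed from here.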
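Review bot: `if (softrom) return OPAL_UNSUPPORTED;` in call_cvc_verify means a container is neither verified nor rejected in softrom mode, so whether an `ibm,secureboot-v1-softrom` device tree node weakens secure-mode enforcement now rests entirely on how every caller of call_cvc_verify treats OPAL_UNSUPPORTED, which this diff does not show. A comment above the check stating the contract, e.g. `/* softrom has no verification service; callers must not treat this as a pass */`, keeps that decision visible at the point where it is made. The cvc_init hunk selects softrom silently next to a branch that logs at PR_ERR when a version is unsupported; a `prlog(PR_WARNING, "%s: softrom mode, container verification unavailable\n", __func__);` beside `softrom = true;` would make the degraded mode visible in the boot log. call_cvc_verify's body continues past the hunk.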
@@ -112,7 +113,9 @@ void secureboot_init(void)
 if (!secure_mode)
 return;
- if (version == IBM_SECUREBOOT_V1) {
+ if (version == IBM_SECUREBOOT_V1 ||
+ version == IBM_SECUREBOOT_SOFTROM) {
+
 hash_algo = dt_prop_get(node, "hash-algo");
 if (strcmp(hash_algo, "sha512")) {
 /**
diff --git a/libstb/secureboot.h b/libstb/secureboot.h
index ea97ed7..8506ea0 100644
--- a/libstb/secureboot.h
+++ b/libstb/secureboot.h
@@ -24,6 +24,7 @@ enum secureboot_version {
 IBM_SECUREBOOT_V1,
+ IBM_SECUREBOOT_SOFTROM,
 };
 bool secureboot_is_compatible(struct dt_node *node, int *version, const char **compat);
|
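Review bot: The third added line in the secureboot_init hunk is an empty `+` line directly after the `{` of the new two-line condition, leaving a blank line at the top of the if body, which is unusual next to the rest of the block; drop it so the body starts directly with `hash_algo = dt_prop_get(node, "hash-algo");`. Nothing else in the hunk changes behaviour beyond accepting IBM_SECUREBOOT_SOFTROM on the same hash-algo check as V1. secureboot_init continues outside the hunk.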