| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
In secure boot enabled systems, the petitboot linux kernel verifies the
OS kernel against x509 certificates that are wrapped in secure variables
controlled by OPAL. These secure variables are stored in the PNOR SECBOOT
partition, as well as the updates submitted for them using userspace
tools.
This patch adds read and write support to the PNOR SECBOOT partition in
a similar fashion to that of NVRAM, so that OPAL can handle the secure
variables.
Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
|
|
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
|
|
Reported-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
|
|
Instead of manually prepending each message with 'FLASH: ' use pr_fmt.
Note the messages tagged with 'FLASH_NVRAM' are now tagged with 'FLASH:
NVRAM :' instead.
Signed-off-by: Jordan Niethe <jniethe5@gmail.com>
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
|
|
Currently we don't check if the secure boot payload size fits within
the partition that we are reading it from. This results in strange
failures later on in boot if we cross the boundary between an ECCed
and a non-ECCed partition since libflash does not support reading
from regions with mixed ECC status.
Without this patch:
blocklevel_read: Can't cope with partial ecc
FLASH: failed to read content size 15728640 BOOTKERNEL partition, rc 3
With:
FLASH: Cannot load BOOTKERNEL. Content is larger than the partition
Cc: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Acked-by: Stewart Smith <stewart@flamingspork.com>
|
|
During boot SBE and early hostboot does not use HIOMAP protocol to get image
from PNOR. Instead it expects PNOR TOC and Hostboot Boot Loader to be
available at particular address in LPC bus. mbox daemon in BMC side takes
care of this during normal boot. Once boot is complete mbox daemon switches
to normal mode.
During normal reboot, BMC side mbox daemon gets notification and takes care of
loading PNOR TOC and HBBL to LPC bus again.
In MPIPL path, OPAL calls SBE S0 interrupt to initiate MPIPL. BMC will not be
aware of this. But SBE expects PNOR TOC and HBBL to be available in LPC bus at
predefined address. Hence call HIOMAP Reset from OPAL in assert path.
This needs working LPC and IPMI driver in OPAL. If we have issue in these
drivers then we may not be able to reset BMC MBOX properly. Hence MPIPL may
fail. We have to live with this until we find a way to intiate BMC on MPIPL.
CC: Andrew Jeffery <andrew@aj.id.au>
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
[oliver: rebased]
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
|
|
Use Software Package Data Exchange (SPDX) to indicate license for each
file that is unique to skiboot.
At the same time, ensure the (C) who and years are correct.
See https://spdx.org/
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
[oliver: Added a few missing files]
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
|
|
FFS partitions don't always align on erase blocks. Mark any paritions
not known to align on erase blocks as read only to prevent silent corruption
of adjacent partitions during erase / write from the host.
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
This makes it possible for the host to directly address each
partition without requiring each application to directly parse
the FFS headers. This has been in use for some time already to
allow BOOTKERNFW partition updates from the host.
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
We would like to successfully boot if we have a dependency on the BMC
for flash even if the BMC is not current ready to service flash
requests. On the assumption that it will become ready, retry for several
minutes to cover a BMC reboot cycle and *eventually* rather than
*immediately* crash out with:
[ 269.549748] reboot: Restarting system
[ 390.297462587,5] OPAL: Reboot request...
[ 390.297737995,5] RESET: Initiating fast reboot 1...
[ 391.074707590,5] Clearing unused memory:
[ 391.075198880,5] PCI: Clearing all devices...
[ 391.075201618,7] Clearing region 201ffe000000-201fff800000
[ 391.086235699,5] PCI: Resetting PHBs and training links...
[ 391.254089525,3] FFS: Error 17 reading flash header
[ 391.254159668,3] FLASH: Can't open ffs handle: 17
[ 392.307245135,5] PCI: Probing slots...
[ 392.363723191,5] PCI Summary:
...
[ 393.423255262,5] OCC: All Chip Rdy after 0 ms
[ 393.453092828,5] INIT: Starting kernel at 0x20000000, fdt at
0x30800a88 390645 bytes
[ 393.453202605,0] FATAL: Kernel is zeros, can't execute!
[ 393.453247064,0] Assert fail: core/init.c:593:0
[ 393.453289682,0] Aborting!
CPU 0040 Backtrace:
S: 0000000031e03ca0 R: 000000003001af60 ._abort+0x4c
S: 0000000031e03d20 R: 000000003001afdc .assert_fail+0x34
S: 0000000031e03da0 R: 00000000300146d8 .load_and_boot_kernel+0xb30
S: 0000000031e03e70 R: 0000000030026cf0 .fast_reboot_entry+0x39c
S: 0000000031e03f00 R: 0000000030002a4c fast_reset_entry+0x2c
--- OPAL boot ---
The OPAL flash API hooks directly into the blocklevel layer, so there's
no delay for e.g. the host kernel, just for asynchronously loaded
resources during boot.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
Implement a standard API for decompressing images using the existing
method found in the IMC code. This patch also standardizes error codes
and does the decompression asynchronously.
The IMC decompress() function is refactored to decompress blobs/images
as a separate CPU job. 'xz_decompress_start()' starts the decompression
in a newly created CPU job; while 'wait_xz_decompress()' waits for the
job to complete.
The IMC code will be first user for the new APIs; whose implementation
is provided as reference in the next patch.
Signed-off-by: Santosh Sivaraj <santosh@fossix.org>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
Also make it possible to use with afl-lop/afl-fuzz just to help make
*sure* we're all good.
Additionally, if we hit a entry in VERSION that is larger than our
buffer size, we skip over it gracefully rather than overwriting the
stack. This is only a problem if VERSION isn't trusted, which as of
4b8cc05a94513816d43fb8bd6178896b430af08f it is verified as part of
Secure Boot.
CC: stable # v5.9+
Fixes: 9727fe384b8685270d344201f7e051475eea3a0b
[stewart: fix up include ordering for building on centos7]
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
Knowing the return code is at least better than not knowing the return
code.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
This reverts commit f835684365273c5ff1b7c700ddc0f9c1a859363f.
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
These were caught with unmapped memory dereference page faults.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
The Skiboot version can include a "skiboot-" prefix if built with
something like Buildroot. The property being compared against won't
include this so ignore it.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
This ensures progress when we don't have interrupts available for IPMI.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
Previously in flash_register() held flash_lock across ffs_init(), which
calls through the blocklevel layer to read the flash. This is unhelpful
with the IPMI HIOMAP protocol transport as LPC interrupts have not yet
been enabled and we are relying on polling to progress. The held lock
stalls the boot as we take the nopoll path in time_wait() while
completing ipmi_queue_msg_sync() in libflash/ipmi-flash.c
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
Seeing as all the VERSION signing code is taking way too long to get
upstream, let's temporarily skip verifying VERSION for now.
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
A few things need to change to support a signed VERSION partition:
- A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE (4K).
- The VERSION partition needs to be loaded after secure/trusted boot is
set up, and therefore after nvram_init().
- Added to the trustedboot resources array.
This also moves the ipmi_dt_add_bmc_info() call to after
flash_dt_add_fw_version() since it adds info to ibm,firmware-versions.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
op-build commit 736a08b996e292a449c4996edb264011dfe56a40
added hcode to the VERSION partition, let's parse it out
and let the user know.
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
Skiboot does not calculate the actual size and start location of the
initramfs if it is wrapped by an STB container (for example if loading
an initramfs from the ROOTFS partition).
Check if the initramfs is in an STB container and determine the size and
location correctly in the same manner as the kernel. Since
load_initramfs() is called after load_kernel() move the call to
trustedboot_exit_boot_services() into load_and_boot_kernel() so it is
called after both of these.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
The blocklevel abstraction allows for regions of the backing store to be
marked as ECC protected so that blocklevel can decode/encode the ECC
bytes into the buffer automatically without the caller having to be ECC
aware.
Unfortunately this abstraction is far from perfect, this is only useful
if reads and writes are performed at the start of the ECC region or in
some circumstances at an ECC aligned position - which requires the
caller be aware of the ECC regions.
The problem that has arisen is that the blocklevel abstraction is
initialised somewhere but when it is later called the caller is unaware
if ECC exists in the region it wants to arbitrarily read and write to.
This should not have been a problem since blocklevel knows. Currently
misaligned reads will fail ECC checks and misaligned writes will
overwrite ECC bytes and the backing store will become corrupted.
This patch add the smarts to blocklevel_read() and blocklevel_write() to
cope with the problem. Note that ECC can always be bypassed by calling
blocklevel_raw_() functions.
All this work means that the gard tool can can safely call
blocklevel_read() and blocklevel_write() and as long as the blocklevel
knows of the presence of ECC then it will deal with all cases.
This also commit removes code in the gard tool which compensated for
inadequacies no longer present in blocklevel.
Signed-off-by: Cyril Bur <cyril.bur@au1.ibm.com>
Tested-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
[stewart: core/flash: Adapt to new libflash ECC API
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
First line of VERSION section in PNOR contains firmware version.
Use that to add "version" property under firmware versions dt node.
Sample output:
--------------
root@xxx2:/proc/device-tree/ibm,firmware-versions# lsprop
version "witherspoon-ibm-OP9_v1.19_1.94"
....
...
Suggested-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
List of libstb calls that were superseded:
sb_verify() -> secureboot_verify()
tb_measure() -> trustedboot_measure()
stb_final() -> trustedboot_exit_boot_services()
stb_init() -> secureboot_init() and trustedboot_init()
The new functions are supported in both P8 and P9.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This adds the flash_map_resource_name() to allow skiboot subsystems to
lookup the name of a PNOR partition. Thus, we don't need to duplicate
the same information in other places (e.g. libstb).
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
When loading a flash resource which isn't signed (secure and trusted
boot) and which doesn't have a subpartition, we assume it's the
BOOTKERNEL since previously this was the only such resource. Thus we
also assumed it had an ELF header which we parsed to get the size of the
partition rather than trusting the actual_size field in the FFS header.
A previous commit (9727fe3 DT: Add ibm,firmware-versions node) added the
version resource which isn't signed and also doesn't have a subpartition,
thus we expect it to have an ELF header. It doesn't so we print the
error message "FLASH: Invalid ELF header part VERSION".
It is a fluke that this works currently since we load the secure boot
header unconditionally and this happen to be the same size as the
version partition. We also don't update the return code on error so
happen to return OPAL_SUCCESS.
To make this explicitly correct; only check for an ELF header if we are
loading the BOOTKERNEL resource, otherwise use the partition size from
the FFS header. Also set the return code on error so we don't
erroneously return OPAL_SUCCESS. Add a check that the resource will fit
in the supplied buffer to prevent buffer overrun.
Fixes: 9727fe3 (DT: Add ibm,firmware-versions node)
Reported-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
The mbox protocol explicitly states that an erase is not required
before a write. This means that issuing an erase from userspace,
through the mtd device, and back returns a successful operation
that does nothing. Unfortunately, this makes userspace tools unhappy.
Linux MTD devices support the MTD_NO_ERASE flag which conveys that
writes do not require erases on the underlying flash devices. We
should set this property on all of our
devices which do not require erases to be performed.
NOTE: This still requires a linux kernel component to set the
MTD_NO_ERASE flag from the device tree property.
Signed-off-by: William A. Kennington III <wak@google.com>
Reviewed-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
[stewart@linux.vnet.ibm.com: slightly reword commit msg based on Suraj's comments]
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
In P8, hostboot provides mini device tree. It contains /ibm,firmware-versions
node which has various firmware component version details.
In P9, OPAL is building device tree. This patch adds support to parse VERSION
section of PNOR and create "/ibm,firmware-versions" device tree node.
Sample output:
/sys/firmware/devicetree/base/ibm,firmware-versions # lsprop .
occ "6a00709"
skiboot "v5.7-rc1-p344fb62"
buildroot "2017.02.2-7-g23118ce"
capp-ucode "9c73e9f"
petitboot "v1.4.3-p98b6d83"
sbe "02021c6"
open-power "witherspoon-v1.17-128-gf1b53c7-dirty"
....
....
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Signed-off-by: Mukesh Ojha <mukesh02@linux.vnet.ibm.com>
Reviewed-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
According to Coverity:
le16_to_cpu(elf64->e_shnum) is promoted in
`le16_to_cpu(elf64->e_shentsize) * le16_to_cpu(elf64->e_shnum)`
to type int (32 bits, signed), then sign-extended to type
unsigned long long (64 bits, unsigned).
If `le16_to_cpu(elf64->e_shentsize) * le16_to_cpu(elf64->e_shnum)`
is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
I'm sure in practice this can't happen since this would require
either/or e_shnum and e_shentsize to be quite large.
Fixes: CID 138019, 137707, 137706, 137708
Signed-off-by: Cyril Bur <cyril.bur@au1.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
IMC (In Memory Collection) catalog is a repository of information
about the Performance Monitoring Units (PMUs) and their events under
the IMC infrastructure. The information include :
- The PMU names
- Event names
- Event description
- Event offsets
- Event scale
- Event unit
The catalog is provided as a flattened device tree (dtb). Processors
with different PVR values may have different PMU or event names. Hence,
for each processor, there can be multiple device tree binaries (dtbs)
containing the IMC information. Each of the dtb is compressed and forms
a sub-partition inside the PNOR partition "IMA_CATALOG". Here is a link
to the commit adding this partition to PNOR :
https://github.com/open-power/pnor/commit/c940142c6dc64dd176096dc648f433c889919e84
So, each compressed dtb forms a sub-partition inside the IMC pnor
partition and can be accessed/loaded through a sub-partition id which
is nothing but the PVR id. Based on the current processor's PVR, the
appropriate sub-partion will be loaded.
Note however, that the catalog information is in the form of a dtb and
the dtb is compressed too. So, the sub-partition loaded must be
decompressed first before we can actually use it.
It is important to mention here that while a PNOR image built for one
processor is specific to only that processor and isn't portable, a
single system generation (Processor version) may have multiple revisions
and these revisions may have some changes in their IMC PMUs and events,
and hence, the need for multiple IMC DTBs.
The sub-partition that we obtain from the IMC pnor partition is a
compressed device tree binary. We uncompress it using the libxz's
functions. After uncompressing it, we link the device tree binary to the
system's device tree. The kernel can now access the device tree and get
the IMC PMUs and their events' information.
Not all the IMC PMUs listed in the device tree may be available. This is
indicated by imc availability vector (which is a part of the IMC control
block structure). We need to check this vector and make sure to remove
the IMC device nodes which are unavailable.
Signed-off-by: Hemant Kumar <hemant@linux.vnet.ibm.com>
Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
[stewart@linux.vnet.ibm.com: use pr_fmt, fix failure path for resource load]
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
These OPAL calls are exposing the host flash chip to linux as a flash
device. The host is expected to understand that it is raw flash and use
it appropriately, it isn't skiboots place to strip ecc bytes or perform
erase before writes.
Over the course of other developments blocklevel has gotten quite clever
but in this case the cleverness is inappropriate.
Fixes: https://github.com/open-power/skiboot/issues/44
Signed-off-by: Cyril Bur <cyril.bur@au1.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Resource loading uses the flash calls directly which works on hardware
as the blocklevel abstraction was initialised with a flash structure. On
platforms such as mambo the blocklevel abstraction was initialised with
the bogusdisk structure so calling the flash calls directly results in
following uninitialised function pointers off into lala land.
Functionality is preserved as the blocklevel is told if a flash
partition is ECC protected during the call to ffs_init().
Signed-off-by: Cyril Bur <cyril.bur@au1.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
We always verify and measure an image as a whole, never its subpartition
(if exists).
This removes the subid argument from sb_verify() and tb_measure()
functions, and also reflects the change to the callers, STB interface
and STB documentation.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This just do some line breaking in the flash_load_resource() function.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
[stewart@linux.vnet.ibm.com: reword commit message]
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This fixes the previous reverts of loading the CAPP partition with
STB headers (which broke CAPP partitions without STB headers).
The new logic fixes both CAPP partition loading with STB headers *and*
addresses a long standing bug due to differing interpretations of FFS.
The f_part utility that *constructs* PNOR files just sets actualSize=totalSize
no matter on what the size of the partition is. Prior to this patch,
skiboot would always load actualSize, leading to longer than needed IPL.
The pflash utility updates actualSize, so no developer has really ever
noticed this, apart from maybe an inkling that it's odd that a freshly
baked PNOR from op-build takes ever so slightly longer to boot than one
that has had individual partitions pflashed in.
With this patch, we now compute actualSize. For partitions with a STB
header, we take the payload size from the STB header. For partitions
that don't have a STB header, we compute the size either by parsing
the ELF header or by looking at the subpartition header and computing it.
We now need to read the entire partition for partitions with subpartitions
so that we pass consistent values to be measured as part of Trusted Boot.
As of this patch, the actualSize field in FFS is *not* relied on for
partition size, we determine it from the content of the partition.
However, this patch *will* break loading of partitions that are not ELF
and do not contain subpartitions. Luckily, nothing in-tree makes use of
that.
Fixes: f0a23e4fadcdc49f134e122fa134f183f2e172f7
Based-on-patch-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
From the subpartition structure, we have the ability to compute
the full partition size. Do that.
This lets us only read the amount of a subpartition that is valid
and needed to be read, rather than having to read the entire thing.
We continue the current behaviour of loading flash partitions though.
Based-on-patch-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
A unit test for parsing sub-partition info is useful for a number
of reasons, one of which showed its head during development of
secure/trusted boot.
This patch just moves things around, there's no functional changes.
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This reverts commit e1e6d009860d0ef60f9daf7a0fbe15f869516bd0.
Breaks DT enough that it makes people cranky, reverting for now
Reported-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
flash_read_corrected() assumes the passed blocklevel device is an
actual flash device. However the blocklevel flash abstraction supports
automatically reading ECC protected data so use that instead.
Signed-off-by: Alistair Popple <alistair@popple.id.au>
[Cyril added true to last param to ffs_init() in flash_register()]
[Cyril rebased onto 46c006f core/console: use char literals instead of
numeric]
Signed-off-by: Cyril Bur <cyril.bur@au1.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
If NVRAM has ECC (as per the ffs header) then the actual size of the
partition is less than reported by the ffs header in the PNOR then the
actual size of the partition is less than reported by the ffs header.
Signed-off-by: Cyril Bur <cyril.bur@au1.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This changes core/flash.c to verify and measure the downloaded PNOR
resource before it is returned to the caller.
sb_verify() and tb_measure() do nothing if libstb is not initialized
in the platform.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Currently, the CAPP lid has the TOC (4K) and one supartition (36K). For
secure boot we can either build one container for the TOC and another one for
the subpartition, or build one container for the whole CAPP partition.
We decided implement the second option.
The first option would require changes to the CAPP TOC layout in order to
correlate the TOC with the subpartitions. Besides that, the first option
also increases the boot time since we would need to verify and measure
the CAPP TOC.
This patch adds the flash_subpart_info function so the correct CAPP
subpartition can be selected also outside of the flash API.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
We are downloading 0x20000 bytes from PNOR for CAPP, but currently the
CAPP lid is only 40K.
This loads the actual partition size as opposed to the total partition
size.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This changes the boot ABI, so it's only active for P9 and later systems,
even though it's unrelated to hardware changes. There is an associated
Linux change to properly search for this node as well.
This change properly specifies #address-cells for the flash node, so we
can avoid DTC errors like:
device tree: Warning (reg_format): "reg" property in /ibm,opal/flash@0
has invalid length (8 bytes) (#address-cells == 0, #size-cells == 0)
Base on a patch from Cyril Bur
Signed-off-by: Jack Miller <jack@codezen.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
It appears the inital patch was incomplete and coverity has caught
more issues. The initial patch addressed one aspect of passing
pointers instead of values, actual function prototypes needed to be
changed and callers adjusted.
Fixes coverity 134277 and 134278
Fixes: 81a538a ("core/flash: Fix passing pointer instead of value")
Signed-off-by: Cyril Bur <cyril.bur@au1.ibm.com>
Reviewed-by: Mukesh Ojha <mukesh02@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
The current flash code was written with only one flash chip, which is
a system_flash (ie. the PNOR image), in mind.
Now that we have mambo bogusdisk flash, we can have many flash chips.
This is resulting in some confusing output messages.
This reworks some of the error paths and warnings to make this more
coherent when we have multiple flash chips.
We assume everything can be a system flash, so I've removed the
is_system_flash parameter from flash_register(). We'll use the first
system flash we find and warn if we find another since discovery order
is not a guaranteed API.
Signed-off-by: Michael Neuling <mikey@neuling.org>
Acked-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
The checks validate pointers sent in using
opal_addr_valid() in opal_call API's provided
via the console, cpu, fdt, flash, i2c, interrupts,
nvram, opal-msg, opal, opal-pci, xscom and
cec modules
Signed-off-by: Balbir Singh <bsingharora@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
