path: root/libstb
Age | Commit message | Author | Files | Lines
2020-05-26 | libstb: Don't exit trustedboot services multiple times | Mauro S. M. Rodrigues | 1 | -2/+7
For the very specific scenario when the fast-reboot is used, we see multiple error messages regarding the trustedboot measurements not being done. The way fast-reboot works is performing just fundamental operations, like PCI initialization, to get skiboot into good shape to boot kernel, and later the host's Kernel. That means fast-reboot contains data structures filled since last full reboot. In this process trustedboot is not re-initialized, but it still tries to perform the STB measurements and event logging done in trustedboot_exit_services, showing multiple failure messages. This patch avoids that situation by returning earlier and logging that trustedboot already exited. If eventually something changes and trustedboot gets re-initialized during fast-reboot this patch also sets boot_services_exited to false after every initialization so we always exit trustedboot whenever it gets initialized. Signed-off-by: Mauro S. M. Rodrigues <maurosr@linux.vnet.ibm.com> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2020-03-12 | Re-license IBM written files as Apache 2.0 OR GPLv2+ | Stewart Smith | 36 | -36/+36
SPDX makes it a simpler diff. I have audited the commit history of each file to ensure that they are exclusively authored by IBM and thus we have the right to relicense. The motivation behind this is twofold:
1) We want to enable experiments with coreboot, which is GPLv2 licensed
2) An upcoming firmware component wants to incorporate code from skiboot and code from the Linux kernel, which is GPLv2 licensed.
I have gone through the IBM internal way of gaining approval for this. The following files are not exclusively authored by IBM, so are *not* included in this update (I will be seeking approval from contributors):
core/direct-controls.c
core/flash.c
core/pcie-slot.c
external/common/arch_flash_unknown.c
external/common/rules.mk
external/gard/Makefile
external/gard/rules.mk
external/opal-prd/Makefile
external/pflash/Makefile
external/xscom-utils/Makefile
hdata/vpd.c
hw/dts.c
hw/ipmi/ipmi-watchdog.c
hw/phb4.c
include/cpu.h
include/phb4.h
include/platform.h
libflash/libffs.c
libstb/mbedtls/sha512.c
libstb/mbedtls/sha512.h
platforms/astbmc/barreleye.c
platforms/astbmc/garrison.c
platforms/astbmc/mihawk.c
platforms/astbmc/nicole.c
platforms/astbmc/p8dnu.c
platforms/astbmc/p8dtu.c
platforms/astbmc/p9dsu.c
platforms/astbmc/vesnin.c
platforms/rhesus/ec/config.h
platforms/rhesus/ec/gpio.h
platforms/rhesus/gpio.c
platforms/rhesus/rhesus.c
platforms/astbmc/talos.c
platforms/astbmc/romulus.c
Signed-off-by: Stewart Smith <stewart@linux.ibm.com> [oliver: fixed up the drift] Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2020-03-11 | tpm_i2c_nuvoton: check TPM vendor id register during probe | Eric Richter | 1 | -0/+14
The driver for the nuvoton i2c TPM does not currently check if there is a functional TPM at the bus and address given by the device tree. This patch adds a simple check of the TPM vendor id register, compares against the known expected value for the chip, skips registering it if the chip is inaccessible or returns an unexpected id. Signed-off-by: Eric Richter <erichte@linux.ibm.com> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2020-03-11 | tpm_i2c_nuvoton: fix tpm_read_fifo overflow check | Mauro S. M. Rodrigues | 1 | -0/+1
The tpm_read_fifo expects buflen parameter which is the size of buf parameter. Later it uses buflen to check for an overflow in the case tpm response is bigger than buf capacity. The check is fine, but it doesn't interrupt the code flow, so even though we see error messages about the overflow, it doesn't prevent it. Adding a goto after specifying the error return code fixes it. Signed-off-by: Mauro S. M. Rodrigues <maurosr@linux.vnet.ibm.com> Reviewed-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com> Reviewed-by: Claudio Carvalho <cclaudio@linux.ibm.com> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2019-12-16 | add more sparse endian annotations | Nicholas Piggin | 1 | -1/+1
This fixes quite a few sparse endian annotations across the tree. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2019-12-16 | cvc: allow BE cvc code to be called from LE context | Nicholas Piggin | 2 | -6/+12
Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2019-12-05 | secvar_main: increase verbosity of the main entrypoint | Eric Richter | 1 | -1/+5
This patch simply adds unconditional log entries at the beginning and end of secvar initialization, to clarify whether secvar support is enabled and functional. Signed-off-by: Eric Richter <erichte@linux.ibm.com> [oliver: s/printf/prerror/] Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2019-12-05 | secvar_api: check that enqueue_update writes successfully before returning success | Eric Richter | 1 | -3/+4
The return code to the storage driver's write function was previously being ignored, so failures to write were not propagated to the API consumer. This patch fixes secvar_enqueue_update() to properly return the expected OPAL_HARDWARE return code if the storage driver's write function returns an error. Signed-off-by: Eric Richter <erichte@linux.ibm.com> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2019-12-05 | secvar_devtree: add generic compatible, and new format device tree property | Eric Richter | 1 | -1/+2
This patch adds a generic compatible entry to the secvar/compatible device tree property for kernels, etc to match for basic secvar information (e.g. the linux secvar-sysfs implementation). The new "format" property exposes the expected format for data passing in and out of the secvar API. In most cases, this should be the same as the backend-specific compatible entry. Signed-off-by: Eric Richter <erichte@linux.ibm.com> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2019-12-05 | libstb/tpm: block access to unknown i2c devs on the tpm bus | Oliver O'Halloran | 1 | -4/+43
Our favourite TPM is capable of listening on multiple I2C bus addresses and although this feature is supposed to be disabled by default we have some systems in the wild where the TPM appears to be listening on these secondary addresses. The secondary addresses are also susceptible to the bus-lockup problem that we see with certain traffic patterns to the "main" TPM address. We don't know what addresses the TPM might be listening on, so it's best to take a conservative approach and only allow traffic to I2C bus addresses that we are explicitly told about by firmware. This is only required on the TPM bus, so this patch extends the existing TPM workaround to also check that a DT node exists for any I2C bus address the OS wants to talk to. If there isn't one, we don't forward the I2C request to the bus and return an I2C timeout error to the OS. Acked-by: Stewart Smith <stewart@flamingspork.com> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2019-11-27 | libstb: export CVC/securerom code memory range | Stewart Smith | 1 | -1/+20
This is useful to capture a real in-memory image for use in a simulator (such as Mambo) without having to go through the complexity of setting up the in-memory image yourself. Signed-off-by: Stewart Smith <stewart@linux.ibm.com> [oliver: s/CVC/cvc/] Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2019-11-12 | libstb/secvar: Fix makefile | Oliver O'Halloran | 1 | -1/+1
Breaks building on travis since the script does weird builds. Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2019-11-07 | libstb/secvar: Ensure secvar_set_status() is called once | Oliver O'Halloran | 1 | -4/+1
Remove the check to see if the "status" property already exists. This function is intended to only be called once so failing an assert is fine since it indicates a programming error. Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2019-11-07 | secvar/test: add rudimentary secvar API unit testing | Eric Richter | 7 | -0/+557
This patch adds an initial port of the userspace unit tests for exercising the API that were originally developed out of tree. Future revisions will adjust the naming schemes and general formatting to match that of other tests within skiboot. Signed-off-by: Eric Richter <erichte@linux.ibm.com> [oliver: Use SPDX headers] Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2019-11-07 | libstb/secvar: add secvar api implementation | Eric Richter | 2 | -0/+159
This patch provides the OPAL runtime service frontend for the host OS to retrieve secure variables, and append new ones for processing on the next reboot. These calls operate on the internal abstraction or utilize the platform-provided driver hooks, and therefore this API should not need to be updated to support changes in storage or backend drivers.
Included are the following functions:
- opal_secvar_get()
- opal_secvar_get_next()
- opal_secvar_enqueue_update()
opal_secvar_get() retrieves the data blob associated with a given key. The data buffer may be set to NULL to only query for variable size. This runtime service only operates on the variable bank.
opal_secvar_get_next() can be used to iterate through the list of variable keys in the variable bank. Supplying an empty key (or zero key length) returns the key of the first variable in the variable bank. Supplying a valid key returns the key of the next variable in sequence.
opal_secvar_enqueue_update() provides a method for the host OS to submit a new variable for processing on next boot, by appending it to the update bank. As this does not affect the variable bank, appending a variable via this runtime service will not affect the output of the previous set of functions. The update queue is only processed during secvar initialization.
Signed-off-by: Eric Richter <erichte@linux.ibm.com> [oliver: style fixes] Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
---
V2:
- removed opal_secvar_backend, replaced by DT node
- removed unnecessary argument casting
- all calls return OPAL_RESOURCE if secvar failed to init
V3:
- remove metadata from API parameters
- remove opal_secvar_get_size
- change enqueue to replace an update with a repeat name, rather than enqueueing the duplicate
- change enqueue to unstage an update matching a key if size is zero
- make all key parameters const where possible
- rename key_size to key_buf_size in _get_next
- fix leaking node when enqueue could not allocate the secvar
V4:
- enqueue update now uses secvar alloc/realloc
- use storage-defined max var size instead of hardcoded constant
2019-11-07 | libstb/secvar: add secure variable internal abstraction | Eric Richter | 9 | -1/+363
This patch implements a platform-independent abstraction for storing and retrieving secure variables, as required for host OS secure boot. This serves as the main entry point for initializing the in-memory cache of the secure variables, which also kicks off any platform-specific logic that may be needed. This patch also provides core functions for the subsequent patches in this series to utilize. The base secure variable implementation makes use of two types of drivers, to be selected by the platform: "storage" drivers, and "backend" drivers. The storage driver implements the hooks required to write the secure variables to some form of non-volatile memory, and load the variables on boot. The backend driver defines how the variables should be interpreted, and processed. Secure variables are stored in two types of banks, the "variable" bank and the "update" bank. Variables that have been validated and processed are stored in the variable bank. This bank is effectively read-only after the base secvar initialization. Any proposed variable updates are instead stored in the update bank. During secvar initialization, the backend driver processes variables from the update bank, and if valid, adds the new variable to the variable bank. NOTE: The name "backend" is subject to change. It operates more like a scheme, so unless a better name comes along, it will likely change to "scheme" or "schema" in the future. 
Signed-off-by: Eric Richter <erichte@linux.ibm.com> [oliver: added missing SPDX tags, removed unused definitions, style fixes] Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
---
V2:
- added secvar device tree node as child of ibm,secureboot
- added version and compatible properties to backend driver struct
- added secvar_ready flag for the API to detect if secvar initialized successfully
- moved pre-process step to after initial variable load
- moved flags field from secvar struct to secvar node
V3:
- remove the metadata secvar field
- add probe_secvar() to bump compatible flag
- add device tree property for backend-agnostic secure mode setting
- remove backend minor version field
- remove static data allocation in secvar struct
V4:
- add alloc_secvar helpers
- removed ibm,secureboot version bump to v3
- secvars now store their allocated size separate from the data size (to permit overallocating)
- split device tree functions into their own file
- device tree changes:
  - secvar now a child of ibm,opal
  - compatible is "ibm,secvar-v1", backend creates its own node
  - secure-mode is now a boolean os-secure-enforcing property
  - storage and backends now have their own nodes
V5:
- removed storage device tree subnode
- moved max-var-size to secvar node
- added max-var-key-len
- fixed SPDX header in include/secvar.h
- removed obsolete enum
- removed unused devtree wrappers
- set secvar status prop earlier
V6:
- moved os-secureboot-enforcing to ibm,secureboot
- set secvar compatible based on backend
- removed backend node
2019-07-26 | SPDX-ify all skiboot code | Stewart Smith | 20 | -300/+40
Use Software Package Data Exchange (SPDX) to indicate license for each file that is unique to skiboot. At the same time, ensure the (C) who and years are correct. See https://spdx.org/ Signed-off-by: Stewart Smith <stewart@linux.ibm.com> [oliver: Added a few missing files] Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2019-07-19 | sparse: libstb/container: fix endian type for magic number | Stewart Smith | 1 | -1/+1
libstb/container.c:38:28: warning: incorrect type in argument 1 (different base types)
libstb/container.c:38:28: expected restricted beint32_t [usertype] be_val
libstb/container.c:38:28: got unsigned int [usertype]
Signed-off-by: Stewart Smith <stewart@linux.ibm.com> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
2019-06-03 | trustedboot: Change PCR and event_type for the skiboot events | Claudio Carvalho | 1 | -13/+22
The existing skiboot events are being logged as EV_ACTION, however, the TCG PC Client spec says that EV_ACTION events should have one of the pre-defined strings in the event field recorded in the event log. For instance:
- "Calling Ready to Boot",
- "Entering ROM Based Setup",
- "User Password Entered", and
- "Start Option ROM Scan".
None of the EV_ACTION pre-defined strings are applicable to the existing skiboot events. Based on recent discussions with other POWER teams, this patch proposes a convention on what PCR and event types should be used for skiboot events. This also changes the skiboot source code to follow the convention.
The TCG PC Client spec defines several event types, other than EV_ACTION. However, many of them are specific to UEFI events and some others are related to platform or CRTM events, which is more applicable to hostboot events. Currently, most of the hostboot events are extended to PCR[0,1] and logged as either EV_PLATFORM_CONFIG_FLAGS, EV_S_CRTM_CONTENTS or EV_POST_CODE. The "Node Id" and "PAYLOAD" events, though, are extended to PCR[4,5,6] and logged as EV_COMPACT_HASH.
For the lack of an event type that fits the specific purpose, EV_COMPACT_HASH seems to be the most adequate one due to its flexibility. According to the TCG PC Client spec:
- May be used for any PCR except 0, 1, 2 and 3.
- The event field may be informative or may be hashed to generate the digest field, depending on the component recording the event.
Additionally, the PCR[4,5] seem to be the most adequate PCRs. They would be used for skiboot and some skiroot events. According to the TCG PC Client, PCR[4] is intended to represent the entity that manages the transition between the pre-OS and OS-present state of the platform. PCR[4], along with PCR[5], identifies the initial OS loader.
In summary, for skiboot events:
- Events that represent data should be extended to PCR 4.
- Events that represent config should be extended to PCR 5.
- For the lack of an event type that fits the specific purpose, both data and config events should be logged as EV_COMPACT_HASH.
Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
2019-05-15 | nvram: Flag dangerous NVRAM options | Michael Neuling | 2 | -2/+2
Most nvram options used by skiboot are just for debug or testing for regressions. They should never be used long term. We've hit a number of issues in testing and the field where nvram options have been set "temporarily" but haven't been properly cleared after, resulting in crashes or real bugs being masked. This patch marks most nvram options used by skiboot as dangerous and prints a chicken to remind users of the problem. Signed-off-by: Michael Neuling <mikey@neuling.org> Reviewed-by: Samuel Mendoza-Jonas <sam@mendozajonas.com> Acked-By: Alistair Popple <alistair@popple.id.au> Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
2018-11-08 | libstb: Pass a tpm_dev to tpm_i2c_request_send() | Oliver O'Halloran | 4 | -20/+17
Just pass the container structure rather than bus_id and xscom_base to tpm_i2c_request_send(). Rename xscom_base to i2c_addr while we're here since that's just plain wrong. Signed-off-by: Oliver O'Halloran <oohall@gmail.com> Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
2018-09-13 | Use $() rather than backticks in all shell | Stewart Smith | 1 | -1/+1
The cool kids are all using $() these days as backticks are all backwards and uncool. Practically speaking, it makes it easier to escape things, nest things, and all the other reasons listed on http://mywiki.wooledge.org/BashFAQ/082 Signed-off-by: Stewart Smith <stewart@linux.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2018-07-17 | Recognise signed VERSION partition | Samuel Mendoza-Jonas | 1 | -0/+1
A few things need to change to support a signed VERSION partition:
- A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE (4K).
- The VERSION partition needs to be loaded after secure/trusted boot is set up, and therefore after nvram_init().
- Added to the trustedboot resources array.
This also moves the ipmi_dt_add_bmc_info() call to after flash_dt_add_fw_version() since it adds info to ibm,firmware-versions.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com> Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
2018-06-05 | Quieten console output on boot | Stewart Smith | 2 | -3/+3
We print out a whole bunch of things on boot, most of which aren't interesting, so we should *not* print them instead. Printing things like what CPUs we found and what PCI devices we found *are* useful, so continue to do that. But we don't need to splat out a bunch of things that are always going to be true. Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
2018-05-22 | libstb/i2c-driver: Bump max timeout | Oliver O'Halloran | 1 | -1/+2
We have observed some TPMs clock stretching the I2C bus for significant amounts of time when processing commands. The same TPMs also have errata that can result in permanently locking up a bus in response to an I2C transaction they don't understand. Using an excessively long timeout to prevent this in the field. Signed-off-by: Oliver O'Halloran <oohall@gmail.com> Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
2018-03-27 | libstb/create-container: munmap() signature file address | Cyril Bur | 2 | -19/+21
I also couldn't ignore that the same function had both a void *infile and a char *inFile. The inFile variable is clearly a filename, why not call it that. Fixes: CID 263054 and 263051 Signed-off-by: Cyril Bur <cyril.bur@au1.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2018-02-28 | build: use thin archives rather than incremental linking | Nicholas Piggin | 4 | -4/+4
This changes the build system to use thin archives rather than incremental linking for built-in.o, similar to recent change to Linux. built-in.o is renamed to built-in.a, and is created as a thin archive with no index, for speed and size. All built-in.a are aggregated into a skiboot.tmp.a which is a thin archive built with an index, making it suitable for linking. This is input into the final link. The advantages of build size and linker code placement flexibility are not as great with skiboot as a bigger project like Linux, but it's a conceptually better way to build, and is more compatible with link time optimisation in toolchains which might be interesting for skiboot particularly for size reductions. Size of build tree before this patch is 34.4MB, afterwards 23.1MB. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2018-02-28 | libstb/secureboot: Fix logging of secure verify messages. | Pridhiviraj Paidipeddi | 1 | -12/+19
Currently we are logging secure verify/enforce messages in PR_EMERG level even when there is no secureboot mode enabled. So reduce the log level to PR_ERR when secureboot mode is OFF. Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2018-02-13 | stb: Put correct label (for skiboot) into container | Stewart Smith | 1 | -2/+8
Hostboot will expect the label field of the stb header to contain "PAYLOAD" for skiboot or it will fail to load and run skiboot. The failure looks something like this:
 53.40896|ISTEP 20. 1 - host_load_payload
 53.65840|secure|Secureboot Failure plid = 0x90000755, rc = 0x1E07
 53.65881|System shutting down with error status 0x1E07
 53.67547|================================================
 53.67954|Error reported by secure (0x1E00) PLID 0x90000755
 53.67560| Container's component ID does not match expected component ID
 53.67561| ModuleId 0x09 SECUREBOOT::MOD_SECURE_VERIFY_COMPONENT
 53.67845| ReasonCode 0x1e07 SECUREBOOT::RC_ROM_VERIFY
 53.67998| UserData1 : 0x0000000000000000
 53.67999| UserData2 : 0x0000000000000000
 53.67999|------------------------------------------------
 53.68000| Callout type : Procedure Callout
 53.68000| Procedure : EPUB_PRC_HB_CODE
 53.68001| Priority : SRCI_PRIORITY_HIGH
 53.68001|------------------------------------------------
 53.68002| Callout type : Procedure Callout
 53.68003| Procedure : EPUB_PRC_FW_VERIFICATION_ERR
 53.68003| Priority : SRCI_PRIORITY_HIGH
 53.68004|------------------------------------------------
Reported-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com> Tested-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2018-02-08 | stb: Enforce secure boot if called before libstb initialized | Stewart Smith | 1 | -0/+1
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2018-02-08 | stb: Correctly error out when no PCR for resource | Stewart Smith | 1 | -1/+2
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2018-02-08 | libstb: fix failure of calling trusted measure without STB initialization. | Pridhiviraj Paidipeddi | 1 | -0/+10
When we load a flash resource during OPAL init, STB calls trusted measure to measure the given resource. There is a situation when a flash gets loaded before STB initialization then trusted measure cannot measure properly. So this patch fixes this issue by calling trusted measure only if the corresponding trusted init was done. The ideal fix is to make sure STB init done at the first place during init and then do the loading of flash resources, by that way STB can properly verify and measure the all resources. Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2018-02-08 | libstb: fix failure of calling cvc verify without STB initialization. | Pridhiviraj Paidipeddi | 1 | -0/+9
Currently in OPAL init time at various stages we are loading various PNOR partition containers from the flash device. When we load a flash resource STB calls the CVC verify and trusted measure(sha512) functions. So when we have a flash resource gets loaded before STB initialization, then cvc verify function fails to start the verify and enforce the boot. Below is one of the example failure where our VERSION partition gets loading early in the boot stage without STB initialization done. This is with secure mode off. STB: VERSION NOT VERIFIED, invalid param. buf=0x305ed930, len=4096 key-hash=0x0 hash-size=0 In the same code path when secure mode is on, the boot process will abort. So this patch fixes this issue by calling cvc verify only if we have STB init was done. And also we need a permanent fix in init path to ensure STB init gets done at first place and then start loading all other flash resources. Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2018-02-07 | libstb/tpm_chip: Add missing new line to print messages. | Pridhiviraj Paidipeddi | 1 | -2/+2
Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2018-02-07 | libstb: increase the log level of verify/measure messages to PR_NOTICE. | Pridhiviraj Paidipeddi | 2 | -2/+2
Currently libstb logs the verify and hash calculation messages in PR_INFO level. So when there is a secure boot enforcement happens in loading last flash resource(Ex: BOOTKERNEL), the previous verify and measure messages are not logged to console, which is not clear to the end user which resource is verified and measured. So this patch fixes this by increasing the log level to PR_NOTICE. Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2018-01-19 | libstb/cvc: Register P8 secure ROM code correctly | Stewart Smith | 1 | -2/+2
Register the location of the secure ROM, not the address of the location. Fixes: 594c7a6ae3ccc Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-20 | allow secure boot if not enforcing it | Stewart Smith | 1 | -6/+0
We check the secure boot containers no matter what, only *enforcing* secure boot if we're booting in secure mode. This gives us an extra layer of checking firmware is legit even when secure mode isn't enabled, as well as being really useful for testing. Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-18 | libstb/(create|print)-container: Sync with sb-signing-utils | Stewart Smith | 14 | -386/+1573
The sb-signing-utils project has improved upon the skeleton create-container tool that existed in skiboot, including being able to (quite easily) create *signed* images. This commit brings in that code (and makes it build in the skiboot build environment) and updates our skiboot.*.stb generating code to use the development keys. We also update print-container as well, syncing it with the upstream project. Derived from github.com:open-power/sb-signing-utils.git at v0.3-5-gcb111c03ad7f (and yes, changes here will be submitted upstream) Cc: Dave Heller <hellerda@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-18 | libstb/cvc: update memory-region to point to /reserved-memory | Claudio Carvalho | 2 | -1/+33
The linux documentation, reserved-memory.txt, says that memory-region is a phandle that pairs to a children of /reserved-memory. This updates /ibm,secureboot/ibm,cvc/memory-region to point to /reserved-memory/secure-crypt-algo-code instead of /ibm,hostboot/reserved-memory/secure-crypt-algo-code. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-18 | libstb: add support for ibm,secureboot-v2 | Claudio Carvalho | 3 | -0/+71
ibm,secureboot-v2 changes:
- The Container Verification Code is represented by the ibm,cvc node.
- Each ibm,cvc child describes a CVC service.
- hash-algo is superseded by hw-key-hash-size.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-18 | libstb: remove stb.c and obsolete companions | Claudio Carvalho | 10 | -762/+2
This removes all the files that were replaced by secureboot.c, trustedboot.c and cvc.c. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-18 | libstb/tpm_chip.c: define pr_fmt and fix messages logged | Claudio Carvalho | 1 | -36/+42
This defines pr_fmt and also fixes messages logged:
- EV_SEPARATOR instead of 0xFFFFFFFF
- when an event is measured it also prints the tpm id, event type and event log length (yay!)
Now we can filter the messages logged by libstb and its sub-modules by running:
$> grep STB /sys/firmware/opal/msglog
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-18 | libstb/tss: update the list of event types supported | Claudio Carvalho | 2 | -6/+28
Skiboot, precisely the tpmLogMgr, initializes the firmware event log by calculating its length so that a new event can be recorded without exceeding the log size. In order to calculate the size, it walks through the log until it finds a specific event type. However, if the log has an unknown event type, the tpmLogMgr will not be able to reach the end of the log. This updates the list of event types with all of those supported by hostboot. Thus, skiboot can properly calculate the event log length. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-18 | tpm_i2c_nuvoton: add nuvoton,npct601 to the compatible property | Claudio Carvalho | 1 | -0/+10
The linux kernel doesn't have a driver compatible with "nuvoton,npct650", but it does have for "nuvoton,npct601", which should also be compatible with npct650. This adds "nuvoton,npct601" to the compatible devtree property. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-18 | libstb/trustedboot.c: import stb_final() from stb.c | Claudio Carvalho | 2 | -0/+79
The stb_final() primary goal is to measure the event EV_SEPARATOR into PCR[0-7] when trusted boot is about to exit the boot services. This imports the stb_final() from stb.c into trustedboot.c, but making the following changes:
- Rename it to trustedboot_exit_boot_services().
- As specified in the TCG PC Client spec, EV_SEPARATOR events must be logged with the name 0xFFFFFF.
- Remove the rom driver clean-up call.
- Don't allow code to be measured in skiboot after trustedboot_exit_boot_services() is called.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-18 | libstb/cvc.c: import softrom behavior from drivers/sw_driver.c | Claudio Carvalho | 3 | -1/+21
Softrom is used only for testing with mambo. By setting compatible="ibm,secureboot-v1-softrom" in the "ibm,secureboot" node, firmware images can be properly measured even if the Container-Verification-Code (CVC) is not available. In this case, the mbedtls_sha512() function is used to calculate the sha512 hash of the firmware images. This imports the softrom behavior from libstb/drivers/sw_driver.c code into cvc.c, but now softrom is implemented as a flag. When the flag is set, the wrappers for the CVC services work the same way as in sw_driver.c. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-18 | libstb/trustedboot.c: import tb_measure() from stb.c | Claudio Carvalho | 5 | -2/+173
This imports tb_measure() from stb.c, but now it calls the CVC sha512 wrapper to calculate the sha512 hash of the firmware image provided. In trustedboot.c, the tb_measure() is renamed to trustedboot_measure(). The new function, trustedboot_measure(), no longer checks if the container payload hash calculated at boot time matches with the hash found in the container header. A few reasons:
- If the system admin wants the container header to be checked/validated, the secure boot jumper must be set. Otherwise, the container header information may not be reliable.
- The container layout is expected to change over time. Skiboot would need to maintain a parser for each container layout change.
- Skiboot could be checking the hash against a container version that is not supported by the Container-Verification-Code (CVC).
The tb_measure() calls are updated to trustedboot_measure() in a subsequent patch.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-18 | libstb/secureboot.c: import sb_verify() from stb.c | Claudio Carvalho | 5 | -6/+131
This imports the sb_verify() function from stb.c, but now it calls the CVC verify wrapper in order to verify signed firmware images. The hw-key-hash and hw-key-hash-size initialized in secureboot.c are passed to the CVC verify function wrapper. In secureboot.c, the sb_verify() is renamed to secureboot_verify(). The sb_verify() calls are updated in a subsequent patch. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-18 | libstb: import stb_init() breaking it into multiple files | Claudio Carvalho | 10 | -24/+501
This imports stb_init() from stb.c, but breaking it into multiple files in order to make the code easier to read and to maintain. New files created: secureboot.c, trustedboot.c and cvc.c. The secureboot_init() in secureboot.c also initializes the hardware key hash and the hardware key hash size, which are used to call the CVC verify wrapper. These variables were initialized in the romcode_probe() function, libstb/drivers/romcode.c. The cvc_init() in cvc.c is slightly modified from what exists in stb_init(). Now it calls cvc_register() and cvc_service_register(). Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
2017-12-18 | libstb: move drivers/sha512.* to mbedtls directory | Claudio Carvalho | 6 | -3/+15
The drivers/sha512.c file is a SHA512 hash implementation imported from the mbed TLS project. As a matter of semantics, this moves drivers/sha512.* to the mbedtls directory. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>