From 3281d5a41a825fce5b935e8929971a8847611fc8 Mon Sep 17 00:00:00 2001 From: Claudio Carvalho Date: Sat, 9 Dec 2017 02:52:20 -0200 Subject: libstb/trustedboot.c: import tb_measure() from stb.c This imports tb_measure() from stb.c, but now it calls the CVC sha512 wrapper to calculate the sha512 hash of the firmware image provided. In trustedboot.c, the tb_measure() is renamed to trustedboot_measure(). The new function, trustedboot_measure(), no longer checks if the container payload hash calculated at boot time matches with the hash found in the container header. A few reasons: - If the system admin wants the container header to be checked/validated, the secure boot jumper must be set. Otherwise, the container header information may not be reliable. - The container layout is expected to change over time. Skiboot would need to maintain a parser for each container layout change. - Skiboot could be checking the hash against a container version that is not supported by the Container-Verification-Code (CVC). The tb_measure() calls are updated to trustedboot_measure() in a subsequent patch. Signed-off-by: Claudio Carvalho Signed-off-by: Stewart Smith --- libstb/cvc.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'libstb/cvc.h') diff --git a/libstb/cvc.h b/libstb/cvc.h index 14e8cd2..13c1b33 100644 --- a/libstb/cvc.h +++ b/libstb/cvc.h @@ -44,4 +44,17 @@ int cvc_init(void); int call_cvc_verify(void *buf, size_t size, const void *hw_key_hash, size_t hw_key_hash_size, uint64_t *log); +/* + * call_cvc_sha512 - Call the CVC-sha512 service to calculate a sha512 hash. + * + * @data - buffer that has data to be hashed + * @data_len - number of bytes from @data to be considered in the hash + * calculation + * @digest - buffer to store the calculated hash + * @digest_size - number of bytes allocated for @digest + * + */ +int call_cvc_sha512(const uint8_t *data, size_t data_len, uint8_t *digest, + size_t digest_size); + #endif /* __CVC_H */ -- cgit v1.1