[Skiboot] [PATCH 01/15] doc/device-tree: Add ibm, secureboot.txt

Stewart Smith stewart at linux.vnet.ibm.com
Thu Sep 1 18:46:32 AEST 2016


Claudio Carvalho <cclaudio at linux.vnet.ibm.com> writes:
> This adds documentation for the ibm,secureboot device tree node.
>
> Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
> ---
>  doc/device-tree/ibm,secureboot.txt | 42 ++++++++++++++++++++++++++++++++++++++
>  1 file changed, 42 insertions(+)
>  create mode 100644 doc/device-tree/ibm,secureboot.txt
>
> diff --git a/doc/device-tree/ibm,secureboot.txt b/doc/device-tree/ibm,secureboot.txt
> new file mode 100644
> index 0000000..387cb25
> --- /dev/null
> +++ b/doc/device-tree/ibm,secureboot.txt

(minor point, but we recently switched to rst formatted docs. I'm not
too fussed if you move it over to .rst or not, I can do that with merge)

> @@ -0,0 +1,42 @@
> +Device tree bindings for ibm,secureboot
> +=======================================
> +
> +This node represents the presence of the ROM verification code in the
> +platform. It has properties related to secure boot and trusted boot.

Could you expand a bit on what you mean by ROM? (or point to the
explanation).

Maybe something like:
"In a secure ROM flashed during manufacturing, there may exist some code
for secure/trusted boot. On POWER8, the presence of this code is announced to
skiboot (by HostBoot) by the ibm,secureboot node."

Obviously, with HDAT on P9, this is going to be different. Any idea
what?

Is this a node in the device tree an OS is going to care about at all?

Is the source code to this ROM available somewhere? Considering it's the
core of verifying things, it would be good for people to be able to verify it.

> +Required properties
> +-------------------
> +
> +- compatible :  ibm,secureboot version. It is related to the ROM verification
> +		code version.
> +
> +- hash-algo : 	hash algorithm used for the hw-key-hash. Aspects such as the
> +		size of the hw-key-hash can be infered from this
> property.

Would it be possible to support multiple hash algorithms at any point in
time?

What about if instead we had a list of hash algorithms and the keys in
hw-key-hash-$ALGORITHM (e.g. hw-key-hash-sha512)?

> +- secure-enabled : this property exists whether the system is booting on
> +		   secure mode.
> +
> +- trusted-enabled : this property exists whether the system is booting on
> +		    trusted mode.

s/whether/if/; s/on/in/;

> +- hw-key-hash : hash of three concatenated hardware public key. This is
> +		required by the ROM verification code to verify images.
> +
> +Example
> +-------
> +
> +For the first version "ibm,secureboot-v1", the ROM verification code expects the
> +hw-key-hash to be a sha512 hash.
> +
> +ibm,secureboot {
> +	compatible = "ibm,secureboot-v1";
> +	hash-algo = "sha512";
> +	secure-enabled;
> +	trusted-enabled;
> +	hw-key-hash = <0x40d487ff 0x7380ed6a 0xd54775d5 0x795fea0d 0xe2f541fe
> +0xa9db06b8 0x466a42a3 0x20e65f75 0xb4866546 0x17d907 0x515dc2a5 0xf9fc5095
> +0x4d6ee0c9 0xb67d219d 0xfb708535 0x1d01d6d1>;
> +	phandle = <0x100000fd>;
> +	linux,phandle = <0x100000fd>;
> +};
> +
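Review bot: secure-enabled and trusted-enabled are described as properties that "exist whether the system is booting on secure mode" / "trusted mode", i.e. their absence is the normal way to say the mode is off, yet they sit under "Required properties"; a consumer reading the binding literally would treat a node without them as malformed rather than as "not enabled", so they belong in a separate "Optional properties" section with the wording "present if the system is booting in secure (resp. trusted) mode". Two smaller points in the same hunk: "hash of three concatenated hardware public key" should read "keys", and "infered" should read "inferred". The example is otherwise consistent with its own text, since 16 32-bit cells are the 64 bytes of a sha512 digest, but writing the tenth cell as 0x0017d907 instead of 0x17d907 would stop it looking like a truncated value; it would also help to list the known compatible values (only "ibm,secureboot-v1" appears so far) under the compatible property rather than just "ibm,secureboot version".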
> -- 
> 1.9.1
>
> _______________________________________________
> Skiboot mailing list
> Skiboot at lists.ozlabs.org
> https://lists.ozlabs.org/listinfo/skiboot

-- 
Stewart Smith
OPAL Architect, IBM.
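The binding says the size of hw-key-hash follows from hash-algo, and the reply above floats hw-key-hash-$ALGORITHM properties instead. The checker below is an added example written for this page, not skiboot code and not from either mail: it parses the example node from the proposed ibm,secureboot.txt, derives the expected digest length from hash-algo, and reports a mismatch; it goes slightly beyond the page by also validating the per-algorithm layout proposed in the reply. The regex parser, the hash-algo values other than "sha512", and the second node (with its constructed cell values) are assumptions made for the example.

```python
"""Sanity-check an ibm,secureboot node against the proposed binding.

Added example for this mailing-list page; not skiboot code.
"""
import hashlib
import re

# Digest sizes (bytes) for the hash-algo values this checker accepts.
# Only "sha512" is named by the proposed binding; the others are assumed
# here so a firmware verifier can reject a hash of the wrong length.
DIGEST_SIZES = {name: hashlib.new(name).digest_size
                for name in ("sha256", "sha384", "sha512")}

# Sample input: the example node from the proposed ibm,secureboot.txt.
SAMPLE_NODE = """
ibm,secureboot {
	compatible = "ibm,secureboot-v1";
	hash-algo = "sha512";
	secure-enabled;
	trusted-enabled;
	hw-key-hash = <0x40d487ff 0x7380ed6a 0xd54775d5 0x795fea0d 0xe2f541fe
0xa9db06b8 0x466a42a3 0x20e65f75 0xb4866546 0x17d907 0x515dc2a5 0xf9fc5095
0x4d6ee0c9 0xb67d219d 0xfb708535 0x1d01d6d1>;
	phandle = <0x100000fd>;
	linux,phandle = <0x100000fd>;
};
"""

# Constructed node for the per-algorithm layout suggested in the reply.
# The cell values are made up; the sha256 hash is deliberately one cell
# short so the checker has a failure to report.
ALT_NODE = """
ibm,secureboot {
	compatible = "ibm,secureboot-v1";
	hw-key-hash-sha512 = <%s>;
	hw-key-hash-sha256 = <0x01010101 0x02020202 0x03030303 0x04040404
			      0x05050505 0x06060606 0x07070707>;
};
""" % " ".join("0x%08x" % (0x1000 + i) for i in range(16))


def parse_node(dts: str) -> dict:
    """Parse one DTS node body into {property: value}.

    Booleans become True, strings lose their quotes and <...> cell lists
    become lists of ints.  This is a minimal parser for the example
    syntax, not a general DTS parser.
    """
    body = dts[dts.index("{") + 1:dts.rindex("}")]
    props = {}
    for name, value in re.findall(r"([\w,#-]+)\s*(?:=\s*([^;]*))?;", body):
        value = value.strip()
        if value == "":
            props[name] = True                 # presence-only property
        elif value.startswith('"'):
            props[name] = value.strip('"')
        elif value.startswith("<"):
            props[name] = [int(tok, 16) for tok in value.strip("<>").split()]
        else:
            raise ValueError("unsupported value for %s: %r" % (name, value))
    return props


def cells_to_bytes(cells: list) -> bytes:
    # Device-tree cells are 32-bit big-endian; a cell written as 0x17d907
    # is still a full cell whose leading zero byte the writer dropped.
    return b"".join(c.to_bytes(4, "big") for c in cells)


def check_hw_key_hash(props: dict) -> tuple:
    """Return (ok, detail): the digest hex on success, a reason on failure."""
    algo = props.get("hash-algo")
    if algo not in DIGEST_SIZES:
        return False, "unknown hash-algo %r" % (algo,)
    digest = cells_to_bytes(props.get("hw-key-hash", []))
    want = DIGEST_SIZES[algo]
    if len(digest) != want:
        return False, "hw-key-hash is %d bytes, %s needs %d" % (len(digest), algo, want)
    return True, digest.hex()


def check_per_algo_hashes(props: dict) -> dict:
    """Validate hw-key-hash-<algo> properties; {algo: length_ok}."""
    results = {}
    for name, value in props.items():
        if not name.startswith("hw-key-hash-"):
            continue
        algo = name[len("hw-key-hash-"):]
        digest = cells_to_bytes(value)
        results[algo] = algo in DIGEST_SIZES and len(digest) == DIGEST_SIZES[algo]
    return results


def boot_mode(props: dict) -> dict:
    """Presence of the two boolean properties selects the boot mode."""
    return {"secure": props.get("secure-enabled") is True,
            "trusted": props.get("trusted-enabled") is True}


if __name__ == "__main__":
    node = parse_node(SAMPLE_NODE)
    print(node["compatible"], boot_mode(node), check_hw_key_hash(node))
    print(check_per_algo_hashes(parse_node(ALT_NODE)))
```

Run as a script it prints the parsed mode flags and the hex of the 64-byte hw-key-hash from the example, followed by {"sha512": True, "sha256": False} for the constructed alternative node. Converting cells big-endian is the part worth copying into a real verifier: the same 16 cells read as little-endian words would produce a different 64-byte string and never match the hash burned into the ROM.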


