[Skiboot] [PATCH 14/15] libstb/drivers: Add ROM code driver
stewart at linux.vnet.ibm.com
Wed Sep 28 13:52:18 AEST 2016
Patrick Williams <patrick at stwcx.xyz> writes:
> On Tue, Sep 20, 2016 at 06:28:11PM +1000, Stewart Smith wrote:
>> Claudio Carvalho <cclaudio at linux.vnet.ibm.com> writes:
>> > This adds a driver for the ROM verification code. The driver is compatible
>> > with 'ibm,secureboot-v1'.
>> > The presence of a verification code in the platform is indicated by the
>> > presence of the ibm,secureboot node in the device tree.
>> > The ibm,secureboot node is documented in
>> > 'doc/device-tree/ibm,secureboot.txt'
>> I think I've made the comment elsewhere but:
>> 1) is there source available for the ROM code?
> I do not believe so for P8. For P9, it would be part of Hostboot and
> then programmed into the SBE SEEPROM. This allows it to be replaced
> with alternative algorithms fairly easily.
>> 2) why are we calling it rather than our own SHA512 code?
>> 3) why would we not verify the ROM code result against a local SHA512
> SHA512/ECDSA are not required in the future. Different geographies have
> different preference on the encryption / signature algorithm, so we are
> designing P9 to be replaceable. I assume you'll want to use the
> algorithm that Hostboot leaves laying around in memory in that case.
Maybe/maybe not. Having our own copy (even if it's just shared with
Hostboot implementation) means that we can easily run in sim and verify
trusted/secure boot code paths. If we exclusively rely on hostboot (or
ROM code), then we don't get that.
OPAL Architect, IBM.