[Skiboot] [PATCH v2 00/12] Add secure and trusted boot support for habanero
Claudio Carvalho
cclaudio at linux.vnet.ibm.com
Wed Sep 28 18:10:50 AEST 2016
Habanero is the first platform that will support secure and
trusted boot. Hostboot already have some secure and trusted boot features
for habanero.
This patch series adds secure and trusted boot support for habanero in skiboot.
core/flash.c is extended to verify and measure all the resources downloaded
from PNOR using libstb.
For habanero, CAPP and BOOTKERNEL are the only PNOR partitions downloaded
from PNOR at boot time. So, we verify and measure only these partitions.
Hardware dependencies:
* Nuvoton TPM 2.0 device (nuvoton,npct650)
Software dependencies:
* Hostboot patch to enable both TPM device and TPM device driver
* Habanero-xml patch to enable TPM.
* Currently, secure mode is not on for habanero, but when secure mode is on,
CAPP and BOOTKERNEL partitions must have secure boot containers properly
built
I have a few patches and scripts that we can use for testing while all the
software dependencies above are not upstream. Please let me know if you need
them for testing.
Throubleshooting:
* You may need to add 'set ALLOW_NON_COMPLIANT_DIMM' to hostboot habanero.config
in order to avoid hostboot failures related to DIMM.
Changelog v2:
- replaced boot_test.sh -f by -N - suggested by Stewart Smith
- replaced boot_test.sh -e by -F - suggested by Stewart Smith
- changed -r to be a default behaviour that cannot be switched off - suggested
by Stewart Smith
Claudio Carvalho (12):
core/init.c: adjust offset to run BOOTKERNEL containers
core/flash.c: load actual partition size
core: add flash_subpart_info()
hw/phb3.c: preload the whole CAPP partition
hw/phb3.c: adjust offset to run CAPP containers
include/capp.h: add #include guard
core/flash.c: verify and measure resources
core/init.c: measure event separator before handover to skiroot
platforms/astbmc: initialize libstb for habanero
external/boot_tests: add arbitrary lid option -F
external/boot_tests: add the nobooting option -N
external/boot_tests: remove lid from the BMC after flashing
core/flash.c | 154 ++++++++++++++++++++++---------------
core/init.c | 13 +++-
external/boot-tests/bmc_support.sh | 26 ++++++-
external/boot-tests/boot_test.sh | 43 ++++++++---
hw/phb3.c | 28 ++++++-
include/capp.h | 7 +-
include/skiboot.h | 4 +-
platforms/astbmc/astbmc.h | 1 +
platforms/astbmc/common.c | 7 ++
platforms/astbmc/habanero.c | 2 +-
10 files changed, 202 insertions(+), 83 deletions(-)
--
1.9.1
More information about the Skiboot
mailing list