[Skiboot] [PATCH v2 00/12] Add secure and trusted boot support for habanero

Claudio Carvalho cclaudio at linux.vnet.ibm.com
Wed Sep 28 18:10:50 AEST 2016

Habanero is the first platform that will support secure and 
trusted boot. Hostboot already have some secure and trusted boot features
for habanero.

This patch series adds secure and trusted boot support for habanero in skiboot.
core/flash.c is extended to verify and measure all the resources downloaded
from PNOR using libstb.

For habanero, CAPP and BOOTKERNEL are the only PNOR partitions downloaded
from PNOR at boot time. So, we verify and measure only these partitions.

Hardware dependencies:
* Nuvoton TPM 2.0 device (nuvoton,npct650)

Software dependencies:
* Hostboot patch to enable both TPM device and TPM device driver
* Habanero-xml patch to enable TPM.
* Currently, secure mode is not on for habanero, but when secure mode is on, 
  CAPP and BOOTKERNEL partitions must have secure boot containers properly

I have a few patches and scripts that we can use for testing while all the 
software dependencies above are not upstream. Please let me know if you need
them for testing.

* You may need to add 'set ALLOW_NON_COMPLIANT_DIMM' to hostboot habanero.config
in order to avoid hostboot failures related to DIMM.

Changelog v2:
- replaced boot_test.sh -f by -N - suggested by Stewart Smith
- replaced boot_test.sh -e by -F - suggested by Stewart Smith
- changed -r to be a default behaviour that cannot be switched off - suggested
  by Stewart Smith

Claudio Carvalho (12):
  core/init.c: adjust offset to run BOOTKERNEL containers
  core/flash.c: load actual partition size
  core: add flash_subpart_info()
  hw/phb3.c: preload the whole CAPP partition
  hw/phb3.c: adjust offset to run CAPP containers
  include/capp.h: add #include guard
  core/flash.c: verify and measure resources
  core/init.c: measure event separator before handover to skiroot
  platforms/astbmc: initialize libstb for habanero
  external/boot_tests: add arbitrary lid option -F
  external/boot_tests: add the nobooting option -N
  external/boot_tests: remove lid from the BMC after flashing

 core/flash.c                       | 154 ++++++++++++++++++++++---------------
 core/init.c                        |  13 +++-
 external/boot-tests/bmc_support.sh |  26 ++++++-
 external/boot-tests/boot_test.sh   |  43 ++++++++---
 hw/phb3.c                          |  28 ++++++-
 include/capp.h                     |   7 +-
 include/skiboot.h                  |   4 +-
 platforms/astbmc/astbmc.h          |   1 +
 platforms/astbmc/common.c          |   7 ++
 platforms/astbmc/habanero.c        |   2 +-
 10 files changed, 202 insertions(+), 83 deletions(-)


More information about the Skiboot mailing list