[Skiboot] [PATCH 13/13] libstb/stb.c: fix log messages

Thu Aug 31 16:46:01 AEST 2017

This just makes sure that the stb log messages are following the same
logic.

Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
---
 libstb/stb.c | 78 ++++++++++++++++++++++++++----------------------------------
 1 file changed, 34 insertions(+), 44 deletions(-)

diff --git a/libstb/stb.c b/libstb/stb.c
index cf40b2c..da0c534 100644
--- a/libstb/stb.c
+++ b/libstb/stb.c
@@ -311,16 +311,13 @@ int stb_final(void)
 int tb_measure(enum resource_id id, void *buf, size_t len)
 {
 	uint8_t digest[SHA512_DIGEST_LENGTH];
-	const uint8_t *digestp;
+	const uint8_t *payload_hash = NULL;
 	const char *name;
 	TPM_Pcr pcr;
 
-	digestp = NULL;
-	if (!trusted_mode) {
-		prlog(PR_INFO, "STB: %s skipped resource %d, "
-		      "trusted_mode=0\n", __func__, id);
-		return STB_TRUSTED_MODE_DISABLED;
-	}
+	if (!trusted_mode)
+		return 1;
+
 	name = flash_map_resource_name(id);
 	if (!name) {
 		/**
@@ -343,56 +340,49 @@ int tb_measure(enum resource_id id, void *buf, size_t len)
 	}
 	if (!buf) {
 		/**
-		 * @fwts-label STBNullResourceReceived
-		 * @fwts-advice Null resource passed to tb_measure. This has
-		 * come from the resource load framework and likely indicates a
-		 * bug in the framework.
+		 * @fwts-label ResourceNotMeasuredNull
+		 * @fwts-advice This is a bug. The tb_measure() caller provided
+		 * a NULL container.
 		 */
-		prlog(PR_ERR, "STB: %s failed: resource %s, buf null\n",
-		      __func__, name);
-		return STB_ARG_ERROR;
+		prlog(PR_ERR, "STB: %s NOT MEASURED, it's null\n", name);
+		return -1;
 	}
 	memset(digest, 0, SHA512_DIGEST_LENGTH);
-	/*
-	 * In secure mode we can use the sw-payload-hash from the container
-	 * header to measure the container payload. Otherwise we must calculate
-	 * the hash of the container payload (if it's a container) or the image
-	 * (if it's not a container)
-	 */
+
 	if (stb_is_container(buf, len)) {
-		digestp = stb_sw_payload_hash(buf, len);
-		if(!digestp) {
-			prlog(PR_EMERG, "STB Container is corrupt, can't find hash\n");
+		payload_hash = stb_sw_payload_hash(buf, len);
+		if(!payload_hash) {
+			prlog(PR_EMERG, "STB: %s container NOT MEASURED, "
+			      "sw-payload-hash not found\n", name);
 			return -1;
 		}
 
 		c1vc->sha512((void*) c1vc->sha512_addr,
 			     buf + SECURE_BOOT_HEADERS_SIZE,
 			     len - SECURE_BOOT_HEADERS_SIZE, digest);
-
-		prlog(PR_INFO, "STB: %s sha512 hash re-calculated\n", name);
-		if (memcmp(digestp, digest, TPM_ALG_SHA256_SIZE) != 0) {
-			prlog(PR_ALERT, "STB: HASH IN CONTAINER DOESN'T MATCH CONTENT!\n");
-			prlog(PR_ALERT, "STB: Container hash:\n");
-			stb_print_data(digestp, TPM_ALG_SHA256_SIZE);
-			prlog(PR_ALERT, "STB: Computed hash (on %lx bytes):\n", len);
+		prlog(PR_INFO, "STB: %s sw-payload-hash calculated\n", name);
+
+		if (memcmp(payload_hash, digest, TPM_ALG_SHA256_SIZE) != 0) {
+			prlog(PR_ALERT, "STB: %s NOT MEASURED, "
+			      "sw-payload-hash doesn't match content\n", name);
+			prlog(PR_ALERT, "STB: %s sw-payload-hash:\n", name);
+			stb_print_data(payload_hash, TPM_ALG_SHA256_SIZE);
+			prlog(PR_ALERT, "STB: %s computed hash (on %lx bytes):\n",
+			      name, len);
 			stb_print_data(digest, TPM_ALG_SHA256_SIZE);
 			return -1;
 		}
 	} else {
 		c1vc->sha512((void*) c1vc->sha512_addr, buf, len, digest);
-		prlog(PR_INFO, "STB: %s sha512 hash calculated\n", name);
+		prlog(PR_INFO, "STB: %s hash calculated\n", name);
 	}
 
 #ifdef STB_DEBUG
-	/* print the payload/image hash */
-	prlog(PR_NOTICE, "STB: %s hash:\n", resource_map[r].name);
 	stb_print_data(digest, TPM_ALG_SHA256_SIZE);
 #endif
 	/*
-	 * Measure the resource. Since the ROM code doesn't provide a sha1 hash
-	 * algorithm, the sha512 hash is truncated to match the size required
-	 * by each PCR bank.
+	 * Measure the resource to the same PCR number in both sha256 and sha1
+	 * PCR banks. The sha512 hash provided is truncated accordingly.
 	 */
 	return tpm_extendl(pcr,
 			   TPM_ALG_SHA256, digest, TPM_ALG_SHA256_SIZE,
@@ -405,11 +395,8 @@ int sb_verify(enum resource_id id, void *buf, size_t len)
 	const char *name;
 	int rc = -1;
 
-	if (!secure_mode) {
-		prlog(PR_INFO, "STB: %s skipped resource %d, "
-		      "secure_mode=0\n", __func__, id);
-		return STB_SECURE_MODE_DISABLED;
-	}
+	if (!secure_mode)
+		return 1;
 
 	name = flash_map_resource_name(id);
 	if (!name) {
@@ -417,9 +404,12 @@ int sb_verify(enum resource_id id, void *buf, size_t len)
 		      "resource_id=%d unknown\n", id);
 		sb_enforce();
 	}
-	if (!buf || len < SECURE_BOOT_HEADERS_SIZE) {
-		prlog(PR_EMERG, "STB: %s arg error: id %d, buf %p, len %zd\n",
-		      __func__, id, buf, len);
+	if (!buf) {
+		prlog(PR_EMERG, "STB: %s NOT VERIFIED, it's null\n", name);
+		sb_enforce();
+	}
+	if (len < SECURE_BOOT_HEADERS_SIZE) {
+		prlog(PR_EMERG, "STB: %s NOT VERIFIED, it's too small\n", name);
 		sb_enforce();
 	}
 	if (!stb_is_container(buf, len)) {
-- 
2.7.4

