[Skiboot] [PATCH v2 03/14] libstb/stb.c: change sb_verify() to use flash_lookup_resource_name()

Claudio Carvalho cclaudio at linux.vnet.ibm.com
Thu Aug 31 17:24:34 AEST 2017


Secureboot verifies only containers stored in known partitions. With the
flash_lookup_resource_name() function, the PNOR partition information
doesn't need to be duplicated in libstb for secureboot.

This replaces stb_resource_lookup() by flash_lookup_resource_name()
in sb_verify().

Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
---
 libstb/stb.c | 23 ++++++++---------------
 1 file changed, 8 insertions(+), 15 deletions(-)

diff --git a/libstb/stb.c b/libstb/stb.c
index 41e6505..949f81c 100644
--- a/libstb/stb.c
+++ b/libstb/stb.c
@@ -275,27 +275,20 @@ int tb_measure(enum resource_id id, void *buf, size_t len)
 
 int sb_verify(enum resource_id id, void *buf, size_t len)
 {
-	int r;
-	const char *name = NULL;
+	const char *name;
 
 	if (!secure_mode) {
 		prlog(PR_INFO, "STB: %s skipped resource %d, "
 		      "secure_mode=0\n", __func__, id);
 		return STB_SECURE_MODE_DISABLED;
 	}
-	r = stb_resource_lookup(id);
-	if (r == -1)
-		/**
-		 * @fwts-label STBVerifyResourceNotMapped
-		 * @fwts-advice Unregistered resources can be verified, but not
-		 * measured. The resource should be registered in the
-		 * resource_map[] array, otherwise the resource cannot be
-		 * measured if trusted mode is on.
-		 */
-		prlog(PR_WARNING, "STB: verifying the non-expected "
-		      "resource %d\n", id);
-	else
-		name = resource_map[r].name;
+
+	name = flash_map_resource_name(id);
+	if (!name) {
+		prlog(PR_EMERG, "STB: container NOT VERIFIED, "
+		      "resource_id=%d unknown\n", id);
+		sb_enforce();
+	}
 	if (!rom_driver || !rom_driver->verify) {
 		prlog(PR_EMERG, "STB: secure boot not initialized\n");
 		sb_enforce();
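Review bot: The new `if (!name)` branch has no `return` after `sb_enforce()`, so rejecting an unknown resource_id depends entirely on sb_enforce() never returning; its definition is not in this hunk. If it can return, execution falls through to the rom_driver check and the rest of sb_verify() (which continues outside the hunk) with `name` NULL, and the container could still be treated as handled. I would either add an explicit error return after the call or document the assumption with `/* sb_enforce() does not return */`. Separately, the subject and description name flash_lookup_resource_name() while the code calls `flash_map_resource_name(id)`; one of the two should be corrected before merge.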
-- 
2.7.4


