[Skiboot] [PATCH 3/5] hdata/spira: add ibm,secureboot node
Claudio Carvalho
cclaudio at linux.vnet.ibm.com
Thu Aug 31 17:42:50 AEST 2017
This adds the ibm,secureboot node in P9 systems.
The information provided by the ibm,secureboot node is stored in the
iplparams_sysparams structure, however it is populated only when
hdif->version >= 0x60.
Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
---
hdata/spira.c | 32 ++++++++++++++++++++++++++++++++
hdata/spira.h | 15 +++++++++------
2 files changed, 41 insertions(+), 6 deletions(-)
diff --git a/hdata/spira.c b/hdata/spira.c
index 220ae9e..92da94b 100644
--- a/hdata/spira.c
+++ b/hdata/spira.c
@@ -24,6 +24,7 @@
#include <fsp-mdst-table.h>
#include <fsp-attn.h>
#include <fsp-leds.h>
+#include <libstb/container.h>
#include "hdata.h"
#include "hostservices.h"
@@ -849,6 +850,34 @@ static void add_nmmu(void)
}
}
+static void dt_init_secureboot_node(const struct iplparams_sysparams *sysparams)
+{
+ struct dt_node *node;
+ u16 sys_sec_setting;
+ u16 hw_key_hash_size;
+
+ node = dt_new(dt_root, "ibm,secureboot");
+ assert(node);
+
+ dt_add_property_string(node, "compatible", "ibm,secureboot-v2");
+
+ sys_sec_setting = be16_to_cpu(sysparams->sys_sec_setting);
+ if (sys_sec_setting & SEC_CONTAINER_SIG_CHECKING)
+ dt_add_property(node, "secure-enabled", NULL, 0);
+ if (sys_sec_setting & SEC_HASHES_EXTENDED_TO_TPM)
+ dt_add_property(node, "trusted-enabled", NULL, 0);
+
+ hw_key_hash_size = be16_to_cpu(sysparams->hw_key_hash_size);
+ dt_add_property_cells(node, "hw-key-hash-size", hw_key_hash_size);
+ if (hw_key_hash_size)
+ dt_add_property(node, "hw-key-hash", sysparams->hw_key_hash,
+ hw_key_hash_size);
+
+ if (be16_to_cpu(sysparams->sys_attributes) & SYS_ATTR_MULTIPLE_TPM)
+ prlog(PR_WARNING, "Multiple TPM set, but not supported\n");
+}
+
+
static void add_iplparams_sys_params(const void *iplp, struct dt_node *node)
{
const struct iplparams_sysparams *p;
@@ -935,6 +964,9 @@ static void add_iplparams_sys_params(const void *iplp, struct dt_node *node)
sys_attributes = be32_to_cpu(p->sys_attributes);
if (sys_attributes & SYS_ATTR_RISK_LEVEL)
dt_add_property(node, "elevated-risk-level", NULL, 0);
+
+ if (version >= 0x60)
+ dt_init_secureboot_node(p);
}
static void add_iplparams_ipl_params(const void *iplp, struct dt_node *node)
diff --git a/hdata/spira.h b/hdata/spira.h
index 78ff33d..0056887 100644
--- a/hdata/spira.h
+++ b/hdata/spira.h
@@ -355,6 +355,7 @@ struct iplparams_sysparams {
__be32 abc_bus_speed;
__be32 wxyz_bus_speed;
__be32 sys_eco_mode;
+#define SYS_ATTR_MULTIPLE_TPM PPC_BIT32(0)
#define SYS_ATTR_RISK_LEVEL PPC_BIT32(3)
__be32 sys_attributes;
__be32 mem_scrubbing;
@@ -369,12 +370,14 @@ struct iplparams_sysparams {
uint8_t split_core_mode; /* >= 0x5c */
uint8_t reserved[3];
uint8_t sys_vendor[64]; /* >= 0x5f */
- /* >= 0x60 */
- __be16 sys_sec_setting;
- __be16 tpm_config_bit;
- __be16 tpm_drawer;
- __be16 reserved2;
- uint8_t hw_key_hash[64];
+#define SEC_CONTAINER_SIG_CHECKING PPC_BIT16(0)
+#define SEC_HASHES_EXTENDED_TO_TPM PPC_BIT16(1)
+ __be16 sys_sec_setting; /* >= 0x60 */
+#define TPM_CONFIG_TPM_REQUIRED PPC_BIT16(0)
+ __be16 tpm_config_bit; /* >= 0x60 */
+ __be16 tpm_drawer; /* >= 0x60 */
+ __be16 hw_key_hash_size; /* >= 0x60 */
+ uint8_t hw_key_hash[64]; /* >= 0x60 */
uint8_t sys_family_str[64]; /* vendor,name */
uint8_t sys_type_str[64]; /* vendor,type */
} __packed;
--
2.7.4
More information about the Skiboot
mailing list