[Skiboot] [PATCH v2 07/20] libstb/cvc.c: import softrom behavior from drivers/sw_driver.c
Claudio Carvalho
cclaudio at linux.vnet.ibm.com
Sat Dec 9 15:52:21 AEDT 2017
Softrom is used only for testing with mambo. By setting
compatible="ibm,secureboot-v1-softrom" in the "ibm,secureboot" node,
firmware images can be properly measured even if the
Container-Verification-Code (CVC) is not available. In this case, the
mbedtls_sha512() function is used to calculate the sha512 hash of the
firmware images.
This imports the softrom behavior from libstb/drivers/sw_driver.c code
into cvc.c, but now softrom is implemented as a flag. When the flag is
set, the wrappers for the CVC services work the same way as in
sw_driver.c.
Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
---
libstb/cvc.c | 16 ++++++++++++++++
libstb/secureboot.c | 5 ++++-
libstb/secureboot.h | 1 +
3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/libstb/cvc.c b/libstb/cvc.c
index b0f5cd3..fd1f607 100644
--- a/libstb/cvc.c
+++ b/libstb/cvc.c
@@ -26,6 +26,7 @@
#include <inttypes.h>
#include "secureboot.h"
#include "cvc.h"
+#include "mbedtls/sha512.h"
/*
* Assembly interfaces to call into the Container Verification Code.
@@ -43,6 +44,7 @@ struct container_verification_code {
};
static struct container_verification_code *cvc = NULL;
+static bool softrom = false;
static void *secure_rom_mem = NULL;
struct cvc_service {
@@ -194,6 +196,8 @@ int cvc_init(void)
if (version == IBM_SECUREBOOT_V1 &&
proc_gen == proc_gen_p8) {
rc = cvc_secure_rom_init();
+ } else if (version == IBM_SECUREBOOT_SOFTROM) {
+ softrom = true;
} else {
prlog(PR_ERR, "%s FAILED. /ibm,secureboot not supported\n",
__func__);
@@ -214,6 +218,15 @@ int call_cvc_sha512(const uint8_t *data, size_t data_len, uint8_t *digest,
return OPAL_SUCCESS;
memset(digest, 0, SHA512_DIGEST_LENGTH);
+ if (softrom) {
+ mbedtls_sha512_context ctx;
+ mbedtls_sha512_init(&ctx);
+ mbedtls_sha512_starts(&ctx, 0); // SHA512 = 0
+ mbedtls_sha512_update(&ctx, data, data_len);
+ mbedtls_sha512_finish(&ctx, digest);
+ mbedtls_sha512_free(&ctx);
+ return OPAL_SUCCESS;
+ }
service = cvc_find_service(CVC_SHA512_SERVICE);
@@ -239,6 +252,9 @@ int call_cvc_verify(void *container, size_t len, const void *hw_key_hash,
!hw_key_hash || hw_key_hash_size <= 0)
return OPAL_PARAMETER;
+ if (softrom)
+ return OPAL_UNSUPPORTED;
+
service = cvc_find_service(CVC_VERIFY_SERVICE);
if (!service)
diff --git a/libstb/secureboot.c b/libstb/secureboot.c
index 2787951..953b123 100644
--- a/libstb/secureboot.c
+++ b/libstb/secureboot.c
@@ -34,6 +34,7 @@ static struct {
const char *compat;
} secureboot_map[] = {
{ IBM_SECUREBOOT_V1, "ibm,secureboot-v1" },
+ { IBM_SECUREBOOT_SOFTROM, "ibm,secureboot-v1-softrom" },
};
static void secureboot_enforce(void)
@@ -112,7 +113,9 @@ void secureboot_init(void)
if (!secure_mode)
return;
- if (version == IBM_SECUREBOOT_V1) {
+ if (version == IBM_SECUREBOOT_V1 ||
+ version == IBM_SECUREBOOT_SOFTROM) {
+
hash_algo = dt_prop_get(node, "hash-algo");
if (strcmp(hash_algo, "sha512")) {
/**
diff --git a/libstb/secureboot.h b/libstb/secureboot.h
index ea97ed7..8506ea0 100644
--- a/libstb/secureboot.h
+++ b/libstb/secureboot.h
@@ -24,6 +24,7 @@
enum secureboot_version {
IBM_SECUREBOOT_V1,
+ IBM_SECUREBOOT_SOFTROM,
};
bool secureboot_is_compatible(struct dt_node *node, int *version, const char **compat);
--
2.7.4
More information about the Skiboot
mailing list