[Skiboot] [PATCH v2 07/20] libstb/cvc.c: import softrom behavior from drivers/sw_driver.c

Claudio Carvalho cclaudio at linux.vnet.ibm.com
Sat Dec 9 15:52:21 AEDT 2017


Softrom is used only for testing with mambo. By setting
compatible="ibm,secureboot-v1-softrom" in the "ibm,secureboot" node,
firmware images can be properly measured even if the
Container-Verification-Code (CVC) is not available. In this case, the
mbedtls_sha512() function is used to calculate the sha512 hash of the
firmware images.

This imports the softrom behavior from libstb/drivers/sw_driver.c code
into cvc.c, but now softrom is implemented as a flag. When the flag is
set, the wrappers for the CVC services work the same way as in
sw_driver.c.

Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
---
 libstb/cvc.c        | 16 ++++++++++++++++
 libstb/secureboot.c |  5 ++++-
 libstb/secureboot.h |  1 +
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/libstb/cvc.c b/libstb/cvc.c
index b0f5cd3..fd1f607 100644
--- a/libstb/cvc.c
+++ b/libstb/cvc.c
@@ -26,6 +26,7 @@
 #include <inttypes.h>
 #include "secureboot.h"
 #include "cvc.h"
+#include "mbedtls/sha512.h"
 
 /*
  * Assembly interfaces to call into the Container Verification Code.
@@ -43,6 +44,7 @@ struct container_verification_code {
 };
 
 static struct container_verification_code *cvc = NULL;
+static bool softrom = false;
 static void *secure_rom_mem = NULL;
 
 struct cvc_service {
@@ -194,6 +196,8 @@ int cvc_init(void)
 	if (version == IBM_SECUREBOOT_V1 &&
 	    proc_gen == proc_gen_p8) {
 		rc = cvc_secure_rom_init();
+	} else if (version == IBM_SECUREBOOT_SOFTROM) {
+		softrom = true;
 	} else {
 		prlog(PR_ERR, "%s FAILED. /ibm,secureboot not supported\n",
 		      __func__);
@@ -214,6 +218,15 @@ int call_cvc_sha512(const uint8_t *data, size_t data_len, uint8_t *digest,
 		return OPAL_SUCCESS;
 
 	memset(digest, 0, SHA512_DIGEST_LENGTH);
+	if (softrom) {
+		mbedtls_sha512_context ctx;
+		mbedtls_sha512_init(&ctx);
+		mbedtls_sha512_starts(&ctx, 0); // SHA512 = 0
+		mbedtls_sha512_update(&ctx, data, data_len);
+		mbedtls_sha512_finish(&ctx, digest);
+		mbedtls_sha512_free(&ctx);
+		return OPAL_SUCCESS;
+	}
 
 	service = cvc_find_service(CVC_SHA512_SERVICE);
 
@@ -239,6 +252,9 @@ int call_cvc_verify(void *container, size_t len, const void *hw_key_hash,
 	    !hw_key_hash || hw_key_hash_size <= 0)
 		return OPAL_PARAMETER;
 
+	if (softrom)
+		return OPAL_UNSUPPORTED;
+
 	service = cvc_find_service(CVC_VERIFY_SERVICE);
 
 	if (!service)
diff --git a/libstb/secureboot.c b/libstb/secureboot.c
index 2787951..953b123 100644
--- a/libstb/secureboot.c
+++ b/libstb/secureboot.c
@@ -34,6 +34,7 @@ static struct {
 	const char *compat;
 } secureboot_map[] = {
 	{ IBM_SECUREBOOT_V1, "ibm,secureboot-v1" },
+	{ IBM_SECUREBOOT_SOFTROM, "ibm,secureboot-v1-softrom" },
 };
 
 static void secureboot_enforce(void)
@@ -112,7 +113,9 @@ void secureboot_init(void)
 	if (!secure_mode)
 		return;
 
-	if (version == IBM_SECUREBOOT_V1) {
+	if (version == IBM_SECUREBOOT_V1 ||
+	    version == IBM_SECUREBOOT_SOFTROM) {
+
 		hash_algo = dt_prop_get(node, "hash-algo");
 		if (strcmp(hash_algo, "sha512")) {
 			/**
diff --git a/libstb/secureboot.h b/libstb/secureboot.h
index ea97ed7..8506ea0 100644
--- a/libstb/secureboot.h
+++ b/libstb/secureboot.h
@@ -24,6 +24,7 @@
 
 enum secureboot_version {
 	IBM_SECUREBOOT_V1,
+	IBM_SECUREBOOT_SOFTROM,
 };
 
 bool secureboot_is_compatible(struct dt_node *node, int *version, const char **compat);
-- 
2.7.4



More information about the Skiboot mailing list