[Skiboot] [PATCH v2 18/20] libstb: add support for ibm, secureboot-v2
Claudio Carvalho
cclaudio at linux.vnet.ibm.com
Sat Dec 9 15:52:32 AEDT 2017
ibm,secureboot-v2 changes:
- The Container Verification Code is represented by the ibm,cvc node.
- Each ibm,cvc child describes a CVC service.
- hash-algo is superseded by hw-key-hash-size.
Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
---
libstb/cvc.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++
libstb/secureboot.c | 16 ++++++++++++++++
libstb/secureboot.h | 1 +
3 files changed, 71 insertions(+)
diff --git a/libstb/cvc.c b/libstb/cvc.c
index fd1f607..4faeb96 100644
--- a/libstb/cvc.c
+++ b/libstb/cvc.c
@@ -134,6 +134,58 @@ static void cvc_service_register(uint32_t id, uint32_t offset, uint32_t version)
name, service->addr, service->version);
}
+static int cvc_reserved_mem_init(struct dt_node *parent) {
+ struct dt_node *node, *service;
+ struct dt_node *reserved_mem;
+ struct dt_node *cvc_resv_mem = NULL;
+ uint32_t phandle;
+ uint64_t addr, size;
+
+ reserved_mem = dt_find_by_path(dt_root, "/ibm,hostboot/reserved-memory");
+ if (!reserved_mem) {
+ prlog(PR_ERR, "/ibm,hostboot/reserved-memory not found\n");
+ return -1;
+ }
+
+ /*
+ * The container verification code is stored in a hostboot reserved
+ * memory which is pointed by the property
+ * /ibm,secureboot/ibm,container-verification-code/memory-region
+ */
+ dt_for_each_child(parent, node) {
+ if (dt_node_is_compatible(node, "ibm,container-verification-code")) {
+ phandle = dt_prop_get_u32(node, "memory-region");
+ cvc_resv_mem = dt_find_by_phandle(reserved_mem, phandle);
+ break;
+ }
+ }
+ if (!cvc_resv_mem) {
+ prlog(PR_ERR, "CVC not found in /ibm,hostboot/reserved-memory\n");
+ return -1;
+ }
+ addr = dt_get_address(cvc_resv_mem, 0, &size);
+ cvc_register(addr, addr + size-1);
+
+ /*
+ * Each child of the CVC node describes a CVC service
+ */
+ dt_for_each_child(node, service) {
+ uint32_t version, offset;
+
+ version = dt_prop_get_u32(service, "version");
+ offset = dt_prop_get_u32(service, "reg");
+
+ if (dt_node_is_compatible(service, "ibm,cvc-sha512"))
+ cvc_service_register(CVC_SHA512_SERVICE, offset, version);
+ else if (dt_node_is_compatible(service, "ibm,cvc-verify"))
+ cvc_service_register(CVC_VERIFY_SERVICE, offset, version);
+ else
+ prlog(PR_DEBUG, "unknown %s\n", service->name);
+ }
+
+ return 0;
+}
+
#define SECURE_ROM_MEMORY_SIZE (16 * 1024)
#define SECURE_ROM_XSCOM_ADDRESS 0x02020017
@@ -198,6 +250,8 @@ int cvc_init(void)
rc = cvc_secure_rom_init();
} else if (version == IBM_SECUREBOOT_SOFTROM) {
softrom = true;
+ } else if (version == IBM_SECUREBOOT_V2) {
+ rc = cvc_reserved_mem_init(node);
} else {
prlog(PR_ERR, "%s FAILED. /ibm,secureboot not supported\n",
__func__);
diff --git a/libstb/secureboot.c b/libstb/secureboot.c
index 953b123..f3a5db4 100644
--- a/libstb/secureboot.c
+++ b/libstb/secureboot.c
@@ -35,6 +35,7 @@ static struct {
} secureboot_map[] = {
{ IBM_SECUREBOOT_V1, "ibm,secureboot-v1" },
{ IBM_SECUREBOOT_SOFTROM, "ibm,secureboot-v1-softrom" },
+ { IBM_SECUREBOOT_V2, "ibm,secureboot-v2" },
};
static void secureboot_enforce(void)
@@ -130,6 +131,21 @@ void secureboot_init(void)
secureboot_enforce();
}
hw_key_hash_size = SHA512_DIGEST_LENGTH;
+
+ } else if (version == IBM_SECUREBOOT_V2) {
+
+ hw_key_hash_size = dt_prop_get_u32(node, "hw-key-hash-size");
+ if (hw_key_hash_size == 0) {
+ prlog(PR_EMERG, "hw-key-hash-size=%zd too short\n",
+ hw_key_hash_size);
+ secureboot_enforce();
+ }
+ if (hw_key_hash_size > SHA512_DIGEST_LENGTH) {
+ prlog(PR_EMERG, "hw-key-hash-size=%zd too big\n",
+ hw_key_hash_size);
+ secureboot_enforce();
+ }
+
} else {
prlog(PR_ERR, "%s FAILED. /ibm,secureboot not supported",
__func__);
diff --git a/libstb/secureboot.h b/libstb/secureboot.h
index 8506ea0..b1cb29b 100644
--- a/libstb/secureboot.h
+++ b/libstb/secureboot.h
@@ -25,6 +25,7 @@
enum secureboot_version {
IBM_SECUREBOOT_V1,
IBM_SECUREBOOT_SOFTROM,
+ IBM_SECUREBOOT_V2,
};
bool secureboot_is_compatible(struct dt_node *node, int *version, const char **compat);
--
2.7.4
More information about the Skiboot
mailing list