[Skiboot] [PATCH v2 20/20] doc: update libstb documentation with POWER9 changes

Claudio Carvalho cclaudio at linux.vnet.ibm.com
Sat Dec 9 15:52:34 AEDT 2017


POWER9 changes reflected in the libstb:
- bumped ibm,secureboot node to v2
- added ibm,cvc node
- hash-algo superseded by hw-key-hash-size

Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
---
 doc/device-tree/ibm,secureboot.rst |  59 ++++----
 doc/device-tree/tpm.rst            |   6 +-
 doc/stb.rst                        | 298 ++++++++++++++++++-------------------
 3 files changed, 181 insertions(+), 182 deletions(-)

diff --git a/doc/device-tree/ibm,secureboot.rst b/doc/device-tree/ibm,secureboot.rst
index 948c7e0..42c4ed7 100644
--- a/doc/device-tree/ibm,secureboot.rst
+++ b/doc/device-tree/ibm,secureboot.rst
@@ -3,56 +3,57 @@
 ibm,secureboot
 ==============
 
-Secure boot and trusted boot relies on a code stored in the secure ROM at
-manufacture time to verify and measure other codes before they are executed.
-This ROM code is also referred to as ROM verification code.
+The ``ìbm,secureboot`` node provides secure boot and trusted boot information
+up to the target OS. Further information can be found in :ref:`stb-overview`.
 
-On POWER8, the presence of the ROM code is announced to skiboot (by Hostboot)
-by the ``ibm,secureboot`` device tree node.
+Required properties
+-------------------
 
-If the system is booting up in secure mode, the ROM code is called for secure
-boot to verify the integrity and authenticity of an image before it is executed.
+.. code-block:: none
 
-If the system is booting up in trusted mode, the ROM code is called for trusted
-boot to calculate the SHA512 hash of an image only if the image is not a secure boot
-container or the system is not booting up in secure mode.
+    compatible:         Either one of the following values:
 
-For further information about secure boot and trusted boot please refer to
-:ref:`stb-overview`.
+                        ibm,secureboot-v1  :  The container-verification-code
+                                              is stored in a secure ROM memory.
 
+                        ibm,secureboot-v2  :  The container-verification-code
+                                              is stored in a reserved memory.
+                                              It described by the ibm,cvc child
+                                              node.
 
-Required properties
--------------------
+    secure-enabled:     this property exists when the firmware stack is booting
+                        in secure mode (hardware secure boot jumper asserted).
 
-.. code-block:: none
+    trusted-enabled:    this property exists when the firmware stack is booting
+                        in trusted mode.
 
-    compatible:         ibm,secureboot version. It is related to the ROM code version.
-                
-    hash-algo:          hash algorithm used for the hw-key-hash. Aspects such as the size
-                        of the hw-key-hash can be infered from this property.
+    hw-key-hash:        hash of the three hardware public keys trusted by the
+                        platformw owner. This is used to verify if a firmware
+                        code is signed with trusted keys.
 
-    secure-enabled:     this property exists if the system is booting in secure mode.
+    hw-key-hash-size:   hw-key-hash size
 
-    trusted-enabled:    this property exists if the system is booting in trusted mode.
 
-    hw-key-hash:        hash of three concatenated hardware public key. This is required
-                        by the ROM code to verify images.
+Obsolete properties
+-------------------
+
+.. code-block:: none
+
+    hash-algo:          Superseded by the hw-key-hash-size property in
+                        'ibm,secureboot-v2'.
 
 Example
 -------
 
-For the first version ``ibm,secureboot-v1``, the ROM code expects the *hw-key-hash*
-to be a SHA512 hash.
-
 .. code-block:: dts
 
     ibm,secureboot {
-        compatible = "ibm,secureboot-v1";
-        hash-algo = "sha512";
+        compatible = "ibm,secureboot-v2";
         secure-enabled;
         trusted-enabled;
+        hw-key-hash-size = <0x40>;
         hw-key-hash = <0x40d487ff 0x7380ed6a 0xd54775d5 0x795fea0d 0xe2f541fe
-                       0xa9db06b8 0x466a42a3 0x20e65f75 0xb4866546 0x17d907
+                       0xa9db06b8 0x466a42a3 0x20e65f75 0xb4866546 0x0017d907
                        0x515dc2a5 0xf9fc5095 0x4d6ee0c9 0xb67d219d 0xfb708535
                        0x1d01d6d1>;
         phandle = <0x100000fd>;
diff --git a/doc/device-tree/tpm.rst b/doc/device-tree/tpm.rst
index d4e7667..a8e67bc 100644
--- a/doc/device-tree/tpm.rst
+++ b/doc/device-tree/tpm.rst
@@ -9,12 +9,12 @@ event log information.
 Required properties
 -------------------
 
-All these properties are added by hostboot and consumed by skiboot and the
-linux kernel (tpm and vtpm codes)
+All these properties are consumed by skiboot and the linux kernel (tpm and
+vtpm codes)
 
 ::
 
-    compatible :       manufacturer,model
+    compatible :       should have "nuvoton,npct650"
 
     linux,sml-base:    64-bit base address of the reserved memory allocated for firmware event log.
                        sml stands for shared memory log.
diff --git a/doc/stb.rst b/doc/stb.rst
index 2004af8..078c0f2 100644
--- a/doc/stb.rst
+++ b/doc/stb.rst
@@ -1,42 +1,156 @@
 .. _stb-overview:
 
-================================
-Secure and Trusted Boot Overview
-================================
-
-Just as a quick reference::
-
-  Secure boot:  verify and enforce.
-  Trusted boot: measure and record.
-
-Secure boot seeks to protect system integrity from execution of malicious
-code during boot. The authenticity and integrity of every code is verified
-by its predecessor code before it is executed. If the verification fails, the
-boot process is aborted.
-
-Trusted boot does not perform enforcement. Instead it creates artifacts during
-system boot to prove that a particular chain of events have happened during
-boot. Interested parties can subsequently assess the artifacts to check whether
-or not only trusted events happened and then make security decisions. These
-artifacts comprise a log of measurements and the digests extended into the TPM PCRs.
-Platform Configuration Registers (PCRs) are registers in the Trusted Platform
-Module (TPM) that are shielded from direct access by the CPU.
-
-Trusted boot measures and maintains in an Event Log a record of all boot
-events that may affect the security state of the platform. A measurement is
-calculated by hashing the data of a given event. When a new measurement is
-added to the Event Log, the same measurement is also sent to the TPM, which
-performs an extend operation to incrementally update the existing digest stored
-in a PCR.
-
-PCR extend is an operation that uses a hash function to combine a new
+Secure and Trusted Boot Library (LibSTB) Documentation
+======================================================
+
+*LibSTB* provides APIs to support Secure Boot and Trusted Boot in skiboot.
+
+``Secure Boot: verify and enforce.``
+        When the system is booting in secure mode, Secure Boot MUST ensure that
+        only trusted code is executed during system boot by verifying if the
+        code is signed with trusted keys and halting the system boot if the
+        verification fails.
+
+``Trusted Boot: measure and record.``
+        When the system is booting in trusted mode, Trusted Boot MUST create
+        artifacts during system boot to prove that a particular chain of events
+        have happened during boot. Interested parties can subsequently assess
+        the artifacts to check whether or not only trusted events happened and
+        then make security decisions. These artifacts comprise a log of
+        measurements and the digests extended into the TPM PCRs. Platform
+        Configuration Registers (PCRs) are registers in the Trusted Platform
+        Module (TPM) that are shielded from direct access by the CPU.
+
+In order to support Secure and Trusted Boot, the flash driver calls libSTB to
+verify and measure the code it fetches from PNOR.
+
+LibSTB is initialized by calling *stb_init()*, see ``libstb/stb.h``.
+
+Secure Boot
+-----------
+
+``Requirements:``
+        #. CVC-verify service to verify signed firmware code.
+
+Secure boot is initialized by calling *secureboot_init()* and its API is quite
+simple, see ``libstb/secureboot.h``.
+
+The flash driver calls ``secureboot_verify()`` to verify if the fetched firmware
+blob is properly signed with keys trusted by the platform owner. This
+verification is performed only when the system is booting in secure mode. If
+the verification fails, it enforces a halt of the system boot.
+
+The verification itself is performed by the :ref:`container-verification-code`,
+precisely the *CVC-verify* service, which requires both the fetched code and the
+hardware key hash trusted by the platform owner.
+
+The secure mode status, hardware key hash and hardware key hash size
+information is found in the device tree, see
+:ref:`doc/device-tree/ibm,secureboot.rst <device-tree/ibm,secureboot>`.
+
+Signing Firmware Code
+^^^^^^^^^^^^^^^^^^^^^
+
+Fimware code is signed using the ``sb-signing-utils`` utilities by running it
+standalone or just calling op-build. The latter will automatically sign the
+various firmware components that comprise the PNOR image if SECUREBOOT is
+enabled for the platform.
+
+The signing utilities also allow signing firmware code using published hardware
+keys (a.k.a. imprint keys, only for development) or production hardware keys,
+see `sb-signing-utils`_.
+
+The hardware keys are the root keys. The signing tool uses three hardware keys
+to sign up to three firmware keys, which are then used to sign the firmware
+code. The resulting signed firmware code is then assembled following the secure
+boot container format. All the information required to verify the signatures is
+placed in the first 4K reserved for the container header (e.g.  public keys,
+hashes and signatures). The firmware code itself is placed in the container
+payload.
+
+.. _sb-signing-utils: https://github.com/open-power/sb-signing-utils
+
+.. _container-verification-code:
+
+Container Verification Code
+---------------------------
+
+The *Container Verification Code* (a.k.a. ROM code) is stored in a secure
+memory region and it provides basic Secure and Trusted Boot services for the
+entire firmware stack. See `doc/device-tree/ibm,secureboot.rst
+<device-tree/ibm,secureboot>` and `doc/device-tree/ibm,cvc.rst
+<device-tree/ibm,cvc>`.
+
+LibSTB uses function wrappers to call into each CVC service, see
+``libstb/cvc.h``.
+
+CVC-verify Service
+^^^^^^^^^^^^^^^^^^
+
+.. code-block:: c
+
+        int call_cvc_verify(void *buf, size_t size, const void *hw_key_hash,
+                            size_t hw_key_hash_size, uint64_t *log)
+
+This function wrapper calls into the *CVC-verify*, which verifies if the
+firmware code provided in ``@buf`` is properly signed with the keys trusted by
+the platform owner. Its parameters are documented in ``libstb/cvc.h``.
+
+``@hw_key_hash`` is used to check if the firware keys used to sign
+the firmware blob can be trusted.
+
+``@log`` is optional. If the verification fails, the caller can interpret
+it to find out what checks has failed.
+
+Enforcement is caller's responsibility.
+
+CVC-sha512 Service
+^^^^^^^^^^^^^^^^^^
+
+.. code-block:: c
+
+        int call_cvc_sha512(const uint8_t *data, size_t data_len, uint8_t *digest,
+                            size_t digest_size)
+
+This function wrapper calls into the *CVC-sha512*, which calculates the
+sha512 hash of what is provided in @data. Its parameters are documented in
+``libstb/cvc.h``.
+
+Trusted Boot
+------------
+
+``Requirements:``
+        #. TPM device and TPM driver. See devices supported in
+           :ref:`doc/device-tree/tpm.rst <device-tree/tpm>`.
+        #. TCG Software Stack (TSS) to send commands to the TPM device.
+        #. Firmware Event Log driver to add new events to the log. Event log
+           address and size information is found in the device tree, see
+           :ref:`doc/device-tree/tpm.rst <device-tree/tpm>`.
+        #. CVC-sha512 service to calculate the sha512 hash of the data that
+           will be measured.
+
+The Trusted Boot API is quite simple, see ``libstb/trustedboot.h``.
+
+The flash driver calls ``trustedboot_measure()`` to measure the firmware code
+fetched from PNOR and also record its measurement in two places. This is
+performed only when the system is booting in trusted mode (information found in
+the device tree, see :ref:`doc/device-tree/ibm,secureboot.rst <device-tree/ibm,secureboot>`).
+
+Once the firmware code is measured by calling the *CVC-sha512* service, its
+measurement is first recorded in a TPM PCR statically defined for each event.
+In order to record it, the skiboot TCG Software Stack (TSS) API is called to
+extend the measurement into the PCR number of both the sha1 and sha256 banks.
+The skiboot TSS is a light TSS implementation and its source code is shared
+between hostboot and skiboot, see ``libstb/tss/trustedbootCmds.H``.
+
+PCR extend is an TPM operation that uses a hash function to combine a new
 measurement with the existing digest saved in the PCR. Basically, it
 concatenates the existing PCR value with the received measurement, and then
-stores the hash of this string in the PCR.
+records the hash of this new string in the PCR.
 
-The TPM may maintain multiple banks of PCRs, where a PCR bank is a collection of
-PCRs that are extended with the same hash algorithm. TPM 2.0 has a SHA1 bank
-and a SHA256 bank with 24 PCRs each.
+The measurement is also recorded in the event log. The ``TpmLogMgr_addEvent()``
+function is called to add the measurement to the log, see
+``libstb/tss/tpmLogMgr.H``.
 
 When the system boot is complete, each non-zero PCR value represents one or more
 events measured during the boot in chronological order. Interested parties
@@ -44,119 +158,3 @@ can make inferences about the system's state by using an attestation tool to
 remotely compare the PCR values of a TPM against known good values, and also
 identify unexpected events by replaying the Event Log against known good Event
 Log entries.
-
-
-Implementation in skiboot
--------------------------
-
-Libstb implements an API for secure and trusted boot, which is used to verify
-and measure images retrieved from PNOR. The libstb interface is documented
-in ``libstb/stb.h``
-
-The example below shows how libstb can be used to add secure and trusted
-boot support for a platform:
-
-::
-
-    stb_init();
-        start_preload_resource(RESOURCE_ID_CAPP, 0, capp_ucode_info.lid, &capp_ucode_info.size);
-            sb_verify(id, buf, len);
-            tb_measure(id, buf, len);
-        start_preload_resource(RESOURCE_ID_KERNEL, 0, KERNEL_LOAD_BASE, &kernel_size);
-            sb_verify(id, buf, len);
-            tb_measure(id, buf, len);
-    stb_final();
-
-First, ``stb_init()`` must be called to initialize libstb. Basically, it reads both
-secure mode and trusted mode flags and loads drivers accordingly. In P8, secure
-mode and trusted mode are read from the *ibm,secureboot* device tree node (see
-:ref:`device-tree/ibm,secureboot`).
-
-If either secure mode or trusted mode is on, ``stb_init()`` loads a driver (romcode
-driver) to access the verification and SHA512 functions provided by the code
-stored in the secure ROM at manufacture time. Both secure boot and trusted boot
-depends on the romcode driver to access the ROM code. If trusted mode is on,
-``stb_init()`` loads a TPM device driver compatible with the tpm device tree node
-and also initializes the existing event log in skiboot. For device tree bindings
-for the TPM, see :ref:`device-tree/tpm`.
-
-Once libstb is initialized in the platform, ``sb_verify()`` and ``tb_measure()`` can
-used as shown in the example above to respectively verify and measure images
-retrieved from PNOR. If a platform claims secure and trusted boot support, then
-``sb_verify()`` and ``tb_measure()`` is called for all images retrieved from PNOR. 
-
-``sb_verify()`` and ``tb_measure()`` do nothing if libstb is not initialized in the
-platform since both secure mode and trusted mode are off by default.
-
-Finally, ``stb_final()`` must be called when no more images need to be retrieved
-from PNOR in order to indicate that secure boot and trusted boot have completed
-in skiboot. When stb_final() is called, basically it records eight *EV_SEPARATOR*
-events in the event log (one for each PCR through 0 to 7) and extends the PCR
-through 0 to 7 of both SHA1 and SHA256 PCR banks with the digest of *0xFFFFFFFF*.
-Additionally, ``stb_final()`` also frees resources allocated for secure boot and
-trusted boot.
-
-
-Verifying an image
-~~~~~~~~~~~~~~~~~~
-
-If secure mode is on, ``sb_verify()`` verifies the integrity and authenticity of an
-image by calling the ``ROM_verify()`` function from the ROM code via romcode driver. In
-general terms, this verification will pass only if the following conditions are
-satisfied. Otherwise the boot process is aborted.
-
-1. Secure boot header is properly built and attached to the image.  When
-   ``sb_verify()`` is called, the ROM code verifies all the secure boot header
-   fields, including the keys, hashes and signatures.  The secure boot header
-   and the image are also collectively referred to as secure boot container, or
-   just container. As the secure boot header is the container header and the
-   image is the container payload.
-
-2. The public hardware keys of the container header match with the hw-key-hash
-   read from the device tree. The way that secure boot is designed, this
-   assertion ensures that only images signed by the owner of the hw-key-hash
-   will pass the verification.  The hw-key-hash is a hash of three hardware
-   public keys stored in *SEEPROM* at manufacture time and written to the device
-   tree at boot time.
-
-
-Measuring an image
-~~~~~~~~~~~~~~~~~~
-
-``tb_measure()`` measures an image retrieved from PNOR if trusted mode is on, but
-only if the provided image is included in the *resource_map* whitelist. This
-whitelist defines for each expected image to what PCR the measurement must be
-recorded and extended. ``tb_measure()`` returns an error if the provided image is
-not included in the *resource_map* whitelist.
-
-For the sake of simplicity we say that ``tb_measure()`` measures an image, but
-calculating the digest of a given image is just one of the steps performed by
-``tb_measure()``.
-
-Steps performed by ``tb_measure()`` if trusted mode is on:
-
-1. Measure the provided image for each PCR bank: SHA1 and SHA256. If secure
-   mode is on and the image is a container, parse the container header to get
-   the SHA512 hash of the container payload (*sw-payload-hash* field). Otherwise,
-   call the ROM code via romcode driver to calculate the SHA512 hash of the
-   image at boot time. In both cases, the SHA512 hash is truncated to match the
-   size required by each PCR bank: SHA1 bank PCRs are 20 bytes and SHA256 bank
-   PCRs are 32 bytes.
-
-2. Record a new event in the event log for the mapped PCR. Call the tpmLogMgr
-   API to generate a new event and record it in the event log. The new event is
-   generated for the mapped PCR and it also contains a digest list with both
-   SHA1 and SHA256 measurements obtained in step 1.
-
-3. Extend the measurements into the mapped PCR. Call the TCG Software Stack
-   (TSS) API to extend both measurements obtained in step 1 into the mapped PCR
-   number. The SHA1 measurement is extended to the SHA1 PCR bank and the SHA256
-   measurement is extended to the SHA256 PCR bank. However, they are extended
-   to the same PCR number on each bank.
-   Since this TSS implementation supports multibank, it does the marshalling of
-   both SHA1 and SHA256 measurements into a single TPM extend command and then
-   it sends the command to the TPM device via TPM device driver.
-
-Both TSS and tpmLogMgr APIs are implemented by hostboot, but their source code
-are added to skiboot. The TSS and tpmLogMgr interfaces are defined in
-``libstb/tss/trustedbootCmds.H`` and ``libstb/tss/tpmLogMgr.H``, respectively.
-- 
2.7.4



More information about the Skiboot mailing list