[Skiboot] [PATCH v2 00/20] libstb: add support for secure and trusted boot in P9

Claudio Carvalho cclaudio at linux.vnet.ibm.com
Sat Dec 9 16:40:15 AEDT 2017


Major changes in v2:

   - The Container Verification Code (CVC) and its services are no longer
     registered during the HDAT parsing, instead the ibm,cvc node is created
     for libstb to register them later in skiboot. Patches #17, #18, #19.

   - ibm,secureboot node is bumped to "ibm,secureboot-v2". Now the hash-algo
     property is superseded by the hw-key-hash-size and the CVC is represented
     by the ibm,cvc node. Patch #15.

   - (proc_gen >= proc_gen_p9) is always checked before reading the HDAT.
     Patches #15, #16.

   - Before reading any idata structure, first we check if the structure is
     really populated. Patches #16, #17.

   - libstb/{stb.c,stb.h} removed. Patch #14.

   - The CVC hostboot reserved memory is identified during the HDAT parsing by
     checking the DT for a reserved memory where
     (ibm,prd-label=ibm,secure-crypt-algo-code). Patch #17.

Roughly speaking, with the v2 every partition fetched from PNOR should be
properly verified and measured in both POWER8 and POWER9. It was tested on
*witherspoon* and *p9dsu*. Here are the STB messages printed in the OPAL log:

/ # grep STB /sys/firmware/opal/msglog 
[    2.418837830,5] STB: Found ibm,secureboot-v2
[    2.422842040,5] STB: secure mode on (FORCED by nvram)
[    2.425680374,6] STB: Found CVC @ 3ffd320000-3ffd32ffff
[    2.425681636,6] STB: Found CVC-sha512 @ 3ffd320040, version=1
[    2.425682890,6] STB: Found CVC-verify @ 3ffd320050, version=1
[    2.425685891,5] STB: trusted mode on
[    2.427116155,5] STB: Found tpm0,i2c_tpm_nuvoton evLogLen=2174 evLogSize=65536
[    3.037325656,6] STB: IMA_CATALOG verified
[    3.037483524,6] STB: IMA_CATALOG hash calculated
[    3.080420989,5] STB: IMA_CATALOG measured on pcr2 (tpm0, evType 0x5, evLogLen 2257)
[    3.221401794,6] STB: CAPP verified
[    3.221641991,6] STB: CAPP hash calculated
[    3.264593590,5] STB: CAPP measured on pcr2 (tpm0, evType 0x5, evLogLen 2333)
[    8.427545176,6] STB: BOOTKERNEL verified
[    8.459509213,6] STB: BOOTKERNEL hash calculated
[    8.502478342,5] STB: BOOTKERNEL measured on pcr4 (tpm0, evType 0x5, evLogLen 2415)
[    9.317683588,5] STB: EV_SEPARATOR measured on pcr0 (tpm0, evType 0x4, evLogLen 2491)
[    9.364162692,5] STB: EV_SEPARATOR measured on pcr1 (tpm0, evType 0x4, evLogLen 2567)
[    9.410932645,5] STB: EV_SEPARATOR measured on pcr2 (tpm0, evType 0x4, evLogLen 2643)
[    9.457221555,5] STB: EV_SEPARATOR measured on pcr3 (tpm0, evType 0x4, evLogLen 2719)
[    9.503811698,5] STB: EV_SEPARATOR measured on pcr4 (tpm0, evType 0x4, evLogLen 2795)
[   10.038662929,5] STB: EV_SEPARATOR measured on pcr5 (tpm0, evType 0x4, evLogLen 2871)
[   10.085016642,5] STB: EV_SEPARATOR measured on pcr6 (tpm0, evType 0x4, evLogLen 2947)
[   10.131638410,5] STB: EV_SEPARATOR measured on pcr7 (tpm0, evType 0x4, evLogLen 3023)


Changelog v1:
=============

In POWER9, skiboot is responsible to build the device tree from the HDAT,
including the entries related to secure and trusted boot.

Secure and Trusted Boot changes compared to POWER8:

    - The Container-Verification-Code (CVC), a.k.a. ROM code, is no longer
      stored in a secure ROM with static address and offsets. In POWER9, it is
      stored in a hostboot reserved memory and each CVC service provided has
      a version, not only an offset.

    - The hash-algo property is not provided via HDAT, instead it provides
      the hw-key-hash-size, which is indeed the information required by the
      CVC to verify signed firmware code.

Since skiboot is the only consumer for the Container-Verification-Code, this
patch series doesn't export the CVC services (version and offset) to the device
tree. Instead, they are consumed only in skiboot.

Activities performed in this patch series:

    - do some libstb code refactoring in order to support CVC initialization
      during HDAT parsing and also later on when the libstb is initialized.

    - build the STB device tree entries from HDAT.

    - update the skiboot TCG Software Stack (TSS).

    - extend and update the libstb documentation with POWER9 changes.

Roughly speaking, with this patch series every partition fetched from PNOR
should be properly verified and measured in both POWER8 and POWER9. It was
tested on witherspoon. Here are the STB messages printed in the OPAL log:

$> grep STB /sys/firmware/opal/msglog
[  115.507742723,6] STB: CVC-sha512 service found @0xffd330040
[  115.507747366,6] STB: CVC-verify service found @0xffd330050
[    4.329796596,5] STB: Found ibm,secureboot-v1
[    4.329919669,5] STB: secure mode on (FORCED by nvram)
[    4.329962637,5] STB: trusted mode on (FORCED by nvram)
[    4.330023021,5] STB: tpm0 registered: driver=i2c_tpm_nuvoton evLogSize=2095
[    5.354157641,6] STB: IMA_CATALOG verified
[    5.354264802,6] STB: IMA_CATALOG hash calculated
[    5.397284153,5] STB: IMA_CATALOG measured on pcr2 (tpm0, evType 0x5, evLogSize 2178)
[    7.026764601,6] STB: CAPP verified
[    7.027069959,6] STB: CAPP hash calculated
[    7.070083022,5] STB: CAPP measured on pcr2 (tpm0, evType 0x5, evLogSize 2254)
[   16.087319251,6] STB: BOOTKERNEL verified
[   16.126912000,6] STB: BOOTKERNEL hash calculated
[   16.169940665,5] STB: BOOTKERNEL measured on pcr4 (tpm0, evType 0x5, evLogSize 2336)
[   17.105389759,5] STB: EV_SEPARATOR measured on pcr0 (tpm0, evType 0x4, evLogSize 2412)
[   17.148509076,5] STB: EV_SEPARATOR measured on pcr1 (tpm0, evType 0x4, evLogSize 2488)
[   17.191687100,5] STB: EV_SEPARATOR measured on pcr2 (tpm0, evType 0x4, evLogSize 2564)
[   17.234846677,5] STB: EV_SEPARATOR measured on pcr3 (tpm0, evType 0x4, evLogSize 2640)
[   17.277938046,5] STB: EV_SEPARATOR measured on pcr4 (tpm0, evType 0x4, evLogSize 2716)
[   17.321053996,5] STB: EV_SEPARATOR measured on pcr5 (tpm0, evType 0x4, evLogSize 2792)
[   17.364199336,5] STB: EV_SEPARATOR measured on pcr6 (tpm0, evType 0x4, evLogSize 2868)
[   17.407303146,5] STB: EV_SEPARATOR measured on pcr7 (tpm0, evType 0x4, evLogSize 2944)


Claudio Carvalho (20):
  libstb: move drivers/sha512.* to mbedtls directory
  libstb: import stb_init() breaking it into multiple files
  core/flash.c: extern function to get the name of a PNOR partition
  core/init.c: remove redundant calls to verify and measure BOOTKERNEL
  libstb/secureboot.c: import sb_verify() from stb.c
  libstb/trustedboot.c: import tb_measure() from stb.c
  libstb/cvc.c: import softrom behavior from drivers/sw_driver.c
  libstb/trustedboot.c: import stb_final() from stb.c
  tpm_i2c_nuvoton: add nuvoton,npct601 to the compatible property
  libstb/tss: update the list of event types supported
  libstb/tpm_chip.c: define pr_fmt and fix messages logged
  core: update superseded libstb calls in flash.c and init.c
  hdata: add secure and trusted boot ntuple to SPIRA-H/S
  libstb: remove stb.c and obsolete companions
  hdata/spira: add ibm,secureboot node in P9
  hdata/tpmrel.c: add firmware event log info to the tpm node
  hdata/tpmrel.c: add ibm,cvc device tree node
  libstb: add support for ibm,secureboot-v2
  libstb/cvc: update memory-region to point to /reserved-memory
  doc: update libstb documentation with POWER9 changes

 asm/Makefile.inc                     |   2 +-
 asm/{rom_entry.S => cvc_entry.S}     |   8 +-
 core/flash.c                         |  18 +-
 core/init.c                          |  42 ++--
 doc/device-tree/ibm,cvc.rst          |  47 +++++
 doc/device-tree/ibm,secureboot.rst   |  59 +++---
 doc/device-tree/tpm.rst              |   6 +-
 doc/stb.rst                          | 298 ++++++++++++++--------------
 hdata/Makefile.inc                   |   2 +-
 hdata/hdata.h                        |   1 +
 hdata/spira.c                        |  44 +++++
 hdata/spira.h                        |  69 ++++++-
 hdata/test/hdata_to_dt.c             |   1 +
 hdata/tpmrel.c                       | 221 +++++++++++++++++++++
 include/skiboot.h                    |   1 +
 libstb/Makefile.inc                  |   5 +-
 libstb/cvc.c                         | 365 +++++++++++++++++++++++++++++++++++
 libstb/cvc.h                         |  61 ++++++
 libstb/drivers/Makefile.inc          |   2 +-
 libstb/drivers/romcode.c             | 138 -------------
 libstb/drivers/romcode.h             |  24 ---
 libstb/drivers/sw_driver.c           |  76 --------
 libstb/drivers/sw_driver.h           |  24 ---
 libstb/drivers/tpm_i2c_nuvoton.c     |  10 +
 libstb/mbedtls/Makefile.inc          |  11 ++
 libstb/{drivers => mbedtls}/sha512.c |   0
 libstb/{drivers => mbedtls}/sha512.h |   0
 libstb/rom.c                         |  55 ------
 libstb/rom.h                         |  43 -----
 libstb/secureboot.c                  | 213 ++++++++++++++++++++
 libstb/secureboot.h                  |  50 +++++
 libstb/stb.c                         | 328 -------------------------------
 libstb/tpm_chip.c                    | 105 +++++-----
 libstb/tpm_chip.h                    |   2 +-
 libstb/trustedboot.c                 | 246 +++++++++++++++++++++++
 libstb/{stb.h => trustedboot.h}      |  45 ++---
 libstb/tss/trustedTypes.H            |  22 ++-
 libstb/tss/trustedboot.H             |  18 +-
 38 files changed, 1646 insertions(+), 1016 deletions(-)
 rename asm/{rom_entry.S => cvc_entry.S} (93%)
 create mode 100644 doc/device-tree/ibm,cvc.rst
 create mode 100644 hdata/tpmrel.c
 create mode 100644 libstb/cvc.c
 create mode 100644 libstb/cvc.h
 delete mode 100644 libstb/drivers/romcode.c
 delete mode 100644 libstb/drivers/romcode.h
 delete mode 100644 libstb/drivers/sw_driver.c
 delete mode 100644 libstb/drivers/sw_driver.h
 create mode 100644 libstb/mbedtls/Makefile.inc
 rename libstb/{drivers => mbedtls}/sha512.c (100%)
 rename libstb/{drivers => mbedtls}/sha512.h (100%)
 delete mode 100644 libstb/rom.c
 delete mode 100644 libstb/rom.h
 create mode 100644 libstb/secureboot.c
 create mode 100644 libstb/secureboot.h
 delete mode 100644 libstb/stb.c
 create mode 100644 libstb/trustedboot.c
 rename libstb/{stb.h => trustedboot.h} (54%)

-- 
2.7.4



More information about the Skiboot mailing list