[Skiboot] [PATCH v2 00/20] libstb: add support for secure and trusted boot in P9
Stewart Smith
stewart at linux.vnet.ibm.com
Wed Dec 13 20:54:11 AEDT 2017
Claudio Carvalho <cclaudio at linux.vnet.ibm.com> writes:
> / # grep STB /sys/firmware/opal/msglog
> [ 2.418837830,5] STB: Found ibm,secureboot-v2
> [ 2.422842040,5] STB: secure mode on (FORCED by nvram)
> [ 2.425680374,6] STB: Found CVC @ 3ffd320000-3ffd32ffff
> [ 2.425681636,6] STB: Found CVC-sha512 @ 3ffd320040, version=1
> [ 2.425682890,6] STB: Found CVC-verify @ 3ffd320050, version=1
> [ 2.425685891,5] STB: trusted mode on
> [ 2.427116155,5] STB: Found tpm0,i2c_tpm_nuvoton evLogLen=2174 evLogSize=65536
> [ 3.037325656,6] STB: IMA_CATALOG verified
> [ 3.037483524,6] STB: IMA_CATALOG hash calculated
> [ 3.080420989,5] STB: IMA_CATALOG measured on pcr2 (tpm0, evType 0x5, evLogLen 2257)
> [ 3.221401794,6] STB: CAPP verified
> [ 3.221641991,6] STB: CAPP hash calculated
> [ 3.264593590,5] STB: CAPP measured on pcr2 (tpm0, evType 0x5, evLogLen 2333)
> [ 8.427545176,6] STB: BOOTKERNEL verified
> [ 8.459509213,6] STB: BOOTKERNEL hash calculated
> [ 8.502478342,5] STB: BOOTKERNEL measured on pcr4 (tpm0, evType 0x5, evLogLen 2415)
> [ 9.317683588,5] STB: EV_SEPARATOR measured on pcr0 (tpm0, evType 0x4, evLogLen 2491)
> [ 9.364162692,5] STB: EV_SEPARATOR measured on pcr1 (tpm0, evType 0x4, evLogLen 2567)
> [ 9.410932645,5] STB: EV_SEPARATOR measured on pcr2 (tpm0, evType 0x4, evLogLen 2643)
> [ 9.457221555,5] STB: EV_SEPARATOR measured on pcr3 (tpm0, evType 0x4, evLogLen 2719)
> [ 9.503811698,5] STB: EV_SEPARATOR measured on pcr4 (tpm0, evType 0x4, evLogLen 2795)
> [ 10.038662929,5] STB: EV_SEPARATOR measured on pcr5 (tpm0, evType 0x4, evLogLen 2871)
> [ 10.085016642,5] STB: EV_SEPARATOR measured on pcr6 (tpm0, evType 0x4, evLogLen 2947)
> [ 10.131638410,5] STB: EV_SEPARATOR measured on pcr7 (tpm0, evType 0x4, evLogLen 3023)
I'm having a slightly different experience at the moment:
I used sb-signing-utils to ./sign-with-local-keys.sh (using the development keys
in op-build/openpower/package/sb-signing-utils/keys) for BOOTKERNEL, and
I'm instead just getting:
[ 51.147186780,0] STB: VERSION NOT VERIFIED, invalid param. buf=0x30575560, len=4096 key-hash=0x0 hash-size=0
[ 51.254853202,5] STB: Found ibm,secureboot-v2
[ 51.258769416,5] STB: secure mode off
[ 51.260898690,6] STB: Found CVC @ 3ffd2e0000-3ffd2effff
[ 51.260899992,6] STB: Found CVC-sha512 @ 3ffd2e0040, version=1
[ 51.260901467,6] STB: Found CVC-verify @ 3ffd2e0050, version=1
[ 51.260904595,5] STB: trusted mode off
[ 51.373418060,0] STB: IMA_CATALOG verification FAILED. log=0xffffffffffff8160
[ 51.502378419,0] STB: CAPP verification FAILED. log=0xffffffffffff8160
[ 57.131768572,0] STB: BOOTKERNEL verification FAILED. log=0xffffffffffff8160
Considering BOOTKERNEL is the only one with a header, the other failures
are expected.
I've done the naive thing of just enabling the following options in
upstream hostboot:
set SECUREBOOT
set TPMDD
set TPM_NUVOTON
Any thoughts?
--
Stewart Smith
OPAL Architect, IBM.
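An added example, not part of this message or of skiboot: a small checker that reads `STB:` lines in the format shown in the two logs above and reports why a boot should not be treated as verified and measured. The names `summarize`, `problems` and `expected` are hypothetical, and treating a `NOT VERIFIED` line as a failure is an assumption.

```python
import re

# Line shapes come from the two msglog excerpts in this thread.
STB = re.compile(r"\[\s*\d+\.\d+,\d\]\s+STB:\s+(.*)")
MODE = re.compile(r"^(secure|trusted) mode (on|off)")
OK = re.compile(r"^(\w+) verified$")
BAD = re.compile(r"^(\w+) (?:verification FAILED|NOT VERIFIED)")
PCR = re.compile(r"^(\w+) measured on pcr(\d+)")

# Sample input: lines copied from the quoted log and from the reply's log.
GOOD_LOG = """[ 2.422842040,5] STB: secure mode on (FORCED by nvram)
[ 2.425685891,5] STB: trusted mode on
[ 8.427545176,6] STB: BOOTKERNEL verified
[ 8.459509213,6] STB: BOOTKERNEL hash calculated
[ 8.502478342,5] STB: BOOTKERNEL measured on pcr4 (tpm0, evType 0x5, evLogLen 2415)"""
BAD_LOG = """[ 51.147186780,0] STB: VERSION NOT VERIFIED, invalid param. buf=0x30575560, len=4096 key-hash=0x0 hash-size=0
[ 51.258769416,5] STB: secure mode off
[ 51.260904595,5] STB: trusted mode off
[ 57.131768572,0] STB: BOOTKERNEL verification FAILED. log=0xffffffffffff8160"""

def summarize(msglog):
    """Collect secure/trusted mode and per-component results from STB lines."""
    s = {"secure": None, "trusted": None, "verified": [], "failed": [], "measured": {}}
    for line in msglog.splitlines():
        m = STB.search(line)  # search, so "> "-quoted lines also parse
        msg = m.group(1).strip() if m else ""
        if (x := MODE.match(msg)):
            s[x.group(1)] = x.group(2) == "on"
        elif (x := OK.match(msg)):
            s["verified"].append(x.group(1))
        elif (x := BAD.match(msg)):  # assumption: "NOT VERIFIED" counts as a failure
            s["failed"].append(x.group(1))
        elif (x := PCR.match(msg)):
            s["measured"].setdefault(x.group(1), []).append(int(x.group(2)))
    return s

def problems(s, expected=("BOOTKERNEL",)):
    """List reasons not to treat this boot as verified and measured.
    `expected` (assumption) names the components the operator requires."""
    out = [f"{m} mode is not on" for m in ("secure", "trusted") if s[m] is not True]
    out += [f"{n} failed verification" for n in s["failed"]]
    out += [f"{n} has no 'verified' line" for n in expected if n not in s["verified"]]
    out += [f"{n} was not measured into a PCR" for n in expected if n not in s["measured"]]
    return out

if __name__ == "__main__":
    for name, log in (("quoted log", GOOD_LOG), ("reply log", BAD_LOG)):
        print(name, problems(summarize(log)) or "no problems")
```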