[Skiboot] [PATCH] Mambo: run hello_world and sreset_world tests with Secure and Trusted Boot
Stewart Smith
stewart at linux.vnet.ibm.com
Wed Dec 20 10:20:29 AEDT 2017
We *disable* the secure boot part, but we keep the verified boot
part as we don't currently have container verification code for Mambo.
We can run a small part of the code currently though.
Signed-off-by: Stewart Smith <stewart at linux.vnet.ibm.com>
---
core/init.c | 15 +++++++++++++--
external/mambo/skiboot.tcl | 2 +-
opal-ci/Dockerfile-centos7 | 2 +-
opal-ci/Dockerfile-fedora24 | 2 +-
test/hello_world/Makefile.check | 24 ++++++++++++++++++++++++
test/hello_world/run_mambo_hello_world.sh | 7 +++++--
test/hello_world/run_mambo_p9_hello_world.sh | 7 +++++--
test/sreset_world/Makefile.check | 16 +++++++++++++++-
test/sreset_world/run_mambo_p9_sreset.sh | 6 +++++-
test/sreset_world/run_mambo_sreset.sh | 7 +++++--
10 files changed, 75 insertions(+), 13 deletions(-)
diff --git a/core/init.c b/core/init.c
index 0405f5cc3851..ec9f32981cd4 100644
--- a/core/init.c
+++ b/core/init.c
@@ -342,6 +342,7 @@ bool start_preload_kernel(void)
static bool load_kernel(void)
{
+ void *stb_container = NULL;
struct elf_hdr *kh;
int loaded;
@@ -390,9 +391,10 @@ static bool load_kernel(void)
/* Hack for STB in Mambo, assume at least 4kb in mem */
kernel_size = SECURE_BOOT_HEADERS_SIZE;
}
- if (stb_is_container(KERNEL_LOAD_BASE, kernel_size))
+ if (stb_is_container(KERNEL_LOAD_BASE, kernel_size)) {
+ stb_container = KERNEL_LOAD_BASE;
kh = (struct elf_hdr *) (KERNEL_LOAD_BASE + SECURE_BOOT_HEADERS_SIZE);
- else
+ } else
kh = (struct elf_hdr *) (KERNEL_LOAD_BASE);
}
@@ -417,6 +419,15 @@ static bool load_kernel(void)
return false;
}
+ if (chip_quirk(QUIRK_MAMBO_CALLOUTS)) {
+ secureboot_verify(RESOURCE_ID_KERNEL,
+ stb_container,
+ SECURE_BOOT_HEADERS_SIZE + kernel_size);
+ trustedboot_measure(RESOURCE_ID_KERNEL,
+ stb_container,
+ SECURE_BOOT_HEADERS_SIZE + kernel_size);
+ }
+
trustedboot_exit_boot_services();
return true;
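Review bot: `stb_container` is still NULL at the added block whenever the image at KERNEL_LOAD_BASE was not recognised as a container, yet it is passed to `secureboot_verify()` and `trustedboot_measure()` on every boot with QUIRK_MAMBO_CALLOUTS set. Whether those functions tolerate a NULL buffer is not visible in this patch, so make the guard explicit, e.g. `if (chip_quirk(QUIRK_MAMBO_CALLOUTS) && stb_container) {`, or decide deliberately what an unsigned kernel should be measured as. The length passed is `SECURE_BOOT_HEADERS_SIZE + kernel_size`, and the Mambo path in the previous hunk sets `kernel_size = SECURE_BOOT_HEADERS_SIZE`, so unless it is updated outside the hunks only a fixed-size prefix is measured rather than the whole kernel; a comment saying so would prevent readers assuming full coverage. The body of load_kernel continues outside the hunk.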
diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl
index abceb749537e..38298bffd09b 100644
--- a/external/mambo/skiboot.tcl
+++ b/external/mambo/skiboot.tcl
@@ -437,7 +437,7 @@ mconfig enable_stb SKIBOOT_ENABLE_MAMBO_STB 0
if { [info exists env(SKIBOOT_ENABLE_MAMBO_STB)] } {
set stb_node [ mysim of addchild $root_node "ibm,secureboot" "" ]
mysim of addprop $stb_node string "compatible" "ibm,secureboot-v1-softrom"
- mysim of addprop $stb_node string "secure-enabled" ""
+# mysim of addprop $stb_node string "secure-enabled" ""
mysim of addprop $stb_node string "trusted-enabled" ""
mysim of addprop $stb_node string "hash-algo" "sha512"
set hw_key_hash {}
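Review bot: The `secure-enabled` property is switched off by commenting the line out, and nothing in the file says why, so a later reader cannot tell a deliberate choice from leftover debugging. Replace the dead line with an explanatory comment such as `# secure-enabled is intentionally not set: there is no container verification code for Mambo yet, so only trusted boot is exercised`. It would also help to state there that, with this property absent, the STB test targets presumably never reach the enforcement path and so will not catch a regression in signature verification. The enclosing `if` block continues outside the hunk.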
diff --git a/opal-ci/Dockerfile-centos7 b/opal-ci/Dockerfile-centos7
index d30d1295d277..7fd8c6cbcbd5 100644
--- a/opal-ci/Dockerfile-centos7
+++ b/opal-ci/Dockerfile-centos7
@@ -1,6 +1,6 @@
FROM centos:7
RUN yum -y update && yum clean all
-RUN yum -y install wget curl xterm gcc git xz make diffutils findutils expect valgrind valgrind-devel ccache dtc openssl-devel
+RUN yum -y install wget curl xterm gcc git xz make diffutils findutils expect valgrind valgrind-devel ccache dtc openssl-devel openssl
RUN wget https://www.kernel.org/pub/tools/crosstool/files/bin/x86_64/4.8.0/x86_64-gcc-4.8.0-nolibc_powerpc64-linux.tar.xz
RUN mkdir /opt/cross
RUN tar -C /opt/cross -xf x86_64-gcc-4.8.0-nolibc_powerpc64-linux.tar.xz
diff --git a/opal-ci/Dockerfile-fedora24 b/opal-ci/Dockerfile-fedora24
index b60120808722..06e1b0f94eae 100644
--- a/opal-ci/Dockerfile-fedora24
+++ b/opal-ci/Dockerfile-fedora24
@@ -1,5 +1,5 @@
FROM fedora:24
-RUN dnf -y install wget curl xterm gcc git xz make diffutils findutils expect valgrind valgrind-devel ccache dtc openssl-devel
+RUN dnf -y install wget curl xterm gcc git xz make diffutils findutils expect valgrind valgrind-devel ccache dtc openssl-devel openssl
RUN dnf -y install gcc-powerpc64-linux-gnu
RUN dnf -y install http://public.dhe.ibm.com/software/server/powerfuncsim/p9/packages/v1.1-0/systemsim-p9-1.1-0.f22.x86_64.rpm
COPY . /build/
diff --git a/test/hello_world/Makefile.check b/test/hello_world/Makefile.check
index 10f48cc1db94..e791ea76b72b 100644
--- a/test/hello_world/Makefile.check
+++ b/test/hello_world/Makefile.check
@@ -1,4 +1,5 @@
HELLO_WORLD_TEST := test/hello_world/hello_kernel/hello_kernel
+HELLO_WORLD_STB_TEST := test/hello_world/hello_kernel/hello_kernel.stb
.PHONY: hello_world-tests
hello_world-tests: $(HELLO_WORLD_TEST:%=%-check-smt-mambo)
@@ -7,6 +8,11 @@ hello_world-tests: $(HELLO_WORLD_TEST:%=%-check-mambo)
hello_world-tests: $(HELLO_WORLD_TEST:%=%-check-p9-mambo)
hello_world-tests: $(HELLO_WORLD_TEST:%=%-check-qemu)
+hello_world-tests: $(HELLO_WORLD_STB_TEST:%=%-check-stb-smt-mambo)
+hello_world-tests: $(HELLO_WORLD_STB_TEST:%=%-check-stb-smt-p9-mambo)
+hello_world-tests: $(HELLO_WORLD_STB_TEST:%=%-check-stb-mambo)
+hello_world-tests: $(HELLO_WORLD_STB_TEST:%=%-check-stb-p9-mambo)
+
boot-tests: hello_world-tests
check: hello_world-tests
@@ -22,6 +28,21 @@ $(HELLO_WORLD_TEST:%=%-check-mambo): %-check-mambo: % skiboot.lid
$(HELLO_WORLD_TEST:%=%-check-p9-mambo): %-check-p9-mambo: % skiboot.lid
$(call Q , BOOT TEST , ./test/hello_world/run_mambo_p9_hello_world.sh, $@)
+# and now, with secure and trusted boot:
+$(HELLO_WORLD_STB_TEST:%=%-check-stb-smt-mambo): %-check-stb-smt-mambo: % skiboot.lid.stb
+ $(call Q , BOOT TEST , SKIBOOT_ENABLE_MAMBO_STB=1 THREADS=2 ./test/hello_world/run_mambo_hello_world.sh , $@)
+
+$(HELLO_WORLD_STB_TEST:%=%-check-stb-smt-p9-mambo): %-check-stb-smt-p9-mambo: % skiboot.lid.stb
+ $(call Q , BOOT TEST , SKIBOOT_ENABLE_MAMBO_STB=1 THREADS=2 ./test/hello_world/run_mambo_p9_hello_world.sh , $@)
+
+$(HELLO_WORLD_STB_TEST:%=%-check-stb-mambo): %-check-stb-mambo: % skiboot.lid.stb
+ $(call Q , BOOT TEST , SKIBOOT_ENABLE_MAMBO_STB=1 ./test/hello_world/run_mambo_hello_world.sh, $@)
+
+$(HELLO_WORLD_STB_TEST:%=%-check-stb-p9-mambo): %-check-stb-p9-mambo: % skiboot.lid.stb
+ $(call Q , BOOT TEST , SKIBOOT_ENABLE_MAMBO_STB=1 ./test/hello_world/run_mambo_p9_hello_world.sh, $@)
+
+# qemu
+
$(HELLO_WORLD_TEST:%=%-check-qemu): %-check-qemu: % skiboot.lid
$(call Q , BOOT TEST , ./test/hello_world/run_qemu_hello_world.sh, $@)
@@ -35,6 +56,9 @@ hello_kernel_LDFLAGS=-m64 -Wl,--build-id=none -T test/hello_world/hello_kernel/h
test/hello_world/hello_kernel/hello_kernel: test/hello_world/hello_kernel/hello_kernel.o
$(call Q,LD, $(CC) $(hello_kernel_LDFLAGS) -o $@ $^ , $@)
+test/hello_world/hello_kernel/hello_kernel.stb: test/hello_world/hello_kernel/hello_kernel libstb/create-container
+ $(call Q,STB-DEVELOPMENT-SIGNED-CONTAINER,$(SRC)/libstb/sign-with-local-keys.sh $< $@ $(SRC)/libstb/keys/,$@)
+
clean: hello_world-test-clean
hello_world-test-clean:
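Review bot: The new `hello_kernel.stb` rule lists `libstb/create-container` as a prerequisite, but its recipe runs `$(SRC)/libstb/sign-with-local-keys.sh` against `$(SRC)/libstb/keys/`, and neither is a prerequisite, so editing the script or the keys does not re-sign the container. Appending `$(SRC)/libstb/sign-with-local-keys.sh` to the prerequisite list keeps the artifact in step with its signer without changing `$<`. A comment such as `# signed with the in-tree development keys; for simulator tests only` would make the trust level of the output explicit. The recipe of `hello_world-test-clean` is outside the hunk, so check that it removes the `.stb` file; the same rule is added in test/sreset_world/Makefile.check.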
diff --git a/test/hello_world/run_mambo_hello_world.sh b/test/hello_world/run_mambo_hello_world.sh
index 5bb92bced97d..13112d000405 100755
--- a/test/hello_world/run_mambo_hello_world.sh
+++ b/test/hello_world/run_mambo_hello_world.sh
@@ -24,8 +24,11 @@ if [ ! `command -v expect` ]; then
exit 0;
fi
-
-export SKIBOOT_ZIMAGE=`pwd`/test/hello_world/hello_kernel/hello_kernel
+if [ -n "$SKIBOOT_ENABLE_MAMBO_STB" ]; then
+ export SKIBOOT_ZIMAGE=`pwd`/test/hello_world/hello_kernel/hello_kernel.stb
+else
+ export SKIBOOT_ZIMAGE=`pwd`/test/hello_world/hello_kernel/hello_kernel
+fi
# Currently getting some core dumps from mambo, so disable them!
OLD_ULIMIT_C=`ulimit -c`
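Review bot: The new test `[ -n "$SKIBOOT_ENABLE_MAMBO_STB" ]` treats any non-empty value as on, so `SKIBOOT_ENABLE_MAMBO_STB=0` still selects `hello_kernel.stb`; this matches the `info exists` check in skiboot.tcl but is easy to misread as a boolean. Add a comment above the `if`, e.g. `# any non-empty value (including 0) selects the signed container, as in skiboot.tcl`. The `pwd` substitution is unquoted, so in shells that word-split arguments to `export` a checkout path containing spaces breaks the assignment; `export SKIBOOT_ZIMAGE="$(pwd)/test/hello_world/hello_kernel/hello_kernel.stb"` avoids that. The same block is added to run_mambo_p9_hello_world.sh, run_mambo_p9_sreset.sh and run_mambo_sreset.sh.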
diff --git a/test/hello_world/run_mambo_p9_hello_world.sh b/test/hello_world/run_mambo_p9_hello_world.sh
index 022c71e372fd..f8b0dae880d8 100755
--- a/test/hello_world/run_mambo_p9_hello_world.sh
+++ b/test/hello_world/run_mambo_p9_hello_world.sh
@@ -23,8 +23,11 @@ if [ ! `command -v expect` ]; then
exit 0;
fi
-
-export SKIBOOT_ZIMAGE=`pwd`/test/hello_world/hello_kernel/hello_kernel
+if [ -n "$SKIBOOT_ENABLE_MAMBO_STB" ]; then
+ export SKIBOOT_ZIMAGE=`pwd`/test/hello_world/hello_kernel/hello_kernel.stb
+else
+ export SKIBOOT_ZIMAGE=`pwd`/test/hello_world/hello_kernel/hello_kernel
+fi
# Currently getting some core dumps from mambo, so disable them!
OLD_ULIMIT_C=`ulimit -c`
diff --git a/test/sreset_world/Makefile.check b/test/sreset_world/Makefile.check
index 02e03f34a4c2..289af8dd17fb 100644
--- a/test/sreset_world/Makefile.check
+++ b/test/sreset_world/Makefile.check
@@ -1,10 +1,14 @@
-SRESET_WORLD_TEST := test/sreset_world/sreset_kernel/sreset_kernel
+SRESET_WORLD_TEST := test/sreset_world/sreset_kernel/sreset_kernel.stb
+SRESET_WORLD_STB_TEST := test/sreset_world/sreset_kernel/sreset_kernel.stb
.PHONY: sreset_world-tests
# We only do the SMT tests as we don't do OPAL re-entry
sreset_world-tests: $(SRESET_WORLD_TEST:%=%-check-smt-mambo)
sreset_world-tests: $(SRESET_WORLD_TEST:%=%-check-smt-p9-mambo)
+sreset_world-tests: $(SRESET_WORLD_STB_TEST:%=%-check-stb-smt-mambo)
+sreset_world-tests: $(SRESET_WORLD_STB_TEST:%=%-check-stb-smt-p9-mambo)
+
boot-tests: sreset_world-tests
check: sreset_world-tests
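Review bot: `SRESET_WORLD_TEST` is changed to the `.stb` path, which makes it identical to the new `SRESET_WORLD_STB_TEST`, whereas test/hello_world/Makefile.check leaves `HELLO_WORLD_TEST` pointing at the unsigned kernel. The existing non-STB targets therefore become `sreset_kernel.stb-check-smt-mambo` and depend on the signed container, although the run scripts boot the plain `sreset_kernel` when SKIBOOT_ENABLE_MAMBO_STB is unset. If that is not intended, keep `SRESET_WORLD_TEST := test/sreset_world/sreset_kernel/sreset_kernel`.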
@@ -14,6 +18,12 @@ $(SRESET_WORLD_TEST:%=%-check-smt-mambo): %-check-smt-mambo: % skiboot.lid
$(SRESET_WORLD_TEST:%=%-check-smt-p9-mambo): %-check-smt-p9-mambo: % skiboot.lid
$(call Q , BOOT TEST , THREADS=2 ./test/sreset_world/run_mambo_p9_sreset.sh , $@)
+$(SRESET_WORLD_STB_TEST:%=%-check-stb-smt-mambo): %-check-stb-smt-mambo: % skiboot.lid.stb
+ $(call Q , BOOT TEST , SKIBOOT_ENABLE_MAMBO_STB=1 THREADS=2 ./test/sreset_world/run_mambo_sreset.sh , $@)
+
+$(SRESET_WORLD_STB_TEST:%=%-check-stb-smt-p9-mambo): %-check-stb-smt-p9-mambo: % skiboot.lid.stb
+ $(call Q , BOOT TEST , SKIBOOT_ENABLE_MAMBO_STB=1 THREADS=2 ./test/sreset_world/run_mambo_p9_sreset.sh , $@)
+
test/sreset_world/sreset_kernel/sreset_kernel.o: test/sreset_world/sreset_kernel/sreset_kernel.S test/sreset_world/sreset_kernel/sreset_kernel.ld
$(call Q,CC, $(CC) -mbig-endian -m64 -c -MMD -o $@ $< ,$@)
@@ -24,6 +34,10 @@ sreset_kernel_LDFLAGS=-m64 -Wl,--build-id=none -T test/sreset_world/sreset_kerne
test/sreset_world/sreset_kernel/sreset_kernel: test/sreset_world/sreset_kernel/sreset_kernel.o
$(call Q,LD, $(CC) $(sreset_kernel_LDFLAGS) -o $@ $^ , $@)
+test/sreset_world/sreset_kernel/sreset_kernel.stb: test/sreset_world/sreset_kernel/sreset_kernel libstb/create-container
+ $(call Q,STB-DEVELOPMENT-SIGNED-CONTAINER,$(SRC)/libstb/sign-with-local-keys.sh $< $@ $(SRC)/libstb/keys/,$@)
+
+
clean: sreset_world-test-clean
sreset_world-test-clean:
diff --git a/test/sreset_world/run_mambo_p9_sreset.sh b/test/sreset_world/run_mambo_p9_sreset.sh
index 2d0d51a28fe3..9f61f1e9b41a 100755
--- a/test/sreset_world/run_mambo_p9_sreset.sh
+++ b/test/sreset_world/run_mambo_p9_sreset.sh
@@ -23,7 +23,11 @@ if [ ! `command -v expect` ]; then
exit 0;
fi
-export SKIBOOT_ZIMAGE=`pwd`/test/sreset_world/sreset_kernel/sreset_kernel
+if [ -n "$SKIBOOT_ENABLE_MAMBO_STB" ]; then
+ export SKIBOOT_ZIMAGE=`pwd`/test/sreset_world/sreset_kernel/sreset_kernel.stb
+else
+ export SKIBOOT_ZIMAGE=`pwd`/test/sreset_world/sreset_kernel/sreset_kernel
+fi
# Currently getting some core dumps from mambo, so disable them!
OLD_ULIMIT_C=`ulimit -c`
diff --git a/test/sreset_world/run_mambo_sreset.sh b/test/sreset_world/run_mambo_sreset.sh
index 281c466c6221..10c7224de3c8 100755
--- a/test/sreset_world/run_mambo_sreset.sh
+++ b/test/sreset_world/run_mambo_sreset.sh
@@ -24,8 +24,11 @@ if [ ! `command -v expect` ]; then
exit 0;
fi
-
-export SKIBOOT_ZIMAGE=`pwd`/test/sreset_world/sreset_kernel/sreset_kernel
+if [ -n "$SKIBOOT_ENABLE_MAMBO_STB" ]; then
+ export SKIBOOT_ZIMAGE=`pwd`/test/sreset_world/sreset_kernel/sreset_kernel.stb
+else
+ export SKIBOOT_ZIMAGE=`pwd`/test/sreset_world/sreset_kernel/sreset_kernel
+fi
# Currently getting some core dumps from mambo, so disable them!
OLD_ULIMIT_C=`ulimit -c`
--
2.14.3