[Skiboot] [PATCH v2 00/20] libstb: add support for secure and trusted boot in P9
Stewart Smith
stewart at linux.vnet.ibm.com
Wed Dec 20 10:45:47 AEDT 2017
Claudio Carvalho <cclaudio at linux.vnet.ibm.com> writes:
> Major changes in v2:
>
> - The Container Verification Code (CVC) and its services are no longer
> registered during the HDAT parsing, instead the ibm,cvc node is created
> for libstb to register them later in skiboot. Patches #17, #18, #19.
>
> - ibm,secureboot node is bumped to "ibm,secureboot-v2". Now the hash-algo
> property is superseded by the hw-key-hash-size and the CVC is represented
> by the ibm,cvc node. Patch #15.
>
> - (proc_gen >= proc_gen_p9) is always checked before reading the HDAT.
> Patches #15, #16.
>
> - Before reading any idata structure, first we check if the structure is
> really populated. Patches #16, #17.
>
> - libstb/{stb.c,stb.h} removed. Patch #14.
>
> - The CVC hostboot reserved memory is identified during the HDAT parsing by
> checking the DT for a reserved memory where
> (ibm,prd-label=ibm,secure-crypt-algo-code). Patch #17.
>
> Roughly speaking, with the v2 every partition fetched from PNOR should be
> properly verified and measured in both POWER8 and POWER9. It was tested on
> *witherspoon* and *p9dsu*. Here are the STB messages printed in the OPAL log:
>
> / # grep STB /sys/firmware/opal/msglog
> [ 2.418837830,5] STB: Found ibm,secureboot-v2
> [ 2.422842040,5] STB: secure mode on (FORCED by nvram)
> [ 2.425680374,6] STB: Found CVC @ 3ffd320000-3ffd32ffff
> [ 2.425681636,6] STB: Found CVC-sha512 @ 3ffd320040, version=1
> [ 2.425682890,6] STB: Found CVC-verify @ 3ffd320050, version=1
> [ 2.425685891,5] STB: trusted mode on
> [ 2.427116155,5] STB: Found tpm0,i2c_tpm_nuvoton evLogLen=2174 evLogSize=65536
> [ 3.037325656,6] STB: IMA_CATALOG verified
> [ 3.037483524,6] STB: IMA_CATALOG hash calculated
> [ 3.080420989,5] STB: IMA_CATALOG measured on pcr2 (tpm0, evType 0x5, evLogLen 2257)
> [ 3.221401794,6] STB: CAPP verified
> [ 3.221641991,6] STB: CAPP hash calculated
> [ 3.264593590,5] STB: CAPP measured on pcr2 (tpm0, evType 0x5, evLogLen 2333)
> [ 8.427545176,6] STB: BOOTKERNEL verified
> [ 8.459509213,6] STB: BOOTKERNEL hash calculated
> [ 8.502478342,5] STB: BOOTKERNEL measured on pcr4 (tpm0, evType 0x5, evLogLen 2415)
> [ 9.317683588,5] STB: EV_SEPARATOR measured on pcr0 (tpm0, evType 0x4, evLogLen 2491)
> [ 9.364162692,5] STB: EV_SEPARATOR measured on pcr1 (tpm0, evType 0x4, evLogLen 2567)
> [ 9.410932645,5] STB: EV_SEPARATOR measured on pcr2 (tpm0, evType 0x4, evLogLen 2643)
> [ 9.457221555,5] STB: EV_SEPARATOR measured on pcr3 (tpm0, evType 0x4, evLogLen 2719)
> [ 9.503811698,5] STB: EV_SEPARATOR measured on pcr4 (tpm0, evType 0x4, evLogLen 2795)
> [ 10.038662929,5] STB: EV_SEPARATOR measured on pcr5 (tpm0, evType 0x4, evLogLen 2871)
> [ 10.085016642,5] STB: EV_SEPARATOR measured on pcr6 (tpm0, evType 0x4, evLogLen 2947)
> [ 10.131638410,5] STB: EV_SEPARATOR measured on pcr7 (tpm0, evType 0x4, evLogLen 3023)
>
>
> Changelog v1:
> =============
>
> In POWER9, skiboot is responsible to build the device tree from the HDAT,
> including the entries related to secure and trusted boot.
>
> Secure and Trusted Boot changes compared to POWER8:
>
> - The Container-Verification-Code (CVC), a.k.a. ROM code, is no longer
> stored in a secure ROM with static address and offsets. In POWER9, it is
> stored in a hostboot reserved memory and each CVC service provided has
> a version, not only an offset.
>
> - The hash-algo property is not provided via HDAT, instead it provides
> the hw-key-hash-size, which is indeed the information required by the
> CVC to verify signed firmware code.
>
> Since skiboot is the only consumer for the Container-Verification-Code, this
> patch series doesn't export the CVC services (version and offset) to the device
> tree. Instead, they are consumed only in skiboot.
>
> Activities performed in this patch series:
>
> - do some libstb code refactoring in order to support CVC initialization
> during HDAT parsing and also later on when the libstb is initialized.
>
> - build the STB device tree entries from HDAT.
>
> - update the skiboot TCG Software Stack (TSS).
>
> - extend and update the libstb documentation with POWER9 changes.
>
> Roughly speaking, with this patch series every partition fetched from PNOR
> should be properly verified and measured in both POWER8 and POWER9. It was
> tested on witherspoon. Here are the STB messages printed in the OPAL log:
>
> $> grep STB /sys/firmware/opal/msglog
> [ 115.507742723,6] STB: CVC-sha512 service found @0xffd330040
> [ 115.507747366,6] STB: CVC-verify service found @0xffd330050
> [ 4.329796596,5] STB: Found ibm,secureboot-v1
> [ 4.329919669,5] STB: secure mode on (FORCED by nvram)
> [ 4.329962637,5] STB: trusted mode on (FORCED by nvram)
> [ 4.330023021,5] STB: tpm0 registered: driver=i2c_tpm_nuvoton evLogSize=2095
> [ 5.354157641,6] STB: IMA_CATALOG verified
> [ 5.354264802,6] STB: IMA_CATALOG hash calculated
> [ 5.397284153,5] STB: IMA_CATALOG measured on pcr2 (tpm0, evType 0x5, evLogSize 2178)
> [ 7.026764601,6] STB: CAPP verified
> [ 7.027069959,6] STB: CAPP hash calculated
> [ 7.070083022,5] STB: CAPP measured on pcr2 (tpm0, evType 0x5, evLogSize 2254)
> [ 16.087319251,6] STB: BOOTKERNEL verified
> [ 16.126912000,6] STB: BOOTKERNEL hash calculated
> [ 16.169940665,5] STB: BOOTKERNEL measured on pcr4 (tpm0, evType 0x5, evLogSize 2336)
> [ 17.105389759,5] STB: EV_SEPARATOR measured on pcr0 (tpm0, evType 0x4, evLogSize 2412)
> [ 17.148509076,5] STB: EV_SEPARATOR measured on pcr1 (tpm0, evType 0x4, evLogSize 2488)
> [ 17.191687100,5] STB: EV_SEPARATOR measured on pcr2 (tpm0, evType 0x4, evLogSize 2564)
> [ 17.234846677,5] STB: EV_SEPARATOR measured on pcr3 (tpm0, evType 0x4, evLogSize 2640)
> [ 17.277938046,5] STB: EV_SEPARATOR measured on pcr4 (tpm0, evType 0x4, evLogSize 2716)
> [ 17.321053996,5] STB: EV_SEPARATOR measured on pcr5 (tpm0, evType 0x4, evLogSize 2792)
> [ 17.364199336,5] STB: EV_SEPARATOR measured on pcr6 (tpm0, evType 0x4, evLogSize 2868)
> [ 17.407303146,5] STB: EV_SEPARATOR measured on pcr7 (tpm0, evType 0x4, evLogSize 2944)
>
>
> Claudio Carvalho (20):
> libstb: move drivers/sha512.* to mbedtls directory
> libstb: import stb_init() breaking it into multiple files
> core/flash.c: extern function to get the name of a PNOR partition
> core/init.c: remove redundant calls to verify and measure BOOTKERNEL
> libstb/secureboot.c: import sb_verify() from stb.c
> libstb/trustedboot.c: import tb_measure() from stb.c
> libstb/cvc.c: import softrom behavior from drivers/sw_driver.c
> libstb/trustedboot.c: import stb_final() from stb.c
> tpm_i2c_nuvoton: add nuvoton,npct601 to the compatible property
> libstb/tss: update the list of event types supported
> libstb/tpm_chip.c: define pr_fmt and fix messages logged
> core: update superseded libstb calls in flash.c and init.c
> hdata: add secure and trusted boot ntuple to SPIRA-H/S
> libstb: remove stb.c and obsolete companions
> hdata/spira: add ibm,secureboot node in P9
> hdata/tpmrel.c: add firmware event log info to the tpm node
> hdata/tpmrel.c: add ibm,cvc device tree node
> libstb: add support for ibm,secureboot-v2
> libstb/cvc: update memory-region to point to /reserved-memory
> doc: update libstb documentation with POWER9 changes
>
> asm/Makefile.inc | 2 +-
> asm/{rom_entry.S => cvc_entry.S} | 8 +-
> core/flash.c | 18 +-
> core/init.c | 42 ++--
> doc/device-tree/ibm,cvc.rst | 47 +++++
> doc/device-tree/ibm,secureboot.rst | 59 +++---
> doc/device-tree/tpm.rst | 6 +-
> doc/stb.rst | 298 ++++++++++++++--------------
> hdata/Makefile.inc | 2 +-
> hdata/hdata.h | 1 +
> hdata/spira.c | 44 +++++
> hdata/spira.h | 69 ++++++-
> hdata/test/hdata_to_dt.c | 1 +
> hdata/tpmrel.c | 221 +++++++++++++++++++++
> include/skiboot.h | 1 +
> libstb/Makefile.inc | 5 +-
> libstb/cvc.c | 365 +++++++++++++++++++++++++++++++++++
> libstb/cvc.h | 61 ++++++
> libstb/drivers/Makefile.inc | 2 +-
> libstb/drivers/romcode.c | 138 -------------
> libstb/drivers/romcode.h | 24 ---
> libstb/drivers/sw_driver.c | 76 --------
> libstb/drivers/sw_driver.h | 24 ---
> libstb/drivers/tpm_i2c_nuvoton.c | 10 +
> libstb/mbedtls/Makefile.inc | 11 ++
> libstb/{drivers => mbedtls}/sha512.c | 0
> libstb/{drivers => mbedtls}/sha512.h | 0
> libstb/rom.c | 55 ------
> libstb/rom.h | 43 -----
> libstb/secureboot.c | 213 ++++++++++++++++++++
> libstb/secureboot.h | 50 +++++
> libstb/stb.c | 328 -------------------------------
> libstb/tpm_chip.c | 105 +++++-----
> libstb/tpm_chip.h | 2 +-
> libstb/trustedboot.c | 246 +++++++++++++++++++++++
> libstb/{stb.h => trustedboot.h} | 45 ++---
> libstb/tss/trustedTypes.H | 22 ++-
> libstb/tss/trustedboot.H | 18 +-
> 38 files changed, 1646 insertions(+), 1016 deletions(-)
> rename asm/{rom_entry.S => cvc_entry.S} (93%)
> create mode 100644 doc/device-tree/ibm,cvc.rst
> create mode 100644 hdata/tpmrel.c
> create mode 100644 libstb/cvc.c
> create mode 100644 libstb/cvc.h
> delete mode 100644 libstb/drivers/romcode.c
> delete mode 100644 libstb/drivers/romcode.h
> delete mode 100644 libstb/drivers/sw_driver.c
> delete mode 100644 libstb/drivers/sw_driver.h
> create mode 100644 libstb/mbedtls/Makefile.inc
> rename libstb/{drivers => mbedtls}/sha512.c (100%)
> rename libstb/{drivers => mbedtls}/sha512.h (100%)
> delete mode 100644 libstb/rom.c
> delete mode 100644 libstb/rom.h
> create mode 100644 libstb/secureboot.c
> create mode 100644 libstb/secureboot.h
> delete mode 100644 libstb/stb.c
> create mode 100644 libstb/trustedboot.c
> rename libstb/{stb.h => trustedboot.h} (54%)
Merged to master as of 63ef6f54445e52e0cd3af4672e73c047484a6a12
As discussed in the thread here, the one change was to run all the
container verification all the time. this means that currently, if you
flash this skiboot onto a machine, you'll get a bunch of warnings about
things not being verified. I think this is the Right Thing (TM) to do,
as it makes any holes in signing things fairly obvious and not just
something that'll fall apart if secure mode is switched on.
I've also merged a patch that makes our skiboot.lid.xz.stb file be
signed with development keys, so these should actually verify okay with
development keys.
I've also done the same for hello_world and sreset_world tests in mambo,
so we now *do* run some container code in mambo as part of CI.
Thanks for your work on this!
--
Stewart Smith
OPAL Architect, IBM.
More information about the Skiboot
mailing list