[Skiboot] [PATCH 17/19] libstb: integrate changes made to support POWER9

Claudio Carvalho cclaudio at linux.vnet.ibm.com
Sun Nov 12 04:28:40 AEDT 2017


The stb.c code was imported into the secureboot.c, trustedboot.c and
cvc.c. Now it has only duplicated code.

This removes the current stb.c code, except the stb_init() function,
which is updated to call only secureboot_init() and trustedboot_init().

The libstb calls are also replaced with a correspondent function from
secureboot.h and trustedboot.h.

Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
---
 core/flash.c |   5 +-
 core/init.c  |   3 +-
 libstb/stb.c | 316 ++---------------------------------------------------------
 libstb/stb.h |  56 +----------
 4 files changed, 16 insertions(+), 364 deletions(-)

diff --git a/core/flash.c b/core/flash.c
index 66568e7..4d5108c 100644
--- a/core/flash.c
+++ b/core/flash.c
@@ -26,7 +26,6 @@
 #include <libflash/blocklevel.h>
 #include <libflash/ecc.h>
 #include <libstb/stb.h>
-#include <libstb/container.h>
 #include <elf.h>
 
 struct flash {
@@ -799,8 +798,8 @@ done_reading:
 	 * Verify and measure the retrieved PNOR partition as part of the
 	 * secure boot and trusted boot requirements
 	 */
-	sb_verify(id, buf, *len);
-	tb_measure(id, buf, *len);
+	secureboot_verify(id, buf, *len);
+	trustedboot_measure(id, buf, *len);
 
 	/* Find subpartition */
 	if (subid != RESOURCE_SUBID_NONE) {
diff --git a/core/init.c b/core/init.c
index 8289dc9..e095338 100644
--- a/core/init.c
+++ b/core/init.c
@@ -47,7 +47,6 @@
 #include <nvram.h>
 #include <vas.h>
 #include <libstb/stb.h>
-#include <libstb/container.h>
 #include <phys-map.h>
 #include <imc.h>
 
@@ -417,7 +416,7 @@ static bool load_kernel(void)
 		return false;
 	}
 
-	stb_final();
+	trustedboot_exit_boot_services();
 
 	return true;
 }
diff --git a/libstb/stb.c b/libstb/stb.c
index f798bcb..d91e67a 100644
--- a/libstb/stb.c
+++ b/libstb/stb.c
@@ -1,4 +1,4 @@
-/* Copyright 2013-2016 IBM Corp.
+/* Copyright 2013-2017 IBM Corp.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,315 +14,15 @@
  * limitations under the License.
  */
 
-#include <skiboot.h>
-#include <device.h>
-#include <platform.h>
-#include <string.h>
-#include <stdio.h>
-#include <nvram.h>
-#include "stb.h"
-#include "status_codes.h"
-#include "container.h"
-#include "rom.h"
-#include "tpm_chip.h"
-
-/* For debugging only */
-//#define STB_DEBUG
-//#define STB_FORCE_SECURE_MODE
-//#define STB_FORCE_TRUSTED_MODE
-
-static bool secure_mode = false;
-static bool trusted_mode = false;
-
-static struct rom_driver_ops *rom_driver = NULL;
-
-#define MAX_RESOURCE_NAME	15
-
-/*
- * This maps a PCR for each resource we can measure. The PCR number is
- * mapped according to the TCG PC Client Platform Firmware Profile
- * specification, Revision 00.21
- * Only resources included in this whitelist can be measured.
- */
-static struct {
-
-	/* PNOR partition id */
-	enum resource_id id;
-
-	/* PCR mapping for the resource id */
-	TPM_Pcr pcr;
-
-	/* Resource name */
-	const char name[MAX_RESOURCE_NAME+1];
-
-} resource_map[] = {
-	{ RESOURCE_ID_KERNEL, PCR_4, "BOOTKERNEL" },
-	{ RESOURCE_ID_CAPP,   PCR_2, "CAPP"},
-};
-
-struct event_hash {
-	const unsigned char *sha1;
-	const unsigned char *sha256;
-};
-
-/*
- * Event Separator - digest of 0xFFFFFFFF
- */
-static struct event_hash evFF = {
-	.sha1   = "\xd9\xbe\x65\x24\xa5\xf5\x04\x7d\xb5\x86"
-		  "\x68\x13\xac\xf3\x27\x78\x92\xa7\xa3\x0a",
-
-	.sha256 = "\xad\x95\x13\x1b\xc0\xb7\x99\xc0\xb1\xaf"
-		  "\x47\x7f\xb1\x4f\xcf\x26\xa6\xa9\xf7\x60"
-		  "\x79\xe4\x8b\xf0\x90\xac\xb7\xe8\x36\x7b"
-		  "\xfd\x0e"
-};
-
-static int stb_resource_lookup(enum resource_id id)
-{
-	int i;
-	for (i = 0; i < ARRAY_SIZE(resource_map); i++)
-		if (resource_map[i].id == id)
-			return i;
-	return -1;
-}
-
-static void sb_enforce(void)
-{
-	/*
-	 * TODO: Ideally, the BMC should decide what security policy to apply
-	 * (power off, reboot, switch PNOR sides, etc). We may need
-	 * to provide extra info to BMC other than just abort.
-	 * Terminate Immediate Attention ? (TI)
-	 */
-	prlog(PR_EMERG, "STB: Secure mode enforced, aborting.\n");
-	abort();
-}
-
-void stb_init(void)
-{
-	struct dt_node *ibm_secureboot;
-	/*
-	 * The ibm,secureboot device tree properties are documented in
-	 * 'doc/device-tree/ibm,secureboot.rst'
-	 */
-	ibm_secureboot = dt_find_by_path(dt_root, "/ibm,secureboot");
-	if (ibm_secureboot == NULL) {
-		prlog(PR_NOTICE,"STB: secure and trusted boot not supported\n");
-		return;
-	}
-
-#ifdef STB_FORCE_SECURE_MODE
-	secure_mode = true;
-	prlog(PR_NOTICE, "STB: secure mode on (forced!)\n");
-#else
-	secure_mode = dt_has_node_property(ibm_secureboot, "secure-enabled",
-					   NULL);
-
-	if (nvram_query_eq("force-secure-mode", "always")) {
-		prlog(PR_NOTICE, "STB: secure mode on (FORCED by nvram)\n");
-		secure_mode = true;
-	} else if (secure_mode) {
-		prlog(PR_NOTICE, "STB: secure mode on.\n");
-	} else {
-		prlog(PR_NOTICE, "STB: secure mode off\n");
-	}
-#endif
-
-#ifdef STB_FORCE_TRUSTED_MODE
-	trusted_mode = true;
-	prlog(PR_NOTICE, "STB: trusted mode on (forced!)\n");
-#else
-	trusted_mode = dt_has_node_property(ibm_secureboot, "trusted-enabled",
-					    NULL);
-	if (nvram_query_eq("force-trusted-mode", "true")) {
-		prlog(PR_NOTICE, "STB: trusted mode ON (from NVRAM)\n");
-		trusted_mode = true;
-	}
-	prlog(PR_NOTICE, "STB: trusted mode %s\n",
-	      trusted_mode ? "on" : "off");
-#endif
-
-	if (!secure_mode && !trusted_mode)
-		return;
-	rom_driver = rom_init(ibm_secureboot);
-	if (secure_mode && !rom_driver) {
-		prlog(PR_EMERG, "STB: compatible romcode driver not found\n");
-		sb_enforce();
-	}
-	if (trusted_mode)
-		tpm_init();
-}
-
-int stb_final(void)
-{
-	uint32_t pcr;
-	int rc;
-	bool failed;
-
-	rc = 0;
-	failed = false;
-
-	if (trusted_mode) {
-#ifdef STB_DEBUG
-		prlog(PR_NOTICE, "STB: evFF.sha1:\n");
-		stb_print_data((uint8_t*) evFF.sha1, TPM_ALG_SHA1_SIZE);
-		prlog(PR_NOTICE, "STB: evFF.sha256:\n");
-		stb_print_data((uint8_t*) evFF.sha256, TPM_ALG_SHA256_SIZE);
+#ifndef pr_fmt
+#define pr_fmt(fmt) "STB: " fmt
 #endif
-		/*
-		 * We are done. Extending the digest of 0xFFFFFFFF
-		 * in PCR[0-7], and recording an EV_SEPARATOR event in
-		 * event log as defined in the TCG Platform Firmware Profile
-		 * specification, Revision 00.21
-		 */
-		for (pcr = 0; pcr < 8; pcr++) {
-			rc = tpm_extendl(pcr, TPM_ALG_SHA256,
-					(uint8_t*) evFF.sha256,
-					TPM_ALG_SHA256_SIZE, TPM_ALG_SHA1,
-					(uint8_t*) evFF.sha1,
-					TPM_ALG_SHA1_SIZE, EV_SEPARATOR,
-					"Skiboot Boot");
-			if (rc)
-				failed = true;
-		}
-		tpm_add_status_property();
-	}
-	if (rom_driver) {
-		rom_driver->cleanup();
-		rom_driver = NULL;
-	}
-	tpm_cleanup();
-	secure_mode = false;
-	trusted_mode = false;
-	return (failed) ? STB_MEASURE_FAILED : 0;
-}
 
-int tb_measure(enum resource_id id, void *buf, size_t len)
-{
-	int r;
-	uint8_t digest[SHA512_DIGEST_LENGTH];
-	const uint8_t *digestp;
-
-	digestp = NULL;
-	if (!trusted_mode) {
-		prlog(PR_INFO, "STB: %s skipped resource %d, "
-		      "trusted_mode=0\n", __func__, id);
-		return STB_TRUSTED_MODE_DISABLED;
-	}
-	r = stb_resource_lookup(id);
-	if (r == -1) {
-		/**
-		 * @fwts-label STBMeasureResourceNotMapped
-		 * @fwts-advice The resource is not registered in the resource_map[]
-		 * array, but it should be otherwise the resource cannot be
-		 * measured if trusted mode is on.
-		 */
-		prlog(PR_ERR, "STB: %s failed, resource %d not mapped\n",
-		      __func__, id);
-		return STB_ARG_ERROR;
-	}
-	if (!buf) {
-		/**
-		 * @fwts-label STBNullResourceReceived
-		 * @fwts-advice Null resource passed to tb_measure. This has
-		 * come from the resource load framework and likely indicates a
-		 * bug in the framework.
-		 */
-		prlog(PR_ERR, "STB: %s failed: resource %s, buf null\n",
-		      __func__, resource_map[r].name);
-		return STB_ARG_ERROR;
-	}
-	memset(digest, 0, SHA512_DIGEST_LENGTH);
-	/*
-	 * In secure mode we can use the sw-payload-hash from the container
-	 * header to measure the container payload. Otherwise we must calculate
-	 * the hash of the container payload (if it's a container) or the image
-	 * (if it's not a container)
-	 */
-	if (stb_is_container(buf, len)) {
-		digestp = stb_sw_payload_hash(buf, len);
-		if(!digestp) {
-			prlog(PR_EMERG, "STB Container is corrupt, can't find hash\n");
-			abort();
-		}
-
-		rom_driver->sha512(
-			      (void*)((uint8_t*)buf + SECURE_BOOT_HEADERS_SIZE),
-			      len - SECURE_BOOT_HEADERS_SIZE, digest);
-
-		prlog(PR_INFO, "STB: %s sha512 hash re-calculated\n",
-		      resource_map[r].name);
-		if (memcmp(digestp, digest, TPM_ALG_SHA256_SIZE) != 0) {
-			prlog(PR_ALERT, "STB: HASH IN CONTAINER DOESN'T MATCH CONTENT!\n");
-			prlog(PR_ALERT, "STB: Container hash:\n");
-			stb_print_data(digestp, TPM_ALG_SHA256_SIZE);
-			prlog(PR_ALERT, "STB: Computed hash (on %lx bytes):\n", len);
-			stb_print_data(digest, TPM_ALG_SHA256_SIZE);
-
-			if (secure_mode)
-				abort();
-		}
-	} else {
-		rom_driver->sha512(buf, len, digest);
-		prlog(PR_INFO, "STB: %s sha512 hash calculated\n",
-		      resource_map[r].name);
-	}
-
-#ifdef STB_DEBUG
-	/* print the payload/image hash */
-	prlog(PR_NOTICE, "STB: %s hash:\n", resource_map[r].name);
-	stb_print_data(digest, TPM_ALG_SHA256_SIZE);
-#endif
-	/*
-	 * Measure the resource. Since the ROM code doesn't provide a sha1 hash
-	 * algorithm, the sha512 hash is truncated to match the size required
-	 * by each PCR bank.
-	 */
-	return tpm_extendl(resource_map[r].pcr,
-			   TPM_ALG_SHA256, digest, TPM_ALG_SHA256_SIZE,
-			   TPM_ALG_SHA1,   digest, TPM_ALG_SHA1_SIZE,
-			   EV_ACTION, resource_map[r].name);
-}
+#include "tpm_chip.h"
+#include "stb.h"
 
-int sb_verify(enum resource_id id, void *buf, size_t len)
+void stb_init(void)
 {
-	int r;
-	const char *name = NULL;
-
-	if (!secure_mode) {
-		prlog(PR_INFO, "STB: %s skipped resource %d, "
-		      "secure_mode=0\n", __func__, id);
-		return STB_SECURE_MODE_DISABLED;
-	}
-	r = stb_resource_lookup(id);
-	if (r == -1)
-		/**
-		 * @fwts-label STBVerifyResourceNotMapped
-		 * @fwts-advice Unregistered resources can be verified, but not
-		 * measured. The resource should be registered in the
-		 * resource_map[] array, otherwise the resource cannot be
-		 * measured if trusted mode is on.
-		 */
-		prlog(PR_WARNING, "STB: verifying the non-expected "
-		      "resource %d\n", id);
-	else
-		name = resource_map[r].name;
-	if (!rom_driver || !rom_driver->verify) {
-		prlog(PR_EMERG, "STB: secure boot not initialized\n");
-		sb_enforce();
-	}
-	if (!buf || len < SECURE_BOOT_HEADERS_SIZE) {
-		prlog(PR_EMERG, "STB: %s arg error: id %d, buf %p, len %zd\n",
-		      __func__, id, buf, len);
-		sb_enforce();
-	}
-	if (rom_driver->verify(buf)) {
-		prlog(PR_EMERG, "STB: %s failed: resource %s, "
-		      "eyecatcher 0x%016llx\n", __func__, name,
-		      *((uint64_t*)buf));
-		sb_enforce();
-	}
-	prlog(PR_NOTICE, "STB: %s verified\n", name);
-	return 0;
+	secureboot_init();
+	trustedboot_init();
 }
diff --git a/libstb/stb.h b/libstb/stb.h
index 6ca44ea..f5defa4 100644
--- a/libstb/stb.h
+++ b/libstb/stb.h
@@ -1,4 +1,4 @@
-/* Copyright 2013-2016 IBM Corp.
+/* Copyright 2013-2017 IBM Corp.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,56 +17,10 @@
 #ifndef __STB_H
 #define __STB_H
 
-/**
- * This reads secure mode and trusted mode from device tree and
- * loads drivers accordingly.
- */
-extern void stb_init(void);
-
-/**
- * As defined in the TCG Platform Firmware Profile specification, the
- * digest of 0xFFFFFFFF or 0x00000000  must be extended in PCR[0-7] and
- * an EV_SEPARATOR event must be recorded in the event log for PCR[0-7]
- * prior to the first invocation of the first Ready to Boot call.
- *
- * This function should be called before the control is passed to petitboot
- * kernel in order to do the proper PCR extend and event log recording as
- * defined above. This function also deallocates the memory allocated for secure
- * and trusted boot.
- */
-extern int stb_final(void);
-
-/**
- * sb_verify - verify a resource
- * @id   : resource id
- * @buf  : data to be verified
- * @len  : buf length
- *
- * This verifies the integrity and authenticity of a resource downloaded from
- * PNOR if secure mode is on. The verification is done by the
- * verification code flashed in the secure ROM.
- *
- * For more information refer to 'doc/stb.rst'
- *
- * returns: 0 otherwise the boot process is aborted
- */
-extern int sb_verify(enum resource_id id, void *buf, size_t len);
+#include <libstb/secureboot.h>
+#include <libstb/trustedboot.h>
+#include <libstb/container.h>
 
-
-/**
- * tb_measure - measure a resource
- * @id    : resource id
- * @buf   : data to be measured
- * @len   : buf length
- *
- * This measures a resource downloaded from PNOR if trusted mode is on. That is,
- * an EV_ACTION event is recorded in the event log for the mapped PCR, and the
- * the sha1 and sha256 measurements are extended in the mapped PCR.
- *
- * For more information please refer to 'doc/stb.rst'
- *
- * returns: 0 or an error as defined in status_codes.h
- */
-extern int tb_measure(enum resource_id id, void *buf, size_t len);
+void stb_init(void);
 
 #endif /* __STB_H */
-- 
2.7.4



More information about the Skiboot mailing list