[Skiboot] [PATCH 08/19] libstb/cvc.c: import softrom behavior from drivers/sw_driver.c

Oliver oohall at gmail.com
Thu Nov 23 12:18:17 AEDT 2017


On Thu, Nov 23, 2017 at 12:15 AM, Claudio Carvalho
<cclaudio at linux.vnet.ibm.com> wrote:
>
>> On 21/11/2017 03:16, Oliver wrote:
>>>
>>> On Sun, Nov 12, 2017 at 4:28 AM, Claudio Carvalho
>>> <cclaudio at linux.vnet.ibm.com> wrote:
>>>>
>>>> Softrom is used only for testing with mambo. By setting
>>>> compatible="ibm,secureboot-v1-softrom" in the "ibm,secureboot" node,
>>>> firmware images can be properly measured even if the
>>>> Container-Verification-Code (CVC) is not available. In this case, the
>>>> mbedtls_sha512() function is used to calculate the sha512 hash of the
>>>> firmware images.
>>>
>>> If this is only used for testing in mambo why not build your own CVC
>>> rom and load that into mambo? That way you can use the same interface
>>> for sim and bare metal.
>>
>>
>> The CVC source code is now public:
>> https://github.com/open-power/hostboot/tree/master/src/securerom
>>
>> Maybe skiboot can build and load it into mambo as suggested by Oliver,
>> what do you think?
>>
>> Claudio
>>
>
> What do you think Stewart?

I asked Stewart about it the other day and wasn't too happy about
relying on blobs from hostboot. I still think it's not a bad idea
given the interfaces between different bits of software are where the
bugs tend to be. And debugging that sort of problem inside of mambo
seems way less painful than doing it on real hardware. That said, I'm
not the one working on it, so do whatever works for you.

>
>
> Claudio
>
>>>
>>>> This imports the softrom behavior from libstb/drivers/sw_driver.c code
>>>> into cvc.c, but now softrom is implemented as a flag. When the flag is
>>>> set, the wrappers for the CVC services work the same way as in
>>>> sw_driver.c.
>>>>
>>>> Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
>>>> ---
>>>>   libstb/cvc.c | 13 +++++++++++++
>>>>   1 file changed, 13 insertions(+)
>>>>
>>>> diff --git a/libstb/cvc.c b/libstb/cvc.c
>>>> index ddb6a1c..5f46e5e 100644
>>>> --- a/libstb/cvc.c
>>>> +++ b/libstb/cvc.c
>>>> @@ -25,6 +25,7 @@
>>>>   #include <xscom.h>
>>>>   #include "container.h"
>>>>   #include "cvc.h"
>>>> +#include "mbedtls/sha512.h"
>>>>
>>>>   /*
>>>>    * Assembly interfaces to call into the Container Verification Code.
>>>> @@ -251,6 +252,15 @@ int call_cvc_sha512(const uint8_t *data, size_t
>>>> data_len, uint8_t *digest,
>>>>                  return OPAL_SUCCESS;
>>>>
>>>>          memset(digest, 0, SHA512_DIGEST_LENGTH);
>>>> +       if (softrom) {
>>>> +               mbedtls_sha512_context ctx;
>>>> +               mbedtls_sha512_init(&ctx);
>>>> +               mbedtls_sha512_starts(&ctx, 0); // SHA512 = 0
>>>> +               mbedtls_sha512_update(&ctx, data, data_len);
>>>> +               mbedtls_sha512_finish(&ctx, digest);
>>>> +               mbedtls_sha512_free(&ctx);
>>>> +               return OPAL_SUCCESS;
>>>> +       }
>>>>
>>>>          service = cvc_find_service(CVC_SHA512_SERVICE);
>>>>
>>>> @@ -276,6 +286,9 @@ int call_cvc_verify(void *container, size_t len,
>>>> const void *hw_key_hash,
>>>>              !hw_key_hash || hw_key_hash_size <= 0)
>>>>                  return OPAL_PARAMETER;
>>>>
>>>> +       if (softrom)
>>>> +               return OPAL_RESOURCE;
>>>> +
>>>>          service = cvc_find_service(CVC_VERIFY_SERVICE);
>>>>
>>>>          if (!service)
>>>> --
>>>> 2.7.4
>>>>
>>>> _______________________________________________
>>>> Skiboot mailing list
>>>> Skiboot at lists.ozlabs.org
>>>> https://lists.ozlabs.org/listinfo/skiboot
>>
>>
>


More information about the Skiboot mailing list