[Skiboot] [PATCH 04/19] hdata/tpmrel.c: register CVC services during HDAT parsing

Claudio Carvalho cclaudio at linux.vnet.ibm.com
Wed Nov 29 22:40:03 AEDT 2017



>>> diff --git a/hdata/tpmrel.c b/hdata/tpmrel.c
>>> index 0aaa70b..11ed3ce 100644
>>> --- a/hdata/tpmrel.c
>>> +++ b/hdata/tpmrel.c
>>> @@ -20,6 +20,8 @@
>>>
>>>  #include <skiboot.h>
>>>  #include <device.h>
>>> +#include <inttypes.h>
>>> +#include <libstb/cvc.h>
>>>
>>>  #include "spira.h"
>>>  #include "hdata.h"
>>> @@ -72,6 +74,93 @@ static void tpmrel_add_firmware_event_log(const 
>>> struct HDIF_common_hdr *hdif_hdr
>>>      }
>>>  }
>>>
>>> +static const struct msvpd_hb_reserved_mem 
>>> *get_cvc_reserved_memory(void)
>>> +{
>>> +
>>
>> Maybe we should add another property inside reserved-memory to 
>> identify the reserved-memory type and use it here. Because today it's just 
>> secureboot. Tomorrow someone else may want to use the type field.
>
> hmm ... maybe we don't need to add another property. Double checking 
> the HDAT spec, it defines that the label for the CVC reserved memory 
> is "ibm,secure-crypt-algo-code" and skiboot uses the label for the 
> reserved-memory node name and its "ibm,prd-label", see below. If it is 
> OK, I can iterate on the /ibm,hostboot/reserved-memory children 
> looking for ibm,prd-label="ibm,secure-crypt-algo-code".
>
>                 ibm,secure-crypt-algo-code at ffd330000 {
>                         ibm,prd-label = "ibm,secure-crypt-algo-code";
>                         ibm,prd-instance = <0x0>;
>                         phandle = <0x545>;
>                         reg = <0xf 0xfd330000 0x0 0x10000>;
>                 };
>

Actually, just realized that ibm,prd-instance is the reserved memory 
type. I can use it to identify the CVC reserved memory. Thank you.

Claudio


>>
>>> +    const struct msvpd_hb_reserved_mem *hb_resv_mem;
>>> +    const struct HDIF_common_hdr *ms_vpd;
>>> +    uint32_t type;
>>> +    int count, i;
>>> +
>>> +    ms_vpd = get_hdif(&spira.ntuples.ms_vpd, MSVPD_HDIF_SIG);
>>> +
>>> +    if (!ms_vpd) {
>>> +        prlog(PR_ERR, "MS VPD invalid\n");
>>> +        return NULL;
>>> +    }
>>> +
>>> +    count = HDIF_get_iarray_size(ms_vpd, MSVPD_IDATA_HB_RESERVED_MEM);
>>> +    if (count <= 0) {
>>> +        prlog(PR_ERR, "no hostboot reserved memory found\n");
>>> +        return NULL;
>>> +    }
>>> +
>>> +    for (i = 0; i < count; i++) {
>>> +        hb_resv_mem = HDIF_get_iarray_item(ms_vpd,
>>> +                           MSVPD_IDATA_HB_RESERVED_MEM,
>>> +                           i, NULL);
>>> +        if (!CHECK_SPPTR(hb_resv_mem))
>>> +            continue;
>>> +
>>> +        type = be32_to_cpu(hb_resv_mem->type_instance);
>>> +        type = GETFIELD(MSVPD_HBRMEM_RANGE_TYPE, type);
>>> +
>>> +        /* Reserved memory for the Container Verification Code? */
>>> +        if (type == HBRMEM_CONTAINER_VERIFICATION_CODE)
>>> +            return hb_resv_mem;
>>> +    }
>>> +
>>> +    return NULL;
>>> +}
>>> +
>>> +#define HRMOR_BIT (1ul << 63)
>>> +
>>> +static void tpmrel_cvc_init(struct HDIF_common_hdr *hdif_hdr)
>>> +{
>>> +    const struct hash_and_verification *hv;
>>> +    const struct msvpd_hb_reserved_mem *cvc_resv_mem;
>>> +    uint32_t type, version, offset;
>>> +    uint64_t start_addr, end_addr;
>>> +    int count, i;
>>> +
>>> +    cvc_resv_mem = get_cvc_reserved_memory();
>>> +
>>> +    if (!cvc_resv_mem) {
>>> +        prlog(PR_ERR, "CVC reserved memory not found\n");
>>> +        return;
>>> +    }
>>> +
>>> +    start_addr = be64_to_cpu(cvc_resv_mem->start_addr);
>>> +    start_addr &= ~HRMOR_BIT;
>>> +    end_addr = be64_to_cpu(cvc_resv_mem->end_addr);
>>> +    end_addr &= ~HRMOR_BIT;
>>> +    prlog(PR_DEBUG, "Found CVC at 0x%"PRIx64"...0x%"PRIx64"\n",
>>> +          start_addr, end_addr);
>>> +    cvc_register(start_addr, end_addr);
>>> +    /*
>>> +     * Initialize each service provided by the container 
>>> verification code
>>> +     */
>>> +    count = HDIF_get_iarray_size(hdif_hdr, 
>>> TPMREL_IDATA_HASH_VERIF_OFFSETS);
>>> +    if (count <= 0 ) {
>>> +        prlog(PR_ERR, "no CVC service found\n");
>>> +        return;
>>> +    }
>>> +
>>> +    for (i = 0; i < count; i++) {
>>> +
>>> +        hv = HDIF_get_iarray_item(hdif_hdr,
>>> +                      TPMREL_IDATA_HASH_VERIF_OFFSETS,
>>> +                      i, NULL);
>>> +        type = be32_to_cpu(hv->type);
>>> +        version = be32_to_cpu(hv->version);
>>> +        offset = be32_to_cpu(hv->offset);
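Review bot: `hv` returned by HDIF_get_iarray_item is dereferenced at `type = be32_to_cpu(hv->type);` without the CHECK_SPPTR guard that get_cvc_reserved_memory applies to the same helper's result earlier in this hunk, so an entry that fails the pointer check in the HASH_VERIF_OFFSETS array would be read unchecked. Mirror the earlier loop and add `if (!CHECK_SPPTR(hv)) continue;` before the three field reads; since HDAT content is supplied by the previous boot stage, skipping a bad entry is the safer failure mode than faulting during hdata parsing. The earlier `if (count <= 0 ) {` also has a stray space before the closing parenthesis that the otherwise identical check in get_cvc_reserved_memory does not. tpmrel_cvc_init continues past the end of the quoted hunk.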
>>
>> Like Oliver mentioned, you can add these properties to the DT, and then 
>> call cvc_service_register outside of hdata parsing.
>>
>
> Right. I will add the /ibm,secureboot/ibm,cvc node as DT_PRIVATE and 
> then call cvc_service_register outside of hdat parsing.
>
>                 ibm,cvc {
>                         phandle = <0xd9>;
>                         #address-cells = <0x1>;
>                         #size-cells = <0x0>;
>                         compatible = "ibm,container-verification-code";
>                         memory-region = <0x81>;      ;; This points to 
> the /ibm,hostboot/reserved-memory/ibm,secure-crypt-algo-code/phandle
>
>                         ibm,cvc-offset at 40 {
>                                 phandle = <0xda>;
>                                 compatible = "ibm,cvc-sha512";
>                                 reg = <0x40>;
>                                 version = 1;
>                         };
>
>                         ibm,cvc-offset at 50 {
>                                 phandle = <0xdb>;
>                                 compatible = "ibm,cvc-verify";
>                                 reg = <0x50>;
>                                 version = 1;
>                         };
>                 }
>
>
> Claudio
>


