[Skiboot] [PATCH 04/19] hdata/tpmrel.c: register CVC services during HDAT parsing
Oliver
oohall at gmail.com
Thu Nov 30 09:15:20 AEDT 2017
On Wed, Nov 29, 2017 at 10:40 PM, Claudio Carvalho
<cclaudio at linux.vnet.ibm.com> wrote:
>
>
>>>> diff --git a/hdata/tpmrel.c b/hdata/tpmrel.c
>>>> index 0aaa70b..11ed3ce 100644
>>>> --- a/hdata/tpmrel.c
>>>> +++ b/hdata/tpmrel.c
>>>> @@ -20,6 +20,8 @@
>>>>
>>>> #include <skiboot.h>
>>>> #include <device.h>
>>>> +#include <inttypes.h>
>>>> +#include <libstb/cvc.h>
>>>>
>>>> #include "spira.h"
>>>> #include "hdata.h"
>>>> @@ -72,6 +74,93 @@ static void tpmrel_add_firmware_event_log(const
>>>> struct HDIF_common_hdr *hdif_hdr
>>>> }
>>>> }
>>>>
>>>> +static const struct msvpd_hb_reserved_mem
>>>> *get_cvc_reserved_memory(void)
>>>> +{
>>>> +
>>>
>>>
>>> Maybe we should add another property inside reserved-memory to identify
>>> the reserved-memory type and use it here, because today it's just secure boot;
>>> tomorrow someone else may want to use the type field.
>>
>>
>> hmm ... maybe we don't need to add another property. Double checking the
>> HDAT spec, it defines that the label for the CVC reserved memory is
>> "ibm,secure-crypt-algo-code" and skiboot uses the label for the
>> reserved-memory node name and its "ibm,prd-label", see below. If it is OK, I
>> can iterate on the /ibm,hostboot/reserved-memory children looking for
>> ibm,prd-label="ibm,secure-crypt-algo-code".
>>
>> ibm,secure-crypt-algo-code at ffd330000 {
>> ibm,prd-label = "ibm,secure-crypt-algo-code";
>> ibm,prd-instance = <0x0>;
>> phandle = <0x545>;
>> reg = <0xf 0xfd330000 0x0 0x10000>;
>> };
>>
>
> Actually, just realized that ibm,prd-instance is the reserved memory type. I
> can use it to identify the CVC reserved memory. Thank you.
>
> Claudio
Can you check where the prd-label comes from first? IIRC they are
added late in the boot process based on the region names, but if
that's a problem then we can probably just add them in the HDAT parser
rather than as a later step.
>
>
>
>>>
>>>> + const struct msvpd_hb_reserved_mem *hb_resv_mem;
>>>> + const struct HDIF_common_hdr *ms_vpd;
>>>> + uint32_t type;
>>>> + int count, i;
>>>> +
>>>> + ms_vpd = get_hdif(&spira.ntuples.ms_vpd, MSVPD_HDIF_SIG);
>>>> +
>>>> + if (!ms_vpd) {
>>>> + prlog(PR_ERR, "MS VPD invalid\n");
>>>> + return NULL;
>>>> + }
>>>> +
>>>> + count = HDIF_get_iarray_size(ms_vpd, MSVPD_IDATA_HB_RESERVED_MEM);
>>>> + if (count <= 0) {
>>>> + prlog(PR_ERR, "no hostboot reserved memory found\n");
>>>> + return NULL;
>>>> + }
>>>> +
>>>> + for (i = 0; i < count; i++) {
>>>> + hb_resv_mem = HDIF_get_iarray_item(ms_vpd,
>>>> + MSVPD_IDATA_HB_RESERVED_MEM,
>>>> + i, NULL);
>>>> + if (!CHECK_SPPTR(hb_resv_mem))
>>>> + continue;
>>>> +
>>>> + type = be32_to_cpu(hb_resv_mem->type_instance);
>>>> + type = GETFIELD(MSVPD_HBRMEM_RANGE_TYPE, type);
>>>> +
>>>> + /* Reserved memory for the Container Verification Code? */
>>>> + if (type == HBRMEM_CONTAINER_VERIFICATION_CODE)
>>>> + return hb_resv_mem;
>>>> + }
>>>> +
>>>> + return NULL;
>>>> +}
>>>> +
>>>> +#define HRMOR_BIT (1ul << 63)
>>>> +
>>>> +static void tpmrel_cvc_init(struct HDIF_common_hdr *hdif_hdr)
>>>> +{
>>>> + const struct hash_and_verification *hv;
>>>> + const struct msvpd_hb_reserved_mem *cvc_resv_mem;
>>>> + uint32_t type, version, offset;
>>>> + uint64_t start_addr, end_addr;
>>>> + int count, i;
>>>> +
>>>> + cvc_resv_mem = get_cvc_reserved_memory();
>>>> +
>>>> + if (!cvc_resv_mem) {
>>>> + prlog(PR_ERR, "CVC reserved memory not found\n");
>>>> + return;
>>>> + }
>>>> +
>>>> + start_addr = be64_to_cpu(cvc_resv_mem->start_addr);
>>>> + start_addr &= ~HRMOR_BIT;
>>>> + end_addr = be64_to_cpu(cvc_resv_mem->end_addr);
>>>> + end_addr &= ~HRMOR_BIT;
>>>> + prlog(PR_DEBUG, "Found CVC at 0x%"PRIx64"...0x%"PRIx64"\n",
>>>> + start_addr, end_addr);
>>>> + cvc_register(start_addr, end_addr);
>>>> + /*
>>>> + * Initialize each service provided by the container verification
>>>> code
>>>> + */
>>>> + count = HDIF_get_iarray_size(hdif_hdr,
>>>> TPMREL_IDATA_HASH_VERIF_OFFSETS);
>>>> + if (count <= 0 ) {
>>>> + prlog(PR_ERR, "no CVC service found\n"more information in the XIVE );
>>>> + return;
>>>> + }
>>>> +
>>>> + for (i = 0; i < count; i++) {more information in the XIVE more information in the XIVE more information in the XIVE
>>>> +more information in the XIVE more information in the XIVE more information in the XIVE
>>>> + hv = HDIF_get_iarray_item(hdif_hdr,
>>>> + TPMREL_IDATA_HASH_VERIF_OFFSETS,
>>>> + i, NULL);
>>>> + type = be32_to_cpu(hv->type);
>>>> + version = be32_to_cpu(hv->version);
>>>> + offset = be32_to_cpu(hv->offset);
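Review bot: The `hv` returned by HDIF_get_iarray_item() in the service loop is dereferenced (`hv->type`) with no validity check, whereas get_cvc_reserved_memory() guards the same kind of item with `CHECK_SPPTR(hb_resv_mem)` before touching it; a malformed or short iarray entry in the HDAT would fault the parser instead of being skipped. Add `if (!CHECK_SPPTR(hv)) continue;` between the HDIF_get_iarray_item() call and `type = be32_to_cpu(hv->type);`. The start/end addresses handed to cvc_register() also come straight from the reserved-memory entry with only the HRMOR bit masked; unless cvc_register() validates the range itself, a `start_addr < end_addr` check before the call (with a prlog on failure) would keep a bad entry from registering an inverted or empty region. Minor style: `if (count <= 0 )` has a stray space before the closing parenthesis. tpmrel_cvc_init() continues past the quoted portion of the hunk, so the remainder of the loop is not visible here.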
>>>
>>>
>>> Like Oliver mentioned, you can add these properties to the DT and then call
>>> cvc_service_register outside of hdata parsing.
>>>
>>
>> Right. I will add the /ibm,secureboot/ibm,cvc node as DT_PRIVATE and then
>> call cvc_service_register outside of hdat parsing.
>>
>> ibm,cvc {
>> phandle = <0xd9>;
>> #address-cells = <0x1>;
>> #size-cells = <0x0>;
>> compatible = "ibm,container-verification-code";
>> memory-region = <0x81>; ;; This points to the
>> /ibm,hostboot/reserved-memory/ibm,secure-crypt-algo-code/phandle
>>
>> ibm,cvc-offset at 40 {
>> phandle = <0xda>;
>> compatible = "ibm,cvc-sha512";
>> reg = <0x40>;
>> version = 1;
>> };
>>
>> ibm,cvc-offset at 50 {
>> phandle = <0xdb>;
>> compatible = "ibm,cvc-verify";
>> reg = <0x50>;
>> version = 1;
>> };
>> }
>>
>>
>> Claudio
>>
>