[Skiboot] [PATCH 04/19] hdata/tpmrel.c: register CVC services during HDAT parsing

Oliver oohall at gmail.com
Thu Nov 30 09:15:20 AEDT 2017


On Wed, Nov 29, 2017 at 10:40 PM, Claudio Carvalho
<cclaudio at linux.vnet.ibm.com> wrote:
>
>
>>>> diff --git a/hdata/tpmrel.c b/hdata/tpmrel.c
>>>> index 0aaa70b..11ed3ce 100644
>>>> --- a/hdata/tpmrel.c
>>>> +++ b/hdata/tpmrel.c
>>>> @@ -20,6 +20,8 @@
>>>>
>>>>  #include <skiboot.h>
>>>>  #include <device.h>
>>>> +#include <inttypes.h>
>>>> +#include <libstb/cvc.h>
>>>>
>>>>  #include "spira.h"
>>>>  #include "hdata.h"
>>>> @@ -72,6 +74,93 @@ static void tpmrel_add_firmware_event_log(const
>>>> struct HDIF_common_hdr *hdif_hdr
>>>>      }
>>>>  }
>>>>
>>>> +static const struct msvpd_hb_reserved_mem
>>>> *get_cvc_reserved_memory(void)
>>>> +{
>>>> +
>>>
>>>
>>> Maybe we should add another property inside reserved-memory to identify
>>> the reserved-memory type and use it here. Today it is only secure boot,
>>> but tomorrow someone else may want to use the type field.
>>
>>
>> hmm ... maybe we don't need to add another property. Double checking the
>> HDAT spec, it defines that the label for the CVC reserved memory is
>> "ibm,secure-crypt-algo-code" and skiboot uses the label for the
>> reserved-memory node name and its "ibm,prd-label", see below. If it is OK, I
>> can iterate on the /ibm,hostboot/reserved-memory children looking for
>> ibm,prd-label="ibm,secure-crypt-algo-code".
>>
>>                 ibm,secure-crypt-algo-code at ffd330000 {
>>                         ibm,prd-label = "ibm,secure-crypt-algo-code";
>>                         ibm,prd-instance = <0x0>;
>>                         phandle = <0x545>;
>>                         reg = <0xf 0xfd330000 0x0 0x10000>;
>>                 };
>>
>
> Actually, just realized that ibm,prd-instance is the reserved memory type. I
> can use it to identify the CVC reserved memory. Thank you.
>
> Claudio

Can you check where the prd-label comes from first? IIRC they are
added late in the boot process based on the region names, but if
that's a problem then we can probably just add them in the HDAT parser
rather than as a later step.

>
>
>
>>>
>>>> +    const struct msvpd_hb_reserved_mem *hb_resv_mem;
>>>> +    const struct HDIF_common_hdr *ms_vpd;
>>>> +    uint32_t type;
>>>> +    int count, i;
>>>> +
>>>> +    ms_vpd = get_hdif(&spira.ntuples.ms_vpd, MSVPD_HDIF_SIG);
>>>> +
>>>> +    if (!ms_vpd) {
>>>> +        prlog(PR_ERR, "MS VPD invalid\n");
>>>> +        return NULL;
>>>> +    }
>>>> +
>>>> +    count = HDIF_get_iarray_size(ms_vpd, MSVPD_IDATA_HB_RESERVED_MEM);
>>>> +    if (count <= 0) {
>>>> +        prlog(PR_ERR, "no hostboot reserved memory found\n");
>>>> +        return NULL;
>>>> +    }
>>>> +
>>>> +    for (i = 0; i < count; i++) {
>>>> +        hb_resv_mem = HDIF_get_iarray_item(ms_vpd,
>>>> +                           MSVPD_IDATA_HB_RESERVED_MEM,
>>>> +                           i, NULL);
>>>> +        if (!CHECK_SPPTR(hb_resv_mem))
>>>> +            continue;
>>>> +
>>>> +        type = be32_to_cpu(hb_resv_mem->type_instance);
>>>> +        type = GETFIELD(MSVPD_HBRMEM_RANGE_TYPE, type);
>>>> +
>>>> +        /* Reserved memory for the Container Verification Code? */
>>>> +        if (type == HBRMEM_CONTAINER_VERIFICATION_CODE)
>>>> +            return hb_resv_mem;
>>>> +    }
>>>> +
>>>> +    return NULL;
>>>> +}
>>>> +
>>>> +#define HRMOR_BIT (1ul << 63)
>>>> +
>>>> +static void tpmrel_cvc_init(struct HDIF_common_hdr *hdif_hdr)
>>>> +{
>>>> +    const struct hash_and_verification *hv;
>>>> +    const struct msvpd_hb_reserved_mem *cvc_resv_mem;
>>>> +    uint32_t type, version, offset;
>>>> +    uint64_t start_addr, end_addr;
>>>> +    int count, i;
>>>> +
>>>> +    cvc_resv_mem = get_cvc_reserved_memory();
>>>> +
>>>> +    if (!cvc_resv_mem) {
>>>> +        prlog(PR_ERR, "CVC reserved memory not found\n");
>>>> +        return;
>>>> +    }
>>>> +
>>>> +    start_addr = be64_to_cpu(cvc_resv_mem->start_addr);
>>>> +    start_addr &= ~HRMOR_BIT;
>>>> +    end_addr = be64_to_cpu(cvc_resv_mem->end_addr);
>>>> +    end_addr &= ~HRMOR_BIT;
>>>> +    prlog(PR_DEBUG, "Found CVC at 0x%"PRIx64"...0x%"PRIx64"\n",
>>>> +          start_addr, end_addr);
>>>> +    cvc_register(start_addr, end_addr);
>>>> +    /*
>>>> +     * Initialize each service provided by the container verification
>>>> code
>>>> +     */
>>>> +    count = HDIF_get_iarray_size(hdif_hdr,
>>>> TPMREL_IDATA_HASH_VERIF_OFFSETS);
>>>> +    if (count <= 0 ) {
>>>> +        prlog(PR_ERR, "no CVC service found\n"more information in the XIVE );
>>>> +        return;
>>>> +    }
>>>> +
>>>> +    for (i = 0; i < count; i++) {more information in the XIVE more information in the XIVE more information in the XIVE
>>>> +more information in the XIVE more information in the XIVE more information in the XIVE
>>>> +        hv = HDIF_get_iarray_item(hdif_hdr,
>>>> +                      TPMREL_IDATA_HASH_VERIF_OFFSETS,
>>>> +                      i, NULL);
>>>> +        type = be32_to_cpu(hv->type);
>>>> +        version = be32_to_cpu(hv->version);
>>>> +        offset = be32_to_cpu(hv->offset);
>>>
>>>
>>> Like Oliver mentioned you can add these properties to DT, and then call
>>> cvc_service_register outside hdata parsing.
>>>
>>
>> Right. I will add the /ibm,secureboot/ibm,cvc node as DT_PRIVATE and then
>> call cvc_service_register outside of hdat parsing.
>>
>>                 ibm,cvc {
>>                         phandle = <0xd9>;
>>                         #address-cells = <0x1>;
>>                         #size-cells = <0x0>;
>>                         compatible = "ibm,container-verification-code";
>>                         memory-region = <0x81>;      ;; This points to the
>> /ibm,hostboot/reserved-memory/ibm,secure-crypt-algo-code/phandle
>>
>>                         ibm,cvc-offset at 40 {
>>                                 phandle = <0xda>;
>>                                 compatible = "ibm,cvc-sha512";
>>                                 reg = <0x40>;
>>                                 version = 1;
>>                         };
>>
>>                         ibm,cvc-offset at 50 {
>>                                 phandle = <0xdb>;
>>                                 compatible = "ibm,cvc-verify";
>>                                 reg = <0x50>;
>>                                 version = 1;
>>                         };
>>                 }
>>
>>
>> Claudio
>>
>

