[Skiboot] [PATCH] opal/init: Fix VERSION hash calculation by Re-ordering inits

Fri Apr 13 17:20:43 AEST 2018

We have currently VERSION parition loads early in the boot stage
for BMC platforms, which is not verified/measured by STB. Currnetly
STB init depends on nvram settings, which need nvram init, nvram init
depends on pnor init. So we cannot move stb init before platform init.

So this patch fixes this issue by following below init order for BMC
platforms to have a proper hash calculation for all the flash resources.

pnor_init --> nvram_init --> stb_init --> preload_flash_resources

In FSP platforms init remains unchanged.

And currently VERSION partition isn't signed, hence enabled only
trusted_measure for it. And also PCR_3 used for measurements as
VERSION is a data partition.

[   68.444384848,5] STB: VERSION hash calculated
[   68.489532547,5] STB: VERSION measured on pcr3 (tpm0, evType 0x5, evLogLen 2253)

Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe at linux.vnet.ibm.com>
---
 core/init.c               |  4 ++--
 libstb/trustedboot.c      |  4 ++++
 platforms/astbmc/common.c | 15 +++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/core/init.c b/core/init.c
index b91e34b..0b294c8 100644
--- a/core/init.c
+++ b/core/init.c
@@ -1048,8 +1048,8 @@ void __noreturn __nomcount main_cpu_entry(const void *fdt)
 	if (platform.init)
 		platform.init();
 
-	/* Read in NVRAM and set it up */
-	nvram_init();
+	/* Read in NVRAM and set it up, if not already done */
+	nvram_reinit();
 
 	/* Set the console level */
 	console_log_level();
diff --git a/libstb/trustedboot.c b/libstb/trustedboot.c
index 151e4e1..071a592 100644
--- a/libstb/trustedboot.c
+++ b/libstb/trustedboot.c
@@ -46,6 +46,7 @@ static struct {
 	{ RESOURCE_ID_IMA_CATALOG, PCR_2 },
 	{ RESOURCE_ID_KERNEL, PCR_4 },
 	{ RESOURCE_ID_CAPP,   PCR_2 },
+	{ RESOURCE_ID_VERSION,   PCR_3 },
 };
 
 /*
@@ -82,6 +83,9 @@ void trustedboot_init(void)
 {
 	struct dt_node *node;
 
+	if (trusted_init)
+		return;
+
 	node = dt_find_by_path(dt_root, "/ibm,secureboot");
 	if (!node) {
 		prlog(PR_NOTICE, "trusted boot not supported\n");
diff --git a/platforms/astbmc/common.c b/platforms/astbmc/common.c
index 243ad94..22f62d0 100644
--- a/platforms/astbmc/common.c
+++ b/platforms/astbmc/common.c
@@ -26,6 +26,7 @@
 #include <bt.h>
 #include <errorlog.h>
 #include <lpc.h>
+#include <libstb/trustedboot.h>
 
 #include "astbmc.h"
 
@@ -134,6 +135,20 @@ void astbmc_init(void)
 	astbmc_fru_init();
 	ipmi_sensor_init();
 
+	/* PNOR is initialized, we can init NVRAM */
+	nvram_init();
+
+	/*
+	 * As PNOR flash drivers are ready we can init STB now,
+	 *  so that it can call verify and measure functions
+	 */
+
+	/* TODO: currently VERSION partition isn't signed, enable
+	 * secureboot_init only once it is signed.
+	 */
+	/* secureboot_init(); */
+	trustedboot_init();
+
 	/* Preload PNOR VERSION section */
 	flash_fw_version_preload();
 
-- 
2.7.4

