[Skiboot] [PATCH] opal/init: Fix VERSION hash calculation by Re-ordering inits
Claudio Carvalho
cclaudio at linux.vnet.ibm.com
Fri Apr 20 07:22:43 AEST 2018
This looks good to me.
Reviewed-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
Claudio
On 13/04/2018 04:20, Pridhiviraj Paidipeddi wrote:
> We have currently VERSION parition loads early in the boot stage
> for BMC platforms, which is not verified/measured by STB. Currnetly
> STB init depends on nvram settings, which need nvram init, nvram init
> depends on pnor init. So we cannot move stb init before platform init.
>
> So this patch fixes this issue by following below init order for BMC
> platforms to have a proper hash calculation for all the flash resources.
>
> pnor_init --> nvram_init --> stb_init --> preload_flash_resources
>
> In FSP platforms init remains unchanged.
>
> And currently VERSION partition isn't signed, hence enabled only
> trusted_measure for it. And also PCR_3 used for measurements as
> VERSION is a data partition.
>
> [ 68.444384848,5] STB: VERSION hash calculated
> [ 68.489532547,5] STB: VERSION measured on pcr3 (tpm0, evType 0x5, evLogLen 2253)
>
> Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe at linux.vnet.ibm.com>
> ---
> core/init.c | 4 ++--
> libstb/trustedboot.c | 4 ++++
> platforms/astbmc/common.c | 15 +++++++++++++++
> 3 files changed, 21 insertions(+), 2 deletions(-)
>
> diff --git a/core/init.c b/core/init.c
> index b91e34b..0b294c8 100644
> --- a/core/init.c
> +++ b/core/init.c
> @@ -1048,8 +1048,8 @@ void __noreturn __nomcount main_cpu_entry(const void *fdt)
> if (platform.init)
> platform.init();
>
> - /* Read in NVRAM and set it up */
> - nvram_init();
> + /* Read in NVRAM and set it up, if not already done */
> + nvram_reinit();
>
> /* Set the console level */
> console_log_level();
> diff --git a/libstb/trustedboot.c b/libstb/trustedboot.c
> index 151e4e1..071a592 100644
> --- a/libstb/trustedboot.c
> +++ b/libstb/trustedboot.c
> @@ -46,6 +46,7 @@ static struct {
> { RESOURCE_ID_IMA_CATALOG, PCR_2 },
> { RESOURCE_ID_KERNEL, PCR_4 },
> { RESOURCE_ID_CAPP, PCR_2 },
> + { RESOURCE_ID_VERSION, PCR_3 },
> };
>
> /*
> @@ -82,6 +83,9 @@ void trustedboot_init(void)
> {
> struct dt_node *node;
>
> + if (trusted_init)
> + return;
> +
> node = dt_find_by_path(dt_root, "/ibm,secureboot");
> if (!node) {
> prlog(PR_NOTICE, "trusted boot not supported\n");
> diff --git a/platforms/astbmc/common.c b/platforms/astbmc/common.c
> index 243ad94..22f62d0 100644
> --- a/platforms/astbmc/common.c
> +++ b/platforms/astbmc/common.c
> @@ -26,6 +26,7 @@
> #include <bt.h>
> #include <errorlog.h>
> #include <lpc.h>
> +#include <libstb/trustedboot.h>
>
> #include "astbmc.h"
>
> @@ -134,6 +135,20 @@ void astbmc_init(void)
> astbmc_fru_init();
> ipmi_sensor_init();
>
> + /* PNOR is initialized, we can init NVRAM */
> + nvram_init();
> +
> + /*
> + * As PNOR flash drivers are ready we can init STB now,
> + * so that it can call verify and measure functions
> + */
> +
> + /* TODO: currently VERSION partition isn't signed, enable
> + * secureboot_init only once it is signed.
> + */
> + /* secureboot_init(); */
> + trustedboot_init();
> +
> /* Preload PNOR VERSION section */
> flash_fw_version_preload();
>
More information about the Skiboot
mailing list