[Skiboot] [PATCH 1/3] libstb: fix failure of calling cvc verify without STB initialization.

Vasant Hegde hegdevasant at linux.vnet.ibm.com
Thu Feb 8 22:48:57 AEDT 2018


On 02/06/2018 07:46 AM, Pridhiviraj Paidipeddi wrote:
> Currently, at various stages of OPAL init, we load various
> PNOR partition containers from the flash device. When we load a flash
> resource, STB calls the CVC verify and trusted measure (sha512) functions.
> So when a flash resource gets loaded before STB initialization,
> the cvc verify function fails to start the verify and enforce the boot.
> 
> Below is one example failure, where our VERSION partition gets
> loaded early in the boot stage without STB initialization done.
> 
> This is with secure mode off.
> STB: VERSION NOT VERIFIED, invalid param. buf=0x305ed930, len=4096 key-hash=0x0 hash-size=0
> 
> In the same code path when secure mode is on, the boot process will abort.
> 
> So this patch fixes this issue by calling cvc verify only if
> STB init was done.
> 
> Also, we need a permanent fix in the init path to ensure STB init gets
> done first, and only then start loading all other flash resources.
> 
> Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe at linux.vnet.ibm.com>
> ---
>   libstb/secureboot.c | 9 +++++++++
>   1 file changed, 9 insertions(+)
> 
> diff --git a/libstb/secureboot.c b/libstb/secureboot.c
> index afe19fe..362f803 100644
> --- a/libstb/secureboot.c
> +++ b/libstb/secureboot.c
> @@ -28,6 +28,7 @@
>   static const void* hw_key_hash = NULL;
>   static size_t hw_key_hash_size;
>   static bool secure_mode = false;
> +static bool secure_init = false;
> 
>   static struct {
>   	enum secureboot_version version;
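
Review bot: `secure_init`, declared directly under `secure_mode`, reads like a second mode setting rather than "secureboot_init() has completed". A name such as `secureboot_initialized`, or a one-line comment on the declaration saying which function sets it and which one reads it, would make the guard added in secureboot_verify() easier to follow.
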
> @@ -161,6 +162,8 @@ void secureboot_init(void)
>   	}
>   	if (cvc_init())
>   		secureboot_enforce();
> +
> +	secure_init = true;
>   }
> 
>   int secureboot_verify(enum resource_id id, void *buf, size_t len)
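
Review bot: `secure_init = true;` at the end of secureboot_init() is set unconditionally, including when `cvc_init()` has just returned non-zero. If secureboot_enforce() returns in that case (the commit message describes a secure-mode-off boot that continues after a failure), later secureboot_verify() calls pass the new guard even though CVC did not initialize. Consider setting the flag only on the `cvc_init()` success path, or tracking CVC availability separately from "init has run".
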
> @@ -176,6 +179,12 @@ int secureboot_verify(enum resource_id id, void *buf, size_t len)
>   		secureboot_enforce();
>   	}
> 
> +        if (!secure_init) {
> +                prlog(PR_WARNING, "container NOT VERIFIED, resource_id=%d "
> +                      "secureboot not yet initialized\n", id);
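
Review bot: in the new `if (!secure_init)` branch, the part quoted here only logs at PR_WARNING, so with secure mode on a resource loaded before init would go unverified unless the rest of the branch enforces. The commit message says the secure-mode boot aborts on this path today; the branch should keep that behaviour by calling secureboot_enforce() or returning an error that callers treat as fatal. The added lines are also indented with spaces where the surrounding code uses tabs.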

As discussed, see if we can call secureboot_init() from here. Also see if we can
reorder the init code.

-Vasant


