[Skiboot] [PATCH] libstb/secureboot: Fix logging of secure verify messages.
Pridhiviraj Paidipeddi
ppaidipe at linux.vnet.ibm.com
Tue Feb 27 20:56:19 AEDT 2018
Currently we log secure verify/enforce messages at the PR_EMERG
level even when secureboot mode is not enabled. Reduce the
log level to PR_ERR when secureboot mode is OFF.
Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe at linux.vnet.ibm.com>
---
libstb/secureboot.c | 31 +++++++++++++++++++------------
1 file changed, 19 insertions(+), 12 deletions(-)
diff --git a/libstb/secureboot.c b/libstb/secureboot.c
index 921aba7..348acf5 100644
--- a/libstb/secureboot.c
+++ b/libstb/secureboot.c
@@ -29,6 +29,7 @@ static const void* hw_key_hash = NULL;
static size_t hw_key_hash_size;
static bool secure_mode = false;
static bool secure_init = false;
+static unsigned int level = PR_ERR;
static struct {
enum secureboot_version version;
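Review bot: The new file-scope `static unsigned int level` is named too generically for a variable that decides how loudly secure-boot failures are reported, and nothing at the declaration says who sets it. A name such as `sb_log_level` with a comment like `/* severity for verify/enforce failures: PR_EMERG in secure mode, PR_ERR otherwise; set by secureboot_init() */` would make the call sites self-explanatory. The initial value PR_ERR is also what every message uses until secureboot_init() reaches the assignment, which is worth stating in that comment.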
@@ -112,6 +113,12 @@ void secureboot_init(void)
secure_mode ? "on" : "off");
}
+ /* Use emergency log level only when secure mode is ON */
+ if (secure_mode)
+ level = PR_EMERG;
+ else
+ level = PR_ERR;
+
if (version == IBM_SECUREBOOT_V1 ||
version == IBM_SECUREBOOT_SOFTROM) {
@@ -124,7 +131,7 @@ void secureboot_init(void)
* running the latest POWER firmware, so probably there
* is a bug in the device tree received from hostboot.
*/
- prlog(PR_EMERG, "secureboot init FAILED, hash-algo=%s "
+ prlog(level, "secureboot init FAILED, hash-algo=%s "
"not supported\n", hash_algo);
secureboot_enforce();
}
@@ -134,29 +141,29 @@ void secureboot_init(void)
hw_key_hash_size = dt_prop_get_u32(node, "hw-key-hash-size");
if (hw_key_hash_size == 0) {
- prlog(PR_EMERG, "hw-key-hash-size=%zd too short\n",
+ prlog(level, "hw-key-hash-size=%zd too short\n",
hw_key_hash_size);
secureboot_enforce();
}
if (hw_key_hash_size > SHA512_DIGEST_LENGTH) {
- prlog(PR_EMERG, "hw-key-hash-size=%zd too big\n",
+ prlog(level, "hw-key-hash-size=%zd too big\n",
hw_key_hash_size);
secureboot_enforce();
}
} else {
- prlog(PR_ERR, "%s FAILED. /ibm,secureboot not supported",
+ prlog(level, "%s FAILED. /ibm,secureboot not supported",
__func__);
secureboot_enforce();
}
hw_key_hash = dt_prop_get_def_size(node, "hw-key-hash", NULL, &size);
if (!hw_key_hash) {
- prlog(PR_EMERG, "hw-key-hash not found\n");
+ prlog(level, "hw-key-hash not found\n");
secureboot_enforce();
}
if (size != hw_key_hash_size) {
- prlog(PR_EMERG, "hw_key-hash wrong size %zd (expected=%zd)\n",
+ prlog(level, "hw_key-hash wrong size %zd (expected=%zd)\n",
size, hw_key_hash_size);
secureboot_enforce();
}
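Review bot: The `/ibm,secureboot not supported` message in the `else` branch still has no trailing newline, unlike the other prlog() calls in this hunk; since the line is rewritten anyway it could become `"%s FAILED. /ibm,secureboot not supported\n"`. That branch was PR_ERR before and now follows `level`, so in secure mode it is raised to PR_EMERG. This looks consistent with its neighbours but is the opposite direction from what the commit description announces, so it deserves a mention there. secureboot_init() starts and ends outside this hunk.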
@@ -174,14 +181,14 @@ int secureboot_verify(enum resource_id id, void *buf, size_t len)
name = flash_map_resource_name(id);
if (!name) {
- prlog(PR_EMERG, "container NOT VERIFIED, resource_id=%d "
+ prlog(level, "container NOT VERIFIED, resource_id=%d "
"unknown\n", id);
secureboot_enforce();
return -1;
}
if (!secure_init) {
- prlog(PR_WARNING, "container NOT VERIFIED, resource_id=%d "
+ prlog(level, "container NOT VERIFIED, resource_id=%d "
"secureboot not yet initialized\n", id);
secureboot_enforce();
return -1;
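Review bot: The `!secure_init` branch was logged at PR_WARNING and now uses `level`, so it is never lower than PR_ERR, while the description only talks about lowering severities. More importantly, if secureboot_verify() can run before secureboot_init() has set `level`, a container that goes unverified on a secure-mode machine is reported at the initial PR_ERR rather than PR_EMERG, because the mode has not been read yet. If that ordering is possible, initialising the variable to the stricter value, `static unsigned int level = PR_EMERG;`, and lowering it only once secure mode is known to be off would keep the pre-init case fail-loud. The body of secureboot_verify() continues outside this hunk.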
@@ -197,20 +204,20 @@ int secureboot_verify(enum resource_id id, void *buf, size_t len)
* failed. Return codes defined in
* /hostboot/src/include/securerom/status_codes.H
*/
- prlog(PR_EMERG, "%s verification FAILED. log=0x%" PRIx64 "\n",
+ prlog(level, "%s verification FAILED. log=0x%" PRIx64 "\n",
name, be64_to_cpu(log));
secureboot_enforce();
} else if (rc == OPAL_PARAMETER) {
- prlog(PR_EMERG, "%s NOT VERIFIED, invalid param. buf=%p, "
+ prlog(level, "%s NOT VERIFIED, invalid param. buf=%p, "
"len=%zd key-hash=%p hash-size=%zd\n", name, buf, len,
hw_key_hash, hw_key_hash_size);
secureboot_enforce();
} else if (rc == OPAL_UNSUPPORTED) {
- prlog(PR_EMERG, "%s NOT VERIFIED, CVC-verify service not "
+ prlog(level, "%s NOT VERIFIED, CVC-verify service not "
"supported\n", name);
secureboot_enforce();
} else {
- prlog(PR_EMERG, "%s NOT VERIFIED, unknown CVC-verify error. "
+ prlog(level, "%s NOT VERIFIED, unknown CVC-verify error. "
"rc=%d\n", name, rc);
secureboot_enforce();
}
--
2.7.4