[Skiboot] [PATCH v2] Recognise signed VERSION partition

Stewart Smith stewart at linux.ibm.com
Tue Jul 17 20:15:29 AEST 2018


ppaidipe <ppaidipe at linux.vnet.ibm.com> writes:
> On 2018-07-17 13:36, Stewart Smith wrote:
>> Samuel Mendoza-Jonas <sam at mendozajonas.com> writes:
>>> A few things need to change to support a signed VERSION partition:
>>> 
>>> - A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE (4K).
>>> - The VERSION partition needs to be loaded after secure/trusted boot is
>>>   set up, and therefore after nvram_init().
>>> - Added to the trustedboot resources array.
>>> 
>>> This also moves the ipmi_dt_add_bmc_info() call to after
>>> flash_dt_add_fw_version() since it adds info to ibm,firmware-versions.
>>> 
>>> Signed-off-by: Samuel Mendoza-Jonas <sam at mendozajonas.com>
>>> ---
>>> v2: rebase on master to work alongside the flash_dt_add_fw_version()
>>> changes, move modifying the DT to later in the boot process and let
>>> VERSION load in the background.
>> 
>> looks good to me, merged to master as of
>> 3cd749c99791d43ee929b9401fb14fc6739ce360
>
>
> On secureboot enabled platforms we are getting a boot enforce with this patch
> as VERSION partition is still not signed.
>
> [   74.044712556,7] LPC: Routing irq 4, policy: 0 (r=1)
> [   74.044713816,7] LPC: SerIRQ 4 using route 2 targetted at OPAL
> [   74.049822308,5] OCC: All Chip Rdy after 0 ms
> [   74.252505689,0] STB: VERSION verification FAILED. log=0xffffffffffff8120
> [   74.255402552,0] STB: secure mode enforced, aborting.
> [   74.258240099,0] Aborting!
> CPU 0018 Backtrace:
>   S: 0000000031cc3a60 R: 000000003001ae60   ._abort+0x4c
>   S: 0000000031cc3ae0 R: 00000000300a8a40   .secureboot_enforce+0x3c
>   S: 0000000031cc3b50 R: 00000000300a8f50   .secureboot_verify+0x15c
>   S: 0000000031cc3c00 R: 0000000030030a9c   .flash_load_resources+0x5fc
>   S: 0000000031cc3d40 R: 0000000030018d5c   .cpu_process_jobs+0xdc
>   S: 0000000031cc3e00 R: 0000000030014ec8   .__secondary_cpu_entry+0x44
>   S: 0000000031cc3e80 R: 0000000030014f1c   .secondary_cpu_entry+0x34
>   S: 0000000031cc3f00 R: 0000000030002790   secondary_wait+0x8c
>   --- OPAL boot ---
>
> We need corresponding changes in op-build as well to make it signed.

Agreed. Hopefully Sam has them up shortly.

-- 
Stewart Smith
OPAL Architect, IBM.
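
A triage sketch for the console log quoted in this message, added here as an example (it is not skiboot code and not part of the original post): it extracts the resource that failed STB verification, the log= value, whether secure mode enforcement followed, and the backtrace call path. The function name `triage` and the record fields are assumptions; the sample lines are the ones quoted above, mail quoting and line wrapping included.

```python
import re

# Console line shape seen in the log above: "[ seconds.nanoseconds,level] message"
LINE = re.compile(r"\[\s*(\d+\.\d+),(\d)\]\s+(.*)")
FAILED = re.compile(r"STB: (\S+) verification FAILED\.\s*(?:log=(0x[0-9a-fA-F]+))?")
LOGVAL = re.compile(r"log=(0x[0-9a-fA-F]+)$")
FRAME = re.compile(r"S: [0-9a-f]+ R: [0-9a-f]+\s+\.?(\w+)\+0x[0-9a-f]+")

# Sample input: lines quoted in this message, mail quoting and wrapping included.
SAMPLE = """\
> [   74.049822308,5] OCC: All Chip Rdy after 0 ms
> [   74.252505689,0] STB: VERSION verification FAILED.
> log=0xffffffffffff8120
> [   74.255402552,0] STB: secure mode enforced, aborting.
> [   74.258240099,0] Aborting!
> CPU 0018 Backtrace:
>   S: 0000000031cc3a60 R: 000000003001ae60   ._abort+0x4c
>   S: 0000000031cc3ae0 R: 00000000300a8a40   .secureboot_enforce+0x3c
>   S: 0000000031cc3b50 R: 00000000300a8f50   .secureboot_verify+0x15c
>   S: 0000000031cc3c00 R: 0000000030030a9c   .flash_load_resources+0x5fc
"""

def triage(text):
    """Return one record per 'verification FAILED' line in a skiboot console log."""
    findings, current, wrapped = [], None, False
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()   # drop mail quoting
        m = LINE.match(line)
        if m:
            f = FAILED.search(m.group(3))
            if f:
                current = {"resource": f.group(1), "time": m.group(1),
                           "log": f.group(2), "enforced": False, "frames": []}
                findings.append(current)
            elif current and "secure mode enforced" in m.group(3):
                current["enforced"] = True
            # Remember a FAILED line whose log= value may sit on the next line.
            wrapped = bool(f) and f.group(2) is None
            continue
        if current is None:
            continue
        if wrapped and (c := LOGVAL.match(line)):       # archive wrapped the value
            current["log"] = c.group(1)
        elif fr := FRAME.search(line):
            current["frames"].append(fr.group(1))
        wrapped = False
    return findings

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```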
