[Skiboot] [PATCH v2] Recognise signed VERSION partition
stewart at linux.ibm.com
Tue Jul 17 20:15:29 AEST 2018
ppaidipe <ppaidipe at linux.vnet.ibm.com> writes:
> On 2018-07-17 13:36, Stewart Smith wrote:
>> Samuel Mendoza-Jonas <sam at mendozajonas.com> writes:
>>> A few things need to change to support a signed VERSION partition:
>>> - A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE
>>> - The VERSION partition needs to be loaded after secure/trusted boot
>>> set up, and therefore after nvram_init().
>>> - Added to the trustedboot resources array.
>>> This also moves the ipmi_dt_add_bmc_info() call to after
>>> flash_dt_add_fw_version() since it adds info to ibm,firmware-versions.
>>> Signed-off-by: Samuel Mendoza-Jonas <sam at mendozajonas.com>
>>> v2: rebase on master to work alongside the flash_dt_add_fw_version()
>>> changes, move modifying the DT to later in the boot process and let
>>> VERSION load in the background.
>> looks good to me, merged to master as of
> On secureboot enabled platforms we are getting a boot enforce with this
> as VERSION partition is still not signed.
> [ 74.044712556,7] LPC: Routing irq 4, policy: 0 (r=1)
> [ 74.044713816,7] LPC: SerIRQ 4 using route 2 targetted at OPAL
> [ 74.049822308,5] OCC: All Chip Rdy after 0 ms
> [ 74.252505689,0] STB: VERSION verification FAILED.
> [ 74.255402552,0] STB: secure mode enforced, aborting.
> [ 74.258240099,0] Aborting!
> CPU 0018 Backtrace:
> S: 0000000031cc3a60 R: 000000003001ae60 ._abort+0x4c
> S: 0000000031cc3ae0 R: 00000000300a8a40 .secureboot_enforce+0x3c
> S: 0000000031cc3b50 R: 00000000300a8f50 .secureboot_verify+0x15c
> S: 0000000031cc3c00 R: 0000000030030a9c .flash_load_resources+0x5fc
> S: 0000000031cc3d40 R: 0000000030018d5c .cpu_process_jobs+0xdc
> S: 0000000031cc3e00 R: 0000000030014ec8 .__secondary_cpu_entry+0x44
> S: 0000000031cc3e80 R: 0000000030014f1c .secondary_cpu_entry+0x34
> S: 0000000031cc3f00 R: 0000000030002790 secondary_wait+0x8c
> --- OPAL boot ---
> We need corresponding changes in op-build as well to make it signed.
Agreed. Hopefully Sam has them up shortly.
OPAL Architect, IBM.
More information about the Skiboot