[Skiboot] [PATCH v2] Recognise signed VERSION partition

Samuel Mendoza-Jonas sam at mendozajonas.com
Wed Jul 18 10:49:46 AEST 2018 

On Tue, 2018-07-17 at 20:15 +1000, Stewart Smith wrote:
> ppaidipe <ppaidipe at linux.vnet.ibm.com> writes:
> > On 2018-07-17 13:36, Stewart Smith wrote:
> > > Samuel Mendoza-Jonas <sam at mendozajonas.com> writes:
> > > > A few things need to change to support a signed VERSION partition:
> > > > 
> > > > - A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE 
> > > > (4K).
> > > > - The VERSION partition needs to be loaded after secure/trusted boot 
> > > > is
> > > >   set up, and therefore after nvram_init().
> > > > - Added to the trustedboot resources array.
> > > > 
> > > > This also moves the ipmi_dt_add_bmc_info() call to after
> > > > flash_dt_add_fw_version() since it adds info to ibm,firmware-versions.
> > > > 
> > > > Signed-off-by: Samuel Mendoza-Jonas <sam at mendozajonas.com>
> > > > ---
> > > > v2: rebase on master to work alongside the flash_dt_add_fw_version()
> > > > changes, move modifying the DT to later in the boot process and let
> > > > VERSION load in the background.
> > > 
> > > looks good to me, merged to master as of
> > > 3cd749c99791d43ee929b9401fb14fc6739ce360
> > 
> > 
> > On secureboot enabled platforms we are getting a boot enforce with this 
> > patch
> > as VERSION partition is still not signed.
> > 
> > [   74.044712556,7] LPC: Routing irq 4, policy: 0 (r=1)
> > [   74.044713816,7] LPC: SerIRQ 4 using route 2 targetted at OPAL
> > [   74.049822308,5] OCC: All Chip Rdy after 0 ms
> > [   74.252505689,0] STB: VERSION verification FAILED. 
> > log=0xffffffffffff8120
> > [   74.255402552,0] STB: secure mode enforced, aborting.
> > [   74.258240099,0] Aborting!
> > CPU 0018 Backtrace:
> >   S: 0000000031cc3a60 R: 000000003001ae60   ._abort+0x4c
> >   S: 0000000031cc3ae0 R: 00000000300a8a40   .secureboot_enforce+0x3c
> >   S: 0000000031cc3b50 R: 00000000300a8f50   .secureboot_verify+0x15c
> >   S: 0000000031cc3c00 R: 0000000030030a9c   .flash_load_resources+0x5fc
> >   S: 0000000031cc3d40 R: 0000000030018d5c   .cpu_process_jobs+0xdc
> >   S: 0000000031cc3e00 R: 0000000030014ec8   .__secondary_cpu_entry+0x44
> >   S: 0000000031cc3e80 R: 0000000030014f1c   .secondary_cpu_entry+0x34
> >   S: 0000000031cc3f00 R: 0000000030002790   secondary_wait+0x8c
> >   --- OPAL boot ---
> > 
> > We need corresponding changes in op-build as well to make it signed.
> 
> Agreed. Hopefully Sam has them up shortly.
> 

Yep the pieces are slowly coming together. Right now we're waiting on
https://github.com/open-power/pnor/pull/97 which in turn is waiting on a
Hostboot patch which I'm sending a V2 for soon.

More information about the Skiboot mailing list