[Skiboot] [PATCH v2] libstb/trustedboot: Enable trusted_measure in fast-reboot path

Thu Mar 15 23:31:29 AEDT 2018

Currently in fast-reboot path trusted measure is not functioning
due to the tpm_cleanup happening in full IPL which un-registers
all the tpms.

It fails with below messages
[xxx,3] STB: BOOTKERNEL NOT MEASURED. Already exited from boot services
[xxx,3] STB: EV_SEPARATOR (pcr0) NOT MEASURED. No TPM registered/enabled

This patch enables it by enabling the boot_services_exited flag and
doing the tpm_cleanup only when trusted boot mode is OFF.

Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe at linux.vnet.ibm.com>
---
 core/fast-reboot.c   | 6 ++++++
 libstb/tpm_chip.c    | 1 +
 libstb/trustedboot.c | 8 ++++----
 libstb/trustedboot.h | 2 ++
 4 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/core/fast-reboot.c b/core/fast-reboot.c
index 0fe16cc..c7853d2 100644
--- a/core/fast-reboot.c
+++ b/core/fast-reboot.c
@@ -30,6 +30,7 @@
 #include <ipmi.h>
 #include <direct-controls.h>
 #include <nvram.h>
+#include "libstb/trustedboot.h"
 
 /* Flag tested by the OPAL entry code */
 static volatile bool fast_boot_release;
@@ -330,6 +331,11 @@ void __noreturn fast_reboot_entry(void)
 	cpu_set_sreset_enable(true);
 	cpu_set_ipi_enable(true);
 
+	/* We are loading the BOOTKERNEL from PNOR, in order to function
+	 * trusted_measure, enable boot services flag
+	 */
+	boot_services_exited = false;
+
 	/* Start preloading kernel and ramdisk */
 	start_preload_kernel();
 
diff --git a/libstb/tpm_chip.c b/libstb/tpm_chip.c
index 2858caf..58e5f75 100644
--- a/libstb/tpm_chip.c
+++ b/libstb/tpm_chip.c
@@ -313,6 +313,7 @@ int tpm_extendl(TPM_Pcr pcr,
 void tpm_add_status_property(void) {
 	struct tpm_chip *tpm;
 	list_for_each(&tpm_list, tpm, link) {
+		dt_check_del_prop(tpm->node, "status");
 		dt_add_property_string(tpm->node, "status",
 				       tpm->enabled ? "okay" : "disabled");
 	}
diff --git a/libstb/trustedboot.c b/libstb/trustedboot.c
index 151e4e1..0f1f50b 100644
--- a/libstb/trustedboot.c
+++ b/libstb/trustedboot.c
@@ -31,7 +31,7 @@
 
 static bool trusted_mode = false;
 static bool trusted_init = false;
-static bool boot_services_exited = false;
+bool boot_services_exited;
 
 /*
  * This maps a PCR for each resource we can measure. The PCR number is
@@ -127,8 +127,10 @@ int trustedboot_exit_boot_services(void)
 
 	boot_services_exited = true;
 
-	if (!trusted_mode)
+	if (!trusted_mode) {
+		tpm_cleanup();
 		goto out_free;
+	}
 
 #ifdef STB_DEBUG
 	prlog(PR_NOTICE, "ev_separator.event: %s\n", ev_separator.event);
@@ -156,8 +158,6 @@ int trustedboot_exit_boot_services(void)
 	tpm_add_status_property();
 
 out_free:
-	tpm_cleanup();
-
 	return (failed) ? -1 : 0;
 }
 
diff --git a/libstb/trustedboot.h b/libstb/trustedboot.h
index 3003c80..bb4fcb6 100644
--- a/libstb/trustedboot.h
+++ b/libstb/trustedboot.h
@@ -19,6 +19,8 @@
 
 #include <platform.h>
 
+extern bool boot_services_exited;
+
 void trustedboot_init(void);
 
 /**
-- 
2.7.4

