[Skiboot] [PATCH] Recognise signed VERSION partition
Samuel Mendoza-Jonas
sam at mendozajonas.com
Thu May 17 14:26:59 AEST 2018
A few things need to change to support a signed VERSION partition:
- A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE (4K).
- The VERSION partition needs to be loaded after secure/trusted boot is
set up, and therefore after nvram_init().
- Added to the trustedboot resources array.
Signed-off-by: Samuel Mendoza-Jonas <sam at mendozajonas.com>
---
Aside from the partition size changes this is an alternative take to
this earlier patch, trying to move less things around:
http://patchwork.ozlabs.org/patch/897865/
Take your pick!
core/flash.c | 4 +++-
core/init.c | 9 +++++++++
libstb/trustedboot.c | 1 +
platforms/astbmc/common.c | 6 ------
4 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/core/flash.c b/core/flash.c
index 4031e7b3..161b5c90 100644
--- a/core/flash.c
+++ b/core/flash.c
@@ -51,7 +51,7 @@ static u32 nvram_offset, nvram_size;
/* ibm,firmware-versions support */
static char *version_buf;
-static size_t version_buf_size = 0x1000;
+static size_t version_buf_size = 0x2000;
bool flash_reserve(void)
{
@@ -235,6 +235,8 @@ void flash_dt_add_fw_version(void)
fw_version = dt_new(dt_root, "ibm,firmware-versions");
assert(fw_version);
+ if (stb_is_container(version_buf, version_buf_size))
+ numbytes += SECURE_BOOT_HEADERS_SIZE;
for ( ; (numbytes < version_buf_size) && version_buf[numbytes]; numbytes++) {
if (version_buf[numbytes] == '\n') {
version_data[i] = '\0';
diff --git a/core/init.c b/core/init.c
index 3b887a24..a02304e6 100644
--- a/core/init.c
+++ b/core/init.c
@@ -1067,6 +1067,15 @@ void __noreturn __nomcount main_cpu_entry(const void *fdt)
secureboot_init();
trustedboot_init();
+ /*
+ * BMC platforms load version information from flash after
+ * secure/trustedboot init.
+ */
+ if (platform.bmc) {
+ flash_fw_version_preload();
+ flash_dt_add_fw_version();
+ }
+
/* preload the IMC catalog dtb */
imc_catalog_preload();
diff --git a/libstb/trustedboot.c b/libstb/trustedboot.c
index 151e4e16..35b26240 100644
--- a/libstb/trustedboot.c
+++ b/libstb/trustedboot.c
@@ -46,6 +46,7 @@ static struct {
{ RESOURCE_ID_IMA_CATALOG, PCR_2 },
{ RESOURCE_ID_KERNEL, PCR_4 },
{ RESOURCE_ID_CAPP, PCR_2 },
+ { RESOURCE_ID_VERSION, PCR_3 },
};
/*
diff --git a/platforms/astbmc/common.c b/platforms/astbmc/common.c
index 243ad946..3c59f82a 100644
--- a/platforms/astbmc/common.c
+++ b/platforms/astbmc/common.c
@@ -134,9 +134,6 @@ void astbmc_init(void)
astbmc_fru_init();
ipmi_sensor_init();
- /* Preload PNOR VERSION section */
- flash_fw_version_preload();
-
/* As soon as IPMI is up, inform BMC we are in "S0" */
ipmi_set_power_state(IPMI_PWR_SYS_S0_WORKING, IPMI_PWR_NOCHANGE);
@@ -147,9 +144,6 @@ void astbmc_init(void)
/* Setup UART console for use by Linux via OPAL API */
set_opal_console(&uart_opal_con);
-
- /* Add ibm,firmware-versions node */
- flash_dt_add_fw_version();
}
int64_t astbmc_ipmi_power_down(uint64_t request)
--
2.17.0
More information about the Skiboot
mailing list