[Skiboot] [PATCH 3/3] mambo: enable use of real Container Verification Code

Stewart Smith stewart at linux.ibm.com
Mon Jul 29 11:44:30 AEST 2019 

Make skiboot.tcl able to load and use a CVC blob from a real system.
This code comes from the src/securerom/ code in Hostboot.

we now use this in the sreset_world and hello_world test cases when we
do a secure boot run of them

Signed-off-by: Stewart Smith <stewart at linux.ibm.com>
---
 external/mambo/skiboot.tcl                   | 70 ++++++++++++++++++--
 test/hello_world/run_mambo_p9_hello_world.sh |  1 +
 test/sreset_world/run_mambo_p9_sreset.sh     |  1 +
 3 files changed, 66 insertions(+), 6 deletions(-)

diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl
index 60a0f30b807e..d7887ff2c5a6 100644
--- a/external/mambo/skiboot.tcl
+++ b/external/mambo/skiboot.tcl
@@ -297,6 +297,13 @@ foreach pmem_size $pmem_sizes { # PMEM_VOLATILE
 }
 
 
+# Add device tree entry for reserved memory
+set reserved_memory [mysim of addchild $root_node "reserved-memory" ""]
+mysim of addprop $reserved_memory int "#size-cells" 2
+mysim of addprop $reserved_memory int "#address-cells" 2
+mysim of addprop $reserved_memory empty "ranges" ""
+
+
 # Default NVRAM is blank and will be formatted by Skiboot if no file is provided
 set fake_nvram_start $cpio_end
 set fake_nvram_size 0x40000
@@ -308,11 +315,34 @@ if { [info exists env(SKIBOOT_NVRAM)] } {
     mysim mcm 0 memory fread $fake_nvram_start $fake_nvram_size $fake_nvram_file
 }
 
-# Add device tree entry for NVRAM
-set reserved_memory [mysim of addchild $root_node "reserved-memory" ""]
-mysim of addprop $reserved_memory int "#size-cells" 2
-mysim of addprop $reserved_memory int "#address-cells" 2
-mysim of addprop $reserved_memory empty "ranges" ""
+set cvc_code_start [expr $fake_nvram_start + $fake_nvram_size]
+set cvc_code_end $cvc_code_start
+set cvc_code_size 0
+if { [info exists env(SKIBOOT_CVC_CODE)] } {
+
+    set cvc_file $env(SKIBOOT_CVC_CODE)
+
+    set cvc_code_size [file size $cvc_file]
+    mysim mcm 0 memory fread $cvc_code_start $cvc_code_size $cvc_file
+    set cvc_code_end [expr $cvc_code_start + $cvc_code_size]
+}
+
+if { [info exists env(SKIBOOT_CVC_CODE)] } {
+    # Set up Device Tree for Container Verification Code
+    set hb [mysim of addchild $root_node "ibm,hostboot" ""]
+    set hb_reserved_memory [mysim of addchild $hb "reserved-memory" ""]
+    mysim of addprop $hb_reserved_memory int "#address-cells" 2
+    mysim of addprop $hb_reserved_memory int "#size-cells" 2
+    set hb_cvc_code_node [mysim of addchild $hb_reserved_memory "ibm,secure-crypt-algo-code" [format %x $cvc_code_start]]
+    set reg [list $cvc_code_start $cvc_code_size]
+    mysim of addprop $hb_cvc_code_node array64 "reg" reg
+    mysim of addprop $hb_cvc_code_node empty "name" "ibm,secure-crypt-algo-code"
+
+    set cvc_code_node [mysim of addchild $reserved_memory "ibm,secure-crypt-algo-code" [format %x $cvc_code_start]]
+    set reg [list $cvc_code_start $cvc_code_size]
+    mysim of addprop $cvc_code_node array64 "reg" reg
+    mysim of addprop $cvc_code_node empty "name" "ibm,secure-crypt-algo-code"
+}
 
 set initramfs_res [mysim of addchild $reserved_memory "initramfs" ""]
 set reg [list $cpio_start $cpio_size ]
@@ -324,6 +354,7 @@ set reg [list $fake_nvram_start $fake_nvram_size ]
 mysim of addprop $fake_nvram_node array64 "reg" reg
 mysim of addprop $fake_nvram_node empty "name" "ibm,fake-nvram"
 
+
 set opal_node [mysim of addchild $root_node "ibm,opal" ""]
 
 # Allow P9 to use all idle states
@@ -548,10 +579,18 @@ mconfig enable_stb SKIBOOT_ENABLE_MAMBO_STB 0
 
 if { [info exists env(SKIBOOT_ENABLE_MAMBO_STB)] } {
     set stb_node [ mysim of addchild $root_node "ibm,secureboot" "" ]
-    mysim of addprop $stb_node string "compatible" "ibm,secureboot-v1-softrom"
+
+    # For P8 we still use the softrom emulation
+    if { $default_config == "PEGASUS" || ! [info exists env(SKIBOOT_CVC_CODE)] } {
+	mysim of addprop $stb_node string "compatible" "ibm,secureboot-v1-softrom"
+    } else {
+	# on P9 we can use the real CVC
+	mysim of addprop $stb_node string "compatible" "ibm,secureboot-v2"
+    }
 #    mysim of addprop $stb_node string "secure-enabled" ""
     mysim of addprop $stb_node string "trusted-enabled" ""
     mysim of addprop $stb_node string "hash-algo" "sha512"
+    mysim of addprop $stb_node int "hw-key-hash-size" 64
     set hw_key_hash {}
     lappend hw_key_hash 0x40d487ff
     lappend hw_key_hash 0x7380ed6a
@@ -570,6 +609,25 @@ if { [info exists env(SKIBOOT_ENABLE_MAMBO_STB)] } {
     lappend hw_key_hash 0xfb708535
     lappend hw_key_hash 0x1d01d6d1
     mysim of addprop $stb_node array "hw-key-hash" hw_key_hash
+
+    if { $default_config != "PEGASUS" && [info exists env(SKIBOOT_CVC_CODE)] } {
+	set cvc_node [ mysim of addchild $stb_node "ibm,cvc" "" ]
+	mysim of addprop $cvc_node string "compatible" "ibm,container-verification-code"
+	mysim of addprop $cvc_node int "memory-region" $hb_cvc_code_node
+
+	# I'm sure hardcoding these addresses will *never* cause us a problem...
+	set sha_node [ mysim of addchild $cvc_node "ibm,cvc-service" [format %x 0x40]]
+	mysim of addprop $sha_node string "name" "ibm,cvc-service"
+	mysim of addprop $sha_node string "compatible" "ibm,cvc-sha512"
+	mysim of addprop $sha_node int "reg" 0x40
+	mysim of addprop $sha_node int "version" 1
+
+	set verify_node [ mysim of addchild $cvc_node "ibm,cvc-service" [format %x 0x50]]
+	mysim of addprop $verify_node string "name" "ibm,cvc-service"
+	mysim of addprop $verify_node string "compatible" "ibm,cvc-verify"
+	mysim of addprop $verify_node int "reg" 0x50
+	mysim of addprop $verify_node int "version" 1
+    }
 }
 
 # Kernel command line args, appended to any from the device tree
diff --git a/test/hello_world/run_mambo_p9_hello_world.sh b/test/hello_world/run_mambo_p9_hello_world.sh
index 9560527a0c2a..1074229efeb0 100755
--- a/test/hello_world/run_mambo_p9_hello_world.sh
+++ b/test/hello_world/run_mambo_p9_hello_world.sh
@@ -25,6 +25,7 @@ fi
 
 if [ -n "$SKIBOOT_ENABLE_MAMBO_STB" ]; then
     export SKIBOOT_ZIMAGE=$(pwd)/test/hello_world/hello_kernel/hello_kernel.stb
+    export SKIBOOT_CVC_CODE=$(pwd)/external/mambo/CVC
 else
     export SKIBOOT_ZIMAGE=$(pwd)/test/hello_world/hello_kernel/hello_kernel
 fi
diff --git a/test/sreset_world/run_mambo_p9_sreset.sh b/test/sreset_world/run_mambo_p9_sreset.sh
index 926ce3e49d3e..1e8662460a3e 100755
--- a/test/sreset_world/run_mambo_p9_sreset.sh
+++ b/test/sreset_world/run_mambo_p9_sreset.sh
@@ -25,6 +25,7 @@ fi
 
 if [ -n "$SKIBOOT_ENABLE_MAMBO_STB" ]; then
     export SKIBOOT_ZIMAGE=$(pwd)/test/sreset_world/sreset_kernel/sreset_kernel.stb
+    export SKIBOOT_CVC_CODE=$(pwd)/external/mambo/CVC
 else
     export SKIBOOT_ZIMAGE=$(pwd)/test/sreset_world/sreset_kernel/sreset_kernel
 fi
-- 
2.21.0

More information about the Skiboot mailing list