[Skiboot] [PATCH 0/3] Use real Container Verification Code in Mambo
oohall at gmail.com
Thu Nov 28 13:37:02 AEDT 2019
On Mon, Jul 29, 2019 at 11:45 AM Stewart Smith <stewart at linux.ibm.com> wrote:
> Secure Boot (for firmware) on POWER9 uses an in-memory copy of the
> Container Verification Code (CVC), the source of which comes from hostboot,
> and the data structure is set up as part of early boot in the SBE and
>
> Prior to this patchset, the way we simulated secure boot was to have a
> "fake" securerom that was really just calling mbedtls sha512 and
> comparing the hashes. This worked Well Enough(TM) for P8 and P9 testing,
> but didn't reflect the guts of what would happen on real hardware.
>
> This patchset grabs a dump of the CVC code from a real machine set up
> for development keys, and we can thus make the *exact* same calls into
> it as what occurs on real hardware.
>
> The CVC code is imported as a blob rather than the source from
> hostboot/src/securerom and the various bits of setup mostly for
> maintaining one's sanity.
>
> This also will help in the testing of the mmu patchset as for some
> reason when we enter the CVC code we clear r2, which adds a bit of fun
> and adventure to the whole endeavour.

Series merged to master as 12610da1bacf3578849eefe8f8d70cc289f4b87a

I squashed patch 2 into 3 and truncated the trailing zero bytes from
the cvc blob too.

> Stewart Smith (3):
>   libstb: export CVC/securerom code memory range
>   Add CVC code dump for use with Mambo
>   mambo: enable use of real Container Verification Code
>
>  external/mambo/CVC                           | Bin 0 -> 65535 bytes
>  external/mambo/README.md                     | 11 +++
>  external/mambo/skiboot.tcl                   | 70 +++++++++++++++++--
>  libstb/cvc.c                                 | 21 +++++-
>  test/hello_world/run_mambo_p9_hello_world.sh |  1 +
>  test/sreset_world/run_mambo_p9_sreset.sh     |  1 +
>  6 files changed, 97 insertions(+), 7 deletions(-)
>  create mode 100644 external/mambo/CVC