[Skiboot] [PATCH 0/3] Use real Container Verification Code in Mambo

Oliver O'Halloran oohall at gmail.com
Thu Nov 28 13:37:02 AEDT 2019


On Mon, Jul 29, 2019 at 11:45 AM Stewart Smith <stewart at linux.ibm.com> wrote:
>
> Secure Boot (for firmware) on POWER9 uses an in-memory copy of the
> Container Verification Code (CVC), the source of which comes from hostboot,
> and the data structure is set up as part of early boot in the SBE and
> Hostboot.
>
> Prior to this patchset, the way we simulated secure boot was to have a
> "fake" securerom that was really just calling mbedtls sha512 and
> comparing the hashes. This worked Well Enough(TM) for P8 and P9 testing,
> but didn't reflect the guts of what would happen on real hardware.
>
> This patchset grabs a dump of the CVC code from a real machine set up
> for development keys, and we can thus make the *exact* same calls into
> it as what occurs on real hardware.
>
> The CVC code is imported as a blob rather than the source from
> hostboot/src/securerom and the various bits of setup mostly for
> maintaining one's sanity.
>
> This also will help in the testing of the mmu patchset as for some
> reason when we enter the CVC code we clear r2, which adds a bit of fun
> and adventure to the whole endeavour.

series merged to master as 12610da1bacf3578849eefe8f8d70cc289f4b87a

I squashed patch 2 into 3 and truncated the trailing zero bytes from
the cvc blob too.

>
> Stewart Smith (3):
>   libstb: export CVC/securerom code memory range
>   Add CVC code dump for use with Mambo
>   mambo: enable use of real Container Verification Code
>
>  external/mambo/CVC                           | Bin 0 -> 65535 bytes
>  external/mambo/README.md                     |  11 +++
>  external/mambo/skiboot.tcl                   |  70 +++++++++++++++++--
>  libstb/cvc.c                                 |  21 +++++-
>  test/hello_world/run_mambo_p9_hello_world.sh |   1 +
>  test/sreset_world/run_mambo_p9_sreset.sh     |   1 +
>  6 files changed, 97 insertions(+), 7 deletions(-)
>  create mode 100644 external/mambo/CVC
>
> --
> 2.21.0

