[Skiboot] [PATCH 0/3] Use real Container Verification Code in Mambo

Stewart Smith stewart at flamingspork.com
Fri Nov 29 07:18:43 AEDT 2019

On Wed, Nov 27, 2019, at 6:37 PM, Oliver O'Halloran wrote:
> On Mon, Jul 29, 2019 at 11:45 AM Stewart Smith <stewart at linux.ibm.com> wrote:
> >
> > Secure Boot (for firmware) on POWER9 uses an in-memory copy of the
> > Container Verification Code (CVC), which the source comes from hostboot,
> > and the data structure is set up as part of early boot in the SBE and
> > Hostboot.
> >
> > Prior to this patchset, the way we simulated secure boot was to have a
> > "fake" securerom that was really just calling mbedtls sha512 and
> > comparing the hashes. This worked Well Enough(TM) for P8 and P9 testing,
> > but didn't reflect the guts of what would happen on real hardware.
> >
> > This patchset grabs a dump of the CVC code from a real machine set up
> > for development keys, and we can thus make the *exact* same calls into
> > it as what occurs on real hardware.
> >
> > The CVC code is imported as a blob rather the source from
> > hostboot/src/securerom and the various bits of setup mostly for
> > maintaining one's sanity.
> >
> > This also will help in the testing of the mmu patchset as for some
> > reason when we enter the CVC code we clear r2, which adds a bit of fun
> > and adventure to the whole endeavour.
> series merged to master as 12610da1bacf3578849eefe8f8d70cc289f4b87a
> I squashed patch 2 into 3 and truncated the trailing zero bytes from
> the cvc blob too.

Ahh cool. If I was Really Good (TM) I would have built from source from a copy of what's in Hostboot and blah blah blah, but this is probably as good as anything from a practical PoV.

I wonder why they just expose the full 64k and not truncate it down...

More information about the Skiboot mailing list