[Skiboot] [PATCH v3 2/5] libstb: add support for ibm, secureboot-v3 and initialize secure variables if supported by the platform
Eric Richter
erichte at linux.ibm.com
Wed Sep 4 07:34:13 AEST 2019
Platforms determine whether or not they support secure boot by implementing
a specific hook. Prior to initializing firmware secureboot, the platform
hook for secure variables is checked. If it has been implemented, we
increase the secureboot version to "ibm,secureboot-v3" indicating secure
variables are supported.
Signed-off-by: Eric Richter <erichte at linux.ibm.com>
---
core/init.c | 4 ++++
libstb/cvc.c | 2 +-
libstb/secureboot.c | 7 ++++++-
libstb/secureboot.h | 1 +
4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/core/init.c b/core/init.c
index cd333dcb..fa2d425a 100644
--- a/core/init.c
+++ b/core/init.c
@@ -35,6 +35,7 @@
#include <xive.h>
#include <nvram.h>
#include <vas.h>
+#include <libstb/secvar/secvar.h>
#include <libstb/secureboot.h>
#include <libstb/trustedboot.h>
#include <phys-map.h>
@@ -1163,6 +1164,9 @@ void __noreturn __nomcount main_cpu_entry(const void *fdt)
/* Set the console level */
console_log_level();
+ /* Check for secvar support, update secureboot compatible if so */
+ probe_secvar();
+
/* Secure/Trusted Boot init. We look for /ibm,secureboot in DT */
secureboot_init();
trustedboot_init();
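Review bot: The ordering dependency between the new probe_secvar() call and secureboot_init() is only implicit: the added comment says probe_secvar() updates the secureboot compatible, and the next comment says secureboot_init() looks for /ibm,secureboot in the DT, so reordering these two calls would silently leave the platform at the pre-v3 version. Suggest making that explicit in the comment, e.g. `/* Check for secvar support and bump the ibm,secureboot compatible to v3 if present; must run before secureboot_init(), which reads that compatible from the DT. */`. probe_secvar()'s return type is not visible in this patch; if it can report a failure, that result should be checked here rather than discarded. main_cpu_entry continues outside the hunk.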
diff --git a/libstb/cvc.c b/libstb/cvc.c
index dca4ac85..4642cb2a 100644
--- a/libstb/cvc.c
+++ b/libstb/cvc.c
@@ -268,7 +268,7 @@ int cvc_init(void)
rc = cvc_secure_rom_init();
} else if (version == IBM_SECUREBOOT_SOFTROM) {
softrom = true;
- } else if (version == IBM_SECUREBOOT_V2) {
+ } else if ((version == IBM_SECUREBOOT_V2 ) || (version == IBM_SECUREBOOT_V3)) {
rc = cvc_reserved_mem_init(node);
} else {
prlog(PR_ERR, "%s FAILED. /ibm,secureboot not supported\n",
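Review bot: The new condition has a stray space before the closing parenthesis and redundant parentheses around each comparison, `(version == IBM_SECUREBOOT_V2 ) || (version == IBM_SECUREBOOT_V3)`, which differs from the form used for the same test in the libstb/secureboot.c hunk of this patch. Suggest writing it the same way in both places: `} else if (version == IBM_SECUREBOOT_V2 || version == IBM_SECUREBOOT_V3) {`. cvc_init's body starts and ends outside the hunk.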
diff --git a/libstb/secureboot.c b/libstb/secureboot.c
index bfc98f2a..a7d418cf 100644
--- a/libstb/secureboot.c
+++ b/libstb/secureboot.c
@@ -25,6 +25,7 @@ static struct {
{ IBM_SECUREBOOT_V1, "ibm,secureboot-v1" },
{ IBM_SECUREBOOT_SOFTROM, "ibm,secureboot-v1-softrom" },
{ IBM_SECUREBOOT_V2, "ibm,secureboot-v2" },
+ { IBM_SECUREBOOT_V3, "ibm,secureboot-v3" },
};
static void secureboot_enforce(void)
@@ -124,7 +125,8 @@ void secureboot_init(void)
}
hw_key_hash_size = SHA512_DIGEST_LENGTH;
- } else if (version == IBM_SECUREBOOT_V2) {
+ } else if (version == IBM_SECUREBOOT_V2 ||
+ version == IBM_SECUREBOOT_V3) {
hw_key_hash_size = dt_prop_get_u32(node, "hw-key-hash-size");
if (hw_key_hash_size == 0) {
@@ -157,6 +159,9 @@ void secureboot_init(void)
if (cvc_init())
secureboot_enforce();
+ if (version == IBM_SECUREBOOT_V3) {
+ platform.secvar_init();
+ }
secure_init = true;
}
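Review bot: The new `platform.secvar_init()` call is made through a platform hook whose presence is never checked in this function; `version` here comes from the device tree rather than from probe_secvar(), so a DT advertising ibm,secureboot-v3 on a platform without the hook would call a NULL function pointer. Suggest guarding it, `if (version == IBM_SECUREBOOT_V3 && platform.secvar_init)`, and logging when v3 is advertised but the hook is absent. The result of secvar_init() is also discarded, whereas the cvc_init() failure two lines above falls through to secureboot_enforce(); if secvar_init() can report failure (its return type is not visible in this patch), a failed secure-variable setup on a secure-boot-enforcing system should probably be handled the same way rather than leaving `secure_init = true`. secureboot_init starts outside the hunk.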
diff --git a/libstb/secureboot.h b/libstb/secureboot.h
index 426483ff..719c6817 100644
--- a/libstb/secureboot.h
+++ b/libstb/secureboot.h
@@ -13,6 +13,7 @@ enum secureboot_version {
IBM_SECUREBOOT_V1,
IBM_SECUREBOOT_SOFTROM,
IBM_SECUREBOOT_V2,
+ IBM_SECUREBOOT_V3,
};
bool secureboot_is_compatible(struct dt_node *node, int *version, const char **compat);
--
2.20.1