diff options
| author | Nick Bofferding <bofferdn@us.ibm.com> | 2017-10-20 21:13:34 -0500 |
|---|---|---|
| committer | William G. Hoffa <wghoffa@us.ibm.com> | 2017-11-03 09:45:20 -0400 |
| commit | 07d75753d59419ea6ba9ee3bd930e0aa8e7e7fd5 (patch) | |
| tree | 78633da60312ff8cfd54807f787219036e976621 /src/include/usr/secureboot | |
| parent | 47f275a6bd3b2104a82d9786122afd6fe25f05de (diff) | |
| download | blackbird-hostboot-07d75753d59419ea6ba9ee3bd930e0aa8e7e7fd5.tar.gz blackbird-hostboot-07d75753d59419ea6ba9ee3bd930e0aa8e7e7fd5.zip | |
Secure Boot: Enforce PNOR section component IDs
- In secure mode, bootloader will enforce that HBB component ID is set
- In secure mode, Hostboot will enforce that PNOR component IDs are set
Change-Id: I04f3bbc45417b3229003c56e1083e1fc31c01cd7
RTC: 179422
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/48711
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
Diffstat (limited to 'src/include/usr/secureboot')
| -rw-r--r-- | src/include/usr/secureboot/secure_reasoncodes.H | 1 | ||||
| -rw-r--r-- | src/include/usr/secureboot/service.H | 20 |
2 files changed, 21 insertions, 0 deletions
diff --git a/src/include/usr/secureboot/secure_reasoncodes.H b/src/include/usr/secureboot/secure_reasoncodes.H index 98fe38d3c..f633ef7b2 100644 --- a/src/include/usr/secureboot/secure_reasoncodes.H +++ b/src/include/usr/secureboot/secure_reasoncodes.H @@ -40,6 +40,7 @@ namespace SECUREBOOT MOD_SECURE_READ_REG = 0x06, MOD_SECURE_WRITE_REG = 0x07, MOD_SECURE_SETTINGS_INIT = 0x08, + MOD_SECURE_VERIFY_COMPONENT = 0x09, }; enum SECUREReasonCode diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H index 4c4d43d3c..c4dc31334 100644 --- a/src/include/usr/secureboot/service.H +++ b/src/include/usr/secureboot/service.H @@ -58,6 +58,8 @@ typedef uint8_t PAGE_TABLE_ENTRY_t[HASH_PAGE_TABLE_ENTRY_SIZE]; namespace SECUREBOOT { + class ContainerHeader; + /** @brief Perform initialization of Secureboot for the Base image. * * - Copy secure header from original location. @@ -223,6 +225,24 @@ namespace SECUREBOOT const SHA512_t* i_hwKeyHash = nullptr); /** + * @brief Verify component ID in a container header against a reference + * component ID. Up to 8 ASCII characters, not including NULL, will be + * compared (thus, it is critical that all components are unique with + * respect to the first 8 bytes). + * + * @param[in] i_containerHeader Verified container's header + * @param[in] i_pComponentString Reference component ID string; must not be + * nullptr or function will assert. + * + * @return errlHndl_t Error log handle + * @retval nullptr Component ID verification succeeded + * @retval !nullptr Error; component ID verification failed + */ + errlHndl_t verifyComponent( + const ContainerHeader& i_containerHeader, + const char* i_pComponentId); + + /** * @brief Hash Signed Blob * * @param[in] i_blob Void pointer to effective address of blob |
