From 82f341573515e1dd39c622a955e08d3ab669b458 Mon Sep 17 00:00:00 2001 From: Stephen Cprek Date: Tue, 5 Dec 2017 16:46:54 -0600 Subject: Fix incorrect size for entries going into hb resv memory Sections that do not have Secure Headers and need one injected were not passing in the correct size to preverifiedlidmgr. e.g. RINGOVD section or when SB is compiled out Change-Id: I6e8c775a9a1d3f89473c55af6efc8109fb378c99 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/50545 Tested-by: Jenkins Server Tested-by: FSP CI Jenkins Reviewed-by: Nicholas E. Bofferding Reviewed-by: Michael Baiocchi Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Reviewed-by: Daniel M. Crowell --- src/include/usr/secureboot/containerheader.H | 4 ++-- src/usr/runtime/populate_hbruntime.C | 13 +++++++------ src/usr/secureboot/base/test/securerommgrtest.H | 14 ++++++++++---- src/usr/secureboot/common/containerheader.C | 6 +++--- 4 files changed, 22 insertions(+), 15 deletions(-) diff --git a/src/include/usr/secureboot/containerheader.H b/src/include/usr/secureboot/containerheader.H index 1905ac39d..daebbcfb6 100644 --- a/src/include/usr/secureboot/containerheader.H +++ b/src/include/usr/secureboot/containerheader.H @@ -293,10 +293,10 @@ class ContainerHeader * @brief Generate fake header with minimal information and stores in * instance variable * - * @param[in] i_totalSize Total container size + * @param[in] i_size Size of content to add header to * @param[in] i_compId Component ID */ - void genFakeHeader(const size_t i_totalSize, + void genFakeHeader(const size_t i_size, const char* const i_compId); friend class ::SecureRomManagerTest; diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C index e7ebbea54..b4c700de2 100644 --- a/src/usr/runtime/populate_hbruntime.C +++ b/src/usr/runtime/populate_hbruntime.C @@ -605,21 +605,22 @@ errlHndl_t hbResvLoadSecureSection (const PNOR::SectionId i_sec, // Check if the section is expected to have a secure header regardless // of compile options +#ifdef CONFIG_SECUREBOOT if (i_secHdrExpected) { -#ifdef CONFIG_SECUREBOOT // If section is signed, only the protected size was loaded into memory l_imgSize = l_info.secureProtectedPayloadSize; // Include secure header // NOTE: we do not preserve the header in virtual memory when SB // is compiled out. So "-PAGESIZE" only works when SB is compiled in l_pnorVaddr -= PAGESIZE; -#endif - // Add size for secure header. - // NOTE: if SB compiled out, a header will be injected later so - // preserve space for the header. - l_imgSize += PAGESIZE; } +#endif + // Add size for secure header, as a header is REQUIRED for lid load + // from hostboot reserved memory to work in every scenario. + // NOTE: if SB compiled out or a header is never added, one will be + // injected later with min information. So preserve space for the header. + l_imgSize += PAGESIZE; // Load Pnor section into HB reserved memory l_elog = PreVerifiedLidMgr::loadFromPnor(i_sec, l_pnorVaddr, l_imgSize); diff --git a/src/usr/secureboot/base/test/securerommgrtest.H b/src/usr/secureboot/base/test/securerommgrtest.H index 115813d3d..3dee8952e 100644 --- a/src/usr/secureboot/base/test/securerommgrtest.H +++ b/src/usr/secureboot/base/test/securerommgrtest.H @@ -555,7 +555,7 @@ class SecureRomManagerTest : public CxxTest::TestSuite { TRACFCOMP(g_trac_secure,"SecureRomManagerTest::test_fakeHeader"); - const size_t l_totalContainerSize = 0x10000; + const size_t l_payloadSize = 0x10000; // Purposely make a comp id larger than SW_HDR_COMP_ID_SIZE_BYTES // otherwise strncmp below needs a different size const char* l_compId = "FAKEHEADERTEST"; @@ -564,7 +564,7 @@ class SecureRomManagerTest : public CxxTest::TestSuite // Simple call constructor to create fake header and make sure it // does not cause an error SECUREBOOT::ContainerHeader l_fakeHdr; - errlHndl_t l_errl = l_fakeHdr.setFakeHeader(l_totalContainerSize, + errlHndl_t l_errl = l_fakeHdr.setFakeHeader(l_payloadSize, l_compId); if (l_errl) { @@ -573,8 +573,14 @@ class SecureRomManagerTest : public CxxTest::TestSuite break; } - // Payload Text Size should be the total container size minus the header - if(l_fakeHdr.payloadTextSize() != (l_totalContainerSize - PAGE_SIZE)) + // Total Container size should be payload size + PAGE_SIZE(header size) + if(l_fakeHdr.totalContainerSize() != (l_payloadSize + PAGE_SIZE)) + { + TS_FAIL("SecureRomManagerTest::test_fakeHeader: total container size was not parsed correctly"); + } + + // Check that payload text size was assigned correctly. + if(l_fakeHdr.payloadTextSize() != (l_payloadSize)) { TS_FAIL("SecureRomManagerTest::test_fakeHeader: payload text size was not parsed correctly"); break; diff --git a/src/usr/secureboot/common/containerheader.C b/src/usr/secureboot/common/containerheader.C index 47ccfebea..e01b09b8b 100644 --- a/src/usr/secureboot/common/containerheader.C +++ b/src/usr/secureboot/common/containerheader.C @@ -171,7 +171,7 @@ void ContainerHeader::initVars() memset(iv_componentId,0x00,sizeof(iv_componentId)); } -void ContainerHeader::genFakeHeader(const size_t i_totalSize, +void ContainerHeader::genFakeHeader(const size_t i_size, const char* const i_compId) { SecureHeaderInfo info {}; @@ -182,7 +182,7 @@ void ContainerHeader::genFakeHeader(const size_t i_totalSize, /*---- ROM_container_raw ----*/ info.hw_hdr.magic_number = ROM_MAGIC_NUMBER; info.hw_hdr.version = CONTAINER_VERSION; - info.hw_hdr.container_size = i_totalSize; + info.hw_hdr.container_size = i_size + PAGE_SIZE; // The rom code has a placeholder for the prefix in the first struct so // skip it size_t l_size = offsetof(ROM_container_raw, prefix); @@ -212,7 +212,7 @@ void ContainerHeader::genFakeHeader(const size_t i_totalSize, strncpy(info.sw_hdr.component_id, i_compId,SW_HDR_COMP_ID_SIZE_BYTES); info.sw_hdr.ver_alg.hash_alg = HASH_ALG_SHA512; info.sw_hdr.ver_alg.sig_alg = SIG_ALG_ECDSA521; - info.sw_hdr.payload_size = i_totalSize - PAGE_SIZE; + info.sw_hdr.payload_size = i_size; l_size = offsetof(ROM_sw_header_raw, ecid); l_size += info.hw_prefix_hdr.ecid_count * ECID_SIZE; -- cgit v1.2.1