From 07d75753d59419ea6ba9ee3bd930e0aa8e7e7fd5 Mon Sep 17 00:00:00 2001
From: Nick Bofferding <bofferdn@us.ibm.com>
Date: Fri, 20 Oct 2017 21:13:34 -0500
Subject: Secure Boot: Enforce PNOR section component IDs

- In secure mode, bootloader will enforce that HBB component ID is set
- In secure mode, Hostboot will enforce that PNOR component IDs are set

Change-Id: I04f3bbc45417b3229003c56e1083e1fc31c01cd7
RTC: 179422
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/48711
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
---
 src/include/usr/secureboot/secure_reasoncodes.H |  1 +
 src/include/usr/secureboot/service.H            | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)

(limited to 'src/include/usr/secureboot')

diff --git a/src/include/usr/secureboot/secure_reasoncodes.H b/src/include/usr/secureboot/secure_reasoncodes.H
index 98fe38d3c..f633ef7b2 100644
--- a/src/include/usr/secureboot/secure_reasoncodes.H
+++ b/src/include/usr/secureboot/secure_reasoncodes.H
@@ -40,6 +40,7 @@ namespace SECUREBOOT
         MOD_SECURE_READ_REG             = 0x06,
         MOD_SECURE_WRITE_REG            = 0x07,
         MOD_SECURE_SETTINGS_INIT        = 0x08,
+        MOD_SECURE_VERIFY_COMPONENT     = 0x09,
    };
 
     enum SECUREReasonCode
diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H
index 4c4d43d3c..c4dc31334 100644
--- a/src/include/usr/secureboot/service.H
+++ b/src/include/usr/secureboot/service.H
@@ -58,6 +58,8 @@ typedef uint8_t PAGE_TABLE_ENTRY_t[HASH_PAGE_TABLE_ENTRY_SIZE];
 
 namespace SECUREBOOT
 {
+    class ContainerHeader;
+
     /** @brief Perform initialization of Secureboot for the Base image.
      *
      *  - Copy secure header from original location.
@@ -222,6 +224,24 @@ namespace SECUREBOOT
     errlHndl_t verifyContainer(void * i_container,
                                const SHA512_t* i_hwKeyHash = nullptr);
 
+    /**
+     * @brief Verify component ID in a container header against a reference
+     *     component ID. Up to 8 ASCII characters, not including NULL, will be
+     *     compared (thus, it is critical that all components are unique with
+     *     respect to the first 8 bytes).
+     *
+     * @param[in] i_containerHeader Verified container's header
+     * @param[in] i_pComponentString Reference component ID string; must not be
+     *     nullptr or function will assert.
+     *
+     * @return errlHndl_t Error log handle
+     * @retval nullptr Component ID verification succeeded
+     * @retval !nullptr Error; component ID verification failed
+     */
+    errlHndl_t verifyComponent(
+        const ContainerHeader& i_containerHeader,
+        const char*            i_pComponentId);
+
     /**
      * @brief Hash Signed Blob
      *
-- 
cgit v1.2.3