diff options
author | Stephen Cprek <smcprek@us.ibm.com> | 2017-03-01 10:44:16 -0600 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-04-10 17:46:57 -0400 |
commit | a7bf050d4ddba121d7502939fc0c4ce517ef8e42 (patch) | |
tree | e2f58591ec40a0f113d258f5b69dbbfcb1b397ab | |
parent | b8169717c26a8eb780569c50cce29ca47d3bb9fa (diff) | |
download | talos-hostboot-a7bf050d4ddba121d7502939fc0c4ce517ef8e42.tar.gz talos-hostboot-a7bf050d4ddba121d7502939fc0c4ce517ef8e42.zip |
Add header to and verify Hostboot Bootloader for sbe update
Change-Id: I2704ad9a110a52fe0ff0e290fdd9205a42bbd050
RTC:159915
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/38326
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Martin Gloff <mgloff@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
-rw-r--r-- | src/build/buildpnor/defaultPnorLayout.xml | 17 | ||||
-rwxr-xr-x | src/build/buildpnor/genPnorImages.pl | 13 | ||||
-rw-r--r-- | src/usr/pnor/pnor_utils.C | 3 | ||||
-rw-r--r-- | src/usr/sbe/sbe_update.C | 21 | ||||
-rw-r--r-- | src/usr/secureboot/base/securerommgr.C | 4 |
5 files changed, 43 insertions, 15 deletions
diff --git a/src/build/buildpnor/defaultPnorLayout.xml b/src/build/buildpnor/defaultPnorLayout.xml index eb592147b..54d4bc516 100644 --- a/src/build/buildpnor/defaultPnorLayout.xml +++ b/src/build/buildpnor/defaultPnorLayout.xml @@ -215,17 +215,20 @@ Layout Description <ecc/> </section> <section> - <description>Hostboot Bootloader (22.5K)</description> + <description>Hostboot Bootloader (28K)</description> <eyeCatch>HBBL</eyeCatch> <physicalOffset>0x2ABB000</physicalOffset> - <physicalRegionSize>0x6000</physicalRegionSize> + <!-- Physical Size includes Header rounded to ECC valid size --> + <!-- Max size of actual HBBL content is 20K and 22.5K with ECC --> + <physicalRegionSize>0x7000</physicalRegionSize> <side>sideless</side> + <sha512Version/> <ecc/> </section> <section> <description>Global Data (36K)</description> <eyeCatch>GLOBAL</eyeCatch> - <physicalOffset>0x2AC1000</physicalOffset> + <physicalOffset>0x2AC2000</physicalOffset> <physicalRegionSize>0x9000</physicalRegionSize> <side>sideless</side> <ecc/> @@ -233,7 +236,7 @@ Layout Description <section> <description>Ref Image Ring Overrides (20K)</description> <eyeCatch>RINGOVD</eyeCatch> - <physicalOffset>0x2ACA000</physicalOffset> + <physicalOffset>0x2ACB000</physicalOffset> <physicalRegionSize>0x5000</physicalRegionSize> <side>sideless</side> <ecc/> @@ -241,7 +244,7 @@ Layout Description <section> <description>SecureBoot Key Transition Partition (16K)</description> <eyeCatch>SBKT</eyeCatch> - <physicalOffset>0x2ACF000</physicalOffset> + <physicalOffset>0x2AD0000</physicalOffset> <physicalRegionSize>0x4000</physicalRegionSize> <side>sideless</side> <ecc/> @@ -249,7 +252,7 @@ Layout Description <section> <description>OCC Lid (1.125M)</description> <eyeCatch>OCC</eyeCatch> - <physicalOffset>0x2AD3000</physicalOffset> + <physicalOffset>0x2AD4000</physicalOffset> <physicalRegionSize>0x120000</physicalRegionSize> <side>sideless</side> <ecc/> @@ -259,7 +262,7 @@ Layout Description <!-- We need 266KB per module sort, going to support 10 sorts by default, plus ECC --> <eyeCatch>WOFDATA</eyeCatch> - <physicalOffset>0x2BF3000</physicalOffset> + <physicalOffset>0x2BF4000</physicalOffset> <physicalRegionSize>0x300000</physicalRegionSize> <side>sideless</side> <ecc/> diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl index 10aaf0917..fc9b8bd9e 100755 --- a/src/build/buildpnor/genPnorImages.pl +++ b/src/build/buildpnor/genPnorImages.pl @@ -42,6 +42,9 @@ use constant BASE_IMAGE_TOTAL_CONTAINER_SIZE => 0x000000000007EF80; use constant BASE_IMAGE_TARGET_HRMOR => 0x0000000008000000; use constant BASE_IMAGE_INSTRUCTION_START_STACK_POINTER => 0x0000000008280000; +# Max HBBL content size is 20K +my $MAX_HBBL_SIZE = 20480; + ################################################################################ # Be explicit with POSIX # Everything is exported by default (with a handful of exceptions). This is an @@ -509,7 +512,9 @@ sub manipulateImages #|| ($eyeCatch eq "CAPP") #|| ($eyeCatch eq "BOOTKERNEL"); - my $isSpecialSecure = ($eyeCatch eq "HBB"); + + my $isSpecialSecure = ($eyeCatch eq "HBB") + || ($eyeCatch eq "HBBL"); #|| ($eyeCatch eq "HBI") #|| ($eyeCatch eq "HBD"); @@ -540,15 +545,15 @@ sub manipulateImages # Ensure there is enough room at the end of the HBBL partition # to store the HW keys' hash. my $hbblRawSize = (-s $bin_file or die "Cannot get size of file $bin_file"); - print "HBBL raw size (no padding/ecc) = $hbblRawSize/$size\n"; - if ($hbblRawSize > $size - HW_KEYS_HASH_SIZE) + print "HBBL raw size (no padding/ecc) = $hbblRawSize/$MAX_HBBL_SIZE\n"; + if ($hbblRawSize > $MAX_HBBL_SIZE - HW_KEYS_HASH_SIZE) { die "HBBL cannot fit HW Keys' Hash (64 bytes) at the end without overwriting real data"; } # Pad HBBL to max size run_command("cp $bin_file $tempImages{TEMP_BIN}"); - run_command("dd if=$tempImages{TEMP_BIN} of=$bin_file ibs=$size conv=sync"); + run_command("dd if=$tempImages{TEMP_BIN} of=$bin_file ibs=$MAX_HBBL_SIZE conv=sync"); # Add HW key hash to end of HBBL - 64 Bytes my $hwKeyHashStart = (-s $bin_file or die "Cannot get size of file $bin_file") diff --git a/src/usr/pnor/pnor_utils.C b/src/usr/pnor/pnor_utils.C index 5a8d39065..979b1cb1f 100644 --- a/src/usr/pnor/pnor_utils.C +++ b/src/usr/pnor/pnor_utils.C @@ -360,7 +360,8 @@ bool PNOR::isEnforcedSecureSection(const uint32_t i_section) #ifdef BOOTLOADER return i_section == HB_BASE_CODE; #else - return i_section == HB_EXT_CODE || + return i_section == HB_BOOTLOADER || + i_section == HB_EXT_CODE || i_section == HB_DATA || i_section == SBE_IPL || i_section == CENTAUR_SBE || diff --git a/src/usr/sbe/sbe_update.C b/src/usr/sbe/sbe_update.C index c602fbf9b..4a85db350 100644 --- a/src/usr/sbe/sbe_update.C +++ b/src/usr/sbe/sbe_update.C @@ -1821,6 +1821,7 @@ namespace SBE } const void* hbblPnorPtr = reinterpret_cast<const void*>( pnorInfo.vaddr); + // Use max hbbl size and not the PNOR size. The PNOR size can grow // to add a secure header, but the code size limit is still 20K. TRACFCOMP( g_trac_sbe, "getSbeInfoState() - " @@ -3623,6 +3624,16 @@ namespace SBE break; } + // Load the Bootloader PNOR section into secure memory +#ifdef CONFIG_SECUREBOOT + err = loadSecureSection(PNOR::HB_BOOTLOADER); + if(err) + { + TRACFCOMP( g_trac_sbe, ERR_MRK,"createSbeImageVmmSpace() - Error from loadSecureSection(PNOR::HB_BOOTLOADER)"); + break; + } +#endif + }while(0); TRACDCOMP( g_trac_sbe, @@ -3709,6 +3720,16 @@ namespace SBE PNOR::flush( PNOR::SBE_IPL ); + // Unload the Bootloader PNOR section from secure memory +#ifdef CONFIG_SECUREBOOT + err = unloadSecureSection(PNOR::HB_BOOTLOADER); + if (err) + { + TRACFCOMP( g_trac_sbe, ERR_MRK,"cleanupSbeImageVmmSpace() - Error from unloadSecureSection(PNOR::HB_BOOTLOADER)"); + break; + } +#endif + }while(0); diff --git a/src/usr/secureboot/base/securerommgr.C b/src/usr/secureboot/base/securerommgr.C index 1a21f3350..b51127820 100644 --- a/src/usr/secureboot/base/securerommgr.C +++ b/src/usr/secureboot/base/securerommgr.C @@ -265,12 +265,10 @@ errlHndl_t SecureRomManager::verifyContainer(void * i_container, memset(&l_hw_parms, 0, sizeof(ROM_hw_params)); // Now set hw_key_hash, which is of type sha2_hash_t, to iv_key_hash - memcpy (&l_hw_parms.hw_key_hash, &iv_key_hash, sizeof(sha2_hash_t)); - if (i_hwKeyHash == nullptr) { // Use current hw hash key - memcpy (&l_hw_parms.hw_key_hash, &iv_key_hash, sizeof(sha2_hash_t)); + memcpy (&l_hw_parms.hw_key_hash, iv_key_hash, sizeof(sha2_hash_t)); } else { |