diff options
| author | Stephen Cprek <smcprek@us.ibm.com> | 2017-09-27 16:22:04 -0500 |
|---|---|---|
| committer | William G. Hoffa <wghoffa@us.ibm.com> | 2017-11-01 16:17:58 -0400 |
| commit | 89c19d7e3a5b6f2781636ca5373672f38d8f0a13 (patch) | |
| tree | 009a08dbf556fcb21259ada013bc9d211d4a460d | |
| parent | 141c67de2310692873ff1c3f977a1c6e5d4300ca (diff) | |
| download | talos-hostboot-89c19d7e3a5b6f2781636ca5373672f38d8f0a13.tar.gz talos-hostboot-89c19d7e3a5b6f2781636ca5373672f38d8f0a13.zip | |
Process Components in Master Container Lid
Change-Id: I31523494f462c88addb51973f605b2ed72674e97
RTC: 125304
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/46840
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
| -rw-r--r-- | src/include/usr/runtime/preverifiedlidmgr.H | 33 | ||||
| -rw-r--r-- | src/include/usr/secureboot/trustedbootif.H | 3 | ||||
| -rw-r--r-- | src/include/usr/util/util_reasoncodes.H | 6 | ||||
| -rw-r--r-- | src/include/usr/util/utillidmgr.H | 2 | ||||
| -rw-r--r-- | src/include/usr/util/utilmclmgr.H | 110 | ||||
| -rw-r--r-- | src/usr/runtime/populate_hbruntime.C | 24 | ||||
| -rw-r--r-- | src/usr/runtime/preverifiedlidmgr.C | 137 | ||||
| -rw-r--r-- | src/usr/secureboot/trusted/base/trustedboot_base.C | 3 | ||||
| -rw-r--r-- | src/usr/util/test/testmclmgr.H | 105 | ||||
| -rw-r--r-- | src/usr/util/utillidmgr.C | 2 | ||||
| -rw-r--r-- | src/usr/util/utilmclmgr.C | 459 |
11 files changed, 836 insertions, 48 deletions
diff --git a/src/include/usr/runtime/preverifiedlidmgr.H b/src/include/usr/runtime/preverifiedlidmgr.H index ca096e5e1..185a0d24f 100644 --- a/src/include/usr/runtime/preverifiedlidmgr.H +++ b/src/include/usr/runtime/preverifiedlidmgr.H @@ -66,6 +66,24 @@ class PreVerifiedLidMgr const uint64_t i_addr, const size_t i_size); + /** + * @brief Load PNOR section into HB reserved memory + * + * @param[in] i_sec - PNOR section ID + * @param[in] i_addr - Virtual Address of PNOR section + * @param[in] i_size - Size of PNOR section + * @param[in] i_isPhypComp - Indicates if PHYP lids + * NOTE: PHYP lids go to address HRMOR - 4K + * @param[out] o_resvMemAddr - Mainstore address Lid was put in + * + * @return Error handle if error + */ + static errlHndl_t loadFromMCL(const uint32_t i_lidId, + const uint64_t i_addr, + const size_t i_size, + const bool i_isPhypComp, + uint64_t &o_resvMemAddr); + protected: /** @@ -106,14 +124,20 @@ class PreVerifiedLidMgr const uint64_t i_addr, const size_t i_size); + /** + * @brief Internal implementation of loadFromMCL function. + */ + errlHndl_t _loadFromMCL(const uint32_t i_lidId, + const uint64_t i_addr, + const size_t i_size, + const bool i_isPhypComp, + uint64_t &o_resvMemAddr); + // Private Members/Variables // Cache the payload type static TARGETING::PAYLOAD_KIND cv_payloadKind; - // Bool to check if the first PHYP lid has been loaded or not. - static bool cv_phypLidSeen; - // Collection of data needed for Hostboot Reserved Memory struct ResvMemInfo { @@ -131,7 +155,7 @@ class PreVerifiedLidMgr // Collection of data needed for Hostboot Reserved Memory static ResvMemInfo cv_resvMemInfo; - // Location for PHYP lids to go. + // Collection of data needed for PHYP's placement into HB reserved memory static ResvMemInfo cv_phypResvMemInfo; // Map of what lids have been loaded already. @@ -197,6 +221,7 @@ class PreVerifiedLidMgr // Allow test cases to have direct access friend class PreVerifiedLidMgrTest; + friend class MasterContainerLidMgrTest; }; diff --git a/src/include/usr/secureboot/trustedbootif.H b/src/include/usr/secureboot/trustedbootif.H index 8f79756d9..41ba6ece9 100644 --- a/src/include/usr/secureboot/trustedbootif.H +++ b/src/include/usr/secureboot/trustedbootif.H @@ -44,6 +44,9 @@ namespace TRUSTEDBOOT { + // Const string to append to PCR extension messages + extern const char* const FW_KEY_HASH_EXT; + struct _TpmLogMgr; // Hostboot code just maps the TpmTarget type, which shared APIs use, as a diff --git a/src/include/usr/util/util_reasoncodes.H b/src/include/usr/util/util_reasoncodes.H index f90784c77..77fd1e628 100644 --- a/src/include/usr/util/util_reasoncodes.H +++ b/src/include/usr/util/util_reasoncodes.H @@ -49,7 +49,8 @@ namespace Util UTIL_TCE_UNMAP_PSIHB = 0x0F, // UtilTceMgr::unmapPsiHostBridge UTIL_MCL_INIT_MEM = 0x10, // MasterContainerLidMgr::initMem UTIL_MCL_REL_MEM = 0x11, // MasterContainerLidMgr::releaseMem - + UTIL_MCL_PROCESS_COMP = 0x12, // MasterContainerLidMgr::processComponent + UTIL_MCL_VERIFY_EXT = 0x13, // MasterContainerLidMgr::verifyExtend }; enum ReasonCode @@ -77,7 +78,8 @@ namespace Util UTIL_TCE_BLOCK_UNMAP_FAIL = UTIL_COMP_ID | 0x15, UTIL_MM_BLOCK_MAP_FAILED = UTIL_COMP_ID | 0x16, UTIL_MM_BLOCK_UNMAP_FAILED = UTIL_COMP_ID | 0x17, - + UTIL_MCL_SIZE_MISMATCH = UTIL_COMP_ID | 0x18, + UTIL_MCL_COMPID_MISMATCH = UTIL_COMP_ID | 0x19, }; }; diff --git a/src/include/usr/util/utillidmgr.H b/src/include/usr/util/utillidmgr.H index 725e51671..c2ac2d9a0 100644 --- a/src/include/usr/util/utillidmgr.H +++ b/src/include/usr/util/utillidmgr.H @@ -50,7 +50,7 @@ enum LidId TEST_LIDID = 0x00000111, OCC_LIDID = 0x81e00430, OCC_CONTAINER_LIDID = 0x80d0000b, - MCL_LIDID = 0x80D00020, + MCL_LIDID = 0x80d00020, // TODO RTC 172767 Make utillidmgr LIDID structure attribute driven WOF_LIDID = 0x81e00440, WOF_CONTAINER_LIDID = 0x80d00015, diff --git a/src/include/usr/util/utilmclmgr.H b/src/include/usr/util/utilmclmgr.H index 58a73bae4..f33d4001f 100644 --- a/src/include/usr/util/utilmclmgr.H +++ b/src/include/usr/util/utilmclmgr.H @@ -40,7 +40,11 @@ namespace MCL // Component ID(name) within MCL typedef std::array<uint8_t,16> ComponentID; -// Defines to simplify syntax when checking for the MCL and POWERVM comp ids +// Component ID in string form +// NOTE: ComponentID in the MCL does not include NULL terminator so include room +typedef char CompIdString[17]; + +// Constants to simplify checking for the MCL and POWERVM comp ids extern const ComponentID g_MclCompId; extern const ComponentID g_PowervmCompId; @@ -194,8 +198,46 @@ struct CompInfo void print() const; }; +// Comparator to ensure PHYP is always the first component to be processed +struct CompOrderCompare { + bool operator() (const ComponentID& lhs, const ComponentID& rhs) const + { + if((lhs == g_PowervmCompId)) + { + return true; + } + else if ((rhs == g_PowervmCompId)) + { + return false; + } + + return lhs<rhs; + } +}; + // Structure for Comp Info cache -typedef std::map<ComponentID, CompInfo> CompInfoMap; +typedef std::map<ComponentID, CompInfo, CompOrderCompare> CompInfoMap; + +/** + * @brief Convert Component ID to a char* + * Helpful for trace + * + * @param[in] i_compId - Component ID to convert + * @param[out] o_compIdStr - Component ID String + * + * @return N/A + */ +void compIdToString(const ComponentID i_compId, CompIdString o_compIdStr); + +/** + * @brief Convert/truncate Component ID to a uint64_t + * Helpful for FFDC + * + * @param[in] i_compId - Component ID to convert + * + * @return uint64_t - truncated Component ID + */ +uint64_t compIdToInt(const ComponentID i_compId); // @brief Class to manager the Master Container Lid provided by the FSP class MasterContainerLidMgr @@ -214,6 +256,12 @@ class MasterContainerLidMgr */ ~MasterContainerLidMgr(); + /** + * @brief Process each component in the MCL. + * See: processComponent for more info + */ + errlHndl_t processComponents(); + protected: /** @@ -280,6 +328,52 @@ class MasterContainerLidMgr */ void printCompInfoCache(); + /** + * @brief Process single component in the MCL. + * Loads, verifies, tpm extends lids and loads into hb resv memory + * + * @param[in] i_compId - Component Id + * @param[in] io_compInfo - Component info of component to process + * + * @return Error handle if error + */ + errlHndl_t processComponent(const ComponentID& i_compId, + CompInfo& io_compInfo); + + /** + * @brief Load all lids associated with a Component into contiguous memory + * NOTE: updates the lid sizes in CompInfo + * + * @param[in] io_compInfo - Component info of component to verify + * @param[out] o_totalSize - Size of all lids reported by the FSP + * + * @return Error handle if error + */ + errlHndl_t loadLids(CompInfo& io_compInfo, size_t& o_totalSize); + + /** + * @brief Verify and Extend Component + * + * @param[in] i_compId - Component Id + * @param[in] io_compInfo - Component info of component to verify + * + * @return Error handle if error + * Note: Will not return on Secure Verification Error + */ + errlHndl_t verifyExtend(const ComponentID& i_compId, + CompInfo& io_compInfo); + + /** + * @brief TPM extend information for secure components + * + * @param[in] i_compId - Component Id + * @param[in] i_conHdr - Container header with information to extend + * + * @return Error handle if error + */ + errlHndl_t tpmExtend(const ComponentID& i_compId, + const SECUREBOOT::ContainerHeader& i_conHdr) const; + // Physical addresses reserved for the MCL itself uint64_t iv_mclAddr; @@ -292,15 +386,27 @@ class MasterContainerLidMgr // Maximum size of memory for temp MCL mgr workspace size_t iv_tmpSize; + // Maximum size based on MCL or temp components + size_t iv_maxSize; + // Pointer to MCL virtual address space void* iv_pMclVaddr; // Pointer to MCL temp virtual address space void* iv_pTempVaddr; + // Pointer to either MCL or TMP virtual address spaces + void* iv_pVaddr; + // Cache Components and their corresponding lids CompInfoMap iv_compInfoCache; + // Indicates that Master Container Lid has a header + bool iv_hasHeader; + + // Cache current comp id string for easy tracing + CompIdString iv_curCompIdStr; + // Allow test cases to call custom constructors and have direct access friend class ::MasterContainerLidMgrTest; }; diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C index 028f92802..12a6fba9f 100644 --- a/src/usr/runtime/populate_hbruntime.C +++ b/src/usr/runtime/populate_hbruntime.C @@ -72,6 +72,7 @@ #include <stdio.h> #include <runtime/populate_hbruntime.H> #include <runtime/preverifiedlidmgr.H> +#include <util/utilmclmgr.H> namespace RUNTIME @@ -646,6 +647,7 @@ errlHndl_t populate_HbRsvMem(uint64_t i_nodeId) { TRACFCOMP( g_trac_runtime, ENTER_MRK"populate_HbRsvMem> i_nodeId=%d", i_nodeId ); errlHndl_t l_elog = nullptr; + bool l_preVerLidMgrLock = false; do { // Wipe out our cache of the NACA/SPIRA pointers @@ -1074,6 +1076,7 @@ errlHndl_t populate_HbRsvMem(uint64_t i_nodeId) // Initialize Pre-Verified Lid manager PreVerifiedLidMgr::initLock(l_prevDataAddr, l_prevDataSize, i_nodeId); + l_preVerLidMgrLock = true; // Handle all Pre verified PNOR sections for (const auto secId : preVerifiedPnorSections) @@ -1084,14 +1087,33 @@ errlHndl_t populate_HbRsvMem(uint64_t i_nodeId) break; } } - PreVerifiedLidMgr::unlock(); if (l_elog) { break; } + // @TODO RTC:125304 enable when PHYP changes necessary for pre-verified + // lids are in a fips release +/* + // Load lids from Master Container Lid Container provided by FSP + if (INITSERVICE::spBaseServicesEnabled()) + { + MCL::MasterContainerLidMgr l_mcl; + l_elog = l_mcl.processComponents(); + if(l_elog) + { + break; + } + } +*/ } while(0); + // If lock obtained, always unlock Pre verified lid manager + if (l_preVerLidMgrLock) + { + PreVerifiedLidMgr::unlock(); + } + TRACFCOMP( g_trac_runtime, EXIT_MRK"populate_HbRsvMem> l_elog=%.8X", ERRL_GETRC_SAFE(l_elog) ); return(l_elog); } // end populate_HbRsvMem diff --git a/src/usr/runtime/preverifiedlidmgr.C b/src/usr/runtime/preverifiedlidmgr.C index 0f3398721..4e5d9a2dc 100644 --- a/src/usr/runtime/preverifiedlidmgr.C +++ b/src/usr/runtime/preverifiedlidmgr.C @@ -34,13 +34,14 @@ #include <util/singleton.H> #include <stdio.h> #include <arch/ppc.H> +#include <targeting/common/target.H> +#include <targeting/common/attributes.H> extern trace_desc_t *g_trac_runtime; // Set static variables TARGETING::PAYLOAD_KIND PreVerifiedLidMgr::cv_payloadKind = TARGETING::PAYLOAD_KIND_NONE; std::map<uint64_t,bool> PreVerifiedLidMgr::cv_lidsLoaded {}; -bool PreVerifiedLidMgr::cv_phypLidSeen = false; PreVerifiedLidMgr::ResvMemInfo* PreVerifiedLidMgr::cv_pResvMemInfo = nullptr; PreVerifiedLidMgr::ResvMemInfo PreVerifiedLidMgr::cv_resvMemInfo {}; PreVerifiedLidMgr::ResvMemInfo PreVerifiedLidMgr::cv_phypResvMemInfo {}; @@ -75,6 +76,19 @@ errlHndl_t PreVerifiedLidMgr::loadFromPnor(const PNOR::SectionId i_sec, i_size); } +errlHndl_t PreVerifiedLidMgr::loadFromMCL(const uint32_t i_lidId, + const uint64_t i_addr, + const size_t i_size, + const bool i_isPhypComp, + uint64_t &o_resvMemAddr) +{ + return Singleton<PreVerifiedLidMgr>::instance()._loadFromMCL(i_lidId, + i_addr, + i_size, + i_isPhypComp, + o_resvMemAddr); +} + /******************** Private Implementations of Static Public Methods ********************/ @@ -86,12 +100,11 @@ void PreVerifiedLidMgr::_initLock(const uint64_t i_prevAddr, mutex_lock(&cv_mutex); cv_payloadKind = TARGETING::PAYLOAD_KIND_NONE; - cv_phypLidSeen = false; // Default Reserved Memory Information cv_resvMemInfo.rangeId = i_rangeId; - cv_resvMemInfo.curAddr = i_prevAddr; - cv_resvMemInfo.prevSize = i_prevSize; + cv_resvMemInfo.curAddr = ALIGN_PAGE(i_prevAddr); + cv_resvMemInfo.prevSize = ALIGN_PAGE(i_prevSize); // PHYP Reserved Memory Information cv_phypResvMemInfo.rangeId = i_rangeId; @@ -131,7 +144,6 @@ void PreVerifiedLidMgr::_initLock(const uint64_t i_prevAddr, void PreVerifiedLidMgr::_unlock() { - TRACFCOMP(g_trac_runtime, "PreVerifiedLidMgr::_unlock"); mutex_unlock(&cv_mutex); } @@ -162,16 +174,14 @@ errlHndl_t PreVerifiedLidMgr::_loadFromPnor(const PNOR::SectionId i_sec, break; } - // Get next available HB resverved memory address + // Get next available HB reserved memory address cv_pResvMemInfo->curAddr = getNextAddress(i_size); - // @TODO RTC:178163 remove need for l_loadImage bool l_loadImage = false; if(cv_payloadKind == TARGETING::PAYLOAD_KIND_PHYP) { - // @TODO RTC:178163 enable when we can Load ALL pre-verfied lids - // There are checks in phyp for ANY hdat entry marked "RHB_TYPE_VERIFIED_LIDS" - // If there are any missing phyp will fail to boot. + // @TODO RTC:178163 enable when PHYP changes necessary for pre-verified + // lids are in a fips release /* l_loadImage = true; // Verified Lid - Header Only @@ -184,7 +194,7 @@ errlHndl_t PreVerifiedLidMgr::_loadFromPnor(const PNOR::SectionId i_sec, l_errl = RUNTIME::setNextHbRsvMemEntry(HDAT::RHB_TYPE_VERIFIED_LIDS, cv_pResvMemInfo->rangeId, cv_pResvMemInfo->curAddr, - getAlignedSize(PAGE_SIZE), + PAGE_SIZE, l_containerLidStr); if(l_errl) { @@ -202,7 +212,7 @@ errlHndl_t PreVerifiedLidMgr::_loadFromPnor(const PNOR::SectionId i_sec, l_errl = RUNTIME::setNextHbRsvMemEntry(HDAT::RHB_TYPE_VERIFIED_LIDS, cv_pResvMemInfo->rangeId, cv_pResvMemInfo->curAddr+PAGE_SIZE, - getAlignedSize(i_size), + i_size, l_lidStr); if(l_errl) { @@ -254,6 +264,83 @@ errlHndl_t PreVerifiedLidMgr::_loadFromPnor(const PNOR::SectionId i_sec, return l_errl; } +errlHndl_t PreVerifiedLidMgr::_loadFromMCL(const uint32_t i_lidId, + const uint64_t i_addr, + const size_t i_size, + const bool i_isPhypComp, + uint64_t &o_resvMemAddr) +{ + mutex_lock(&cv_loadImageMutex); + + TRACFCOMP(g_trac_runtime, ENTER_MRK"PreVerifiedLidMgr::_loadFromMCL lid = 0x%X", + i_lidId); + + errlHndl_t l_errl = nullptr; + + // Switch to Different Memory Info for PHYP component + if (i_isPhypComp) + { + cv_pResvMemInfo = &cv_phypResvMemInfo; + TRACFCOMP( g_trac_runtime, "PreVerifiedLidMgr::_loadFromMCL - Loading Special Component PHYP"); + } + + do { + + // Only load if not previously done. + if( isLidLoaded(i_lidId) ) + { + TRACFCOMP( g_trac_runtime, "PreVerifiedLidMgr::_loadFromMCL - lid 0x%08X already loaded", + i_lidId); + continue; + } + + // Get next available HB reserved memory address + cv_pResvMemInfo->curAddr = getNextAddress(i_size); + + // Return the address the lid was loaded to the caller + o_resvMemAddr = cv_pResvMemInfo->curAddr; + + if(cv_payloadKind == TARGETING::PAYLOAD_KIND_PHYP) + { + // Verified Lid + char l_lidStr[Util::lidIdStrLength] {}; + snprintf (l_lidStr, Util::lidIdStrLength, "%08X",i_lidId); + l_errl = RUNTIME::setNextHbRsvMemEntry(HDAT::RHB_TYPE_VERIFIED_LIDS, + cv_pResvMemInfo->rangeId, + cv_pResvMemInfo->curAddr, + i_size, + l_lidStr); + if(l_errl) + { + TRACFCOMP( g_trac_runtime, ERR_MRK"PreVerifiedLidMgr::_loadFromMCL - setNextHbRsvMemEntry Lid content failed"); + break; + } + + // Load image into HB reserved memory + l_errl = loadImage(i_addr, i_size); + if(l_errl) + { + TRACFCOMP( g_trac_runtime, ERR_MRK"PreVerifiedLidMgr::_loadFromMCL - Load Image failed"); + break; + } + + // Indicate the lid has been loaded + cv_lidsLoaded.insert(std::make_pair(i_lidId, true)); + } + + } while (0); + + // Force switch back to default reserved memory info + cv_pResvMemInfo = &cv_resvMemInfo; + + TRACFCOMP(g_trac_runtime, EXIT_MRK"PreVerifiedLidMgr::_loadFromMCL lid = 0x%X", + i_lidId); + + mutex_unlock(&cv_loadImageMutex); + + return l_errl; +} + /******************** Private/Protected Methods ********************/ @@ -293,22 +380,29 @@ bool PreVerifiedLidMgr::isLidLoaded(uint32_t i_lidId) errlHndl_t PreVerifiedLidMgr::loadImage(const uint64_t i_imgAddr, const size_t i_imgSize) { - TRACFCOMP( g_trac_runtime, ENTER_MRK"PreVerifiedLidMgr::loadImage"); + TRACFCOMP( g_trac_runtime, ENTER_MRK"PreVerifiedLidMgr::loadImage addr = 0x%X, size = 0x%X", + i_imgAddr, i_imgSize); errlHndl_t l_errl = nullptr; do { uint64_t l_tmpVaddr = 0; + size_t l_alignedSize = ALIGN_PAGE(i_imgSize); + // Load the Verified image into HB resv memory - l_errl = RUNTIME::mapPhysAddr(cv_pResvMemInfo->curAddr, i_imgSize, l_tmpVaddr); + l_errl = RUNTIME::mapPhysAddr(cv_pResvMemInfo->curAddr, l_alignedSize, l_tmpVaddr); if(l_errl) { TRACFCOMP( g_trac_runtime, ERR_MRK"PreVerifiedLidMgr::loadImage - mapPhysAddr failed"); break; } + TRACFCOMP(g_trac_runtime, "PreVerifiedLidMgr::loadImage - curAddr 0x%X, size 0x%X, vaddr 0x%X", + cv_pResvMemInfo->curAddr, i_imgSize, l_tmpVaddr); + // Include Header page from pnor image. + // NOTE: Do not use aligned size for memcpy memcpy(reinterpret_cast<void*>(l_tmpVaddr), reinterpret_cast<void*>(i_imgAddr), i_imgSize); @@ -320,9 +414,18 @@ errlHndl_t PreVerifiedLidMgr::loadImage(const uint64_t i_imgAddr, break; } - // Update previous size using aligned size for OPAL alignment even if that - // means there is some wasted space. - cv_pResvMemInfo->prevSize = getAlignedSize(i_imgSize); + if(cv_payloadKind == TARGETING::PAYLOAD_KIND_SAPPHIRE) + { + // Update previous size using aligned size for OPAL alignment even if + // that means there is some wasted space. + cv_pResvMemInfo->prevSize = getAlignedSize(i_imgSize); + } + else + { + // align previous size to page size to ensure starting addresses are + // page aligned. + cv_pResvMemInfo->prevSize = l_alignedSize; + } } while(0); diff --git a/src/usr/secureboot/trusted/base/trustedboot_base.C b/src/usr/secureboot/trusted/base/trustedboot_base.C index a429e9b3d..806ecd91e 100644 --- a/src/usr/secureboot/trusted/base/trustedboot_base.C +++ b/src/usr/secureboot/trusted/base/trustedboot_base.C @@ -62,10 +62,11 @@ TRAC_INIT( & g_trac_trustedboot, "TRBOOT", KILOBYTE ); namespace TRUSTEDBOOT { -#ifdef CONFIG_TPMDD // Const string to append to PCR extension messages const char* const FW_KEY_HASH_EXT = " FW KEY HASH"; +#ifdef CONFIG_TPMDD + /// Global object to store system trusted boot data SystemData systemData; diff --git a/src/usr/util/test/testmclmgr.H b/src/usr/util/test/testmclmgr.H index d5ce9eec5..9f425a285 100644 --- a/src/usr/util/test/testmclmgr.H +++ b/src/usr/util/test/testmclmgr.H @@ -31,15 +31,22 @@ #include <util/utilmclmgr.H> #include "../utilbase.H" #include <usr/vmmconst.h> +#include <runtime/preverifiedlidmgr.H> namespace MCL { -// Defines to simplify list initialzer syntax -#define COMP_TEST1 {0x54,0x45,0x53,0x54,0x31} -#define COMP_TEST2 {0x54,0x45,0x53,0x54,0x32} -#define COMP_TEST3 {0x54,0x45,0x53,0x54,0x33} -#define COMP_TEST4 {0x54,0x45,0x53,0x54,0x34} +// Constants to simplify code +const ComponentID COMP_TEST1 {"TEST1"}; +const ComponentID COMP_TEST2 {"TEST2"}; +const ComponentID COMP_TEST3 {"TEST3"}; +// Component ids are not null terminated. So test a 16 byte comp ID +// NOTE: You cannot use a CHAR initializer list equal to the size of the array +// as the compiler expects a space for the null terminator. +// So setting the hex values directly. +// ASCII: TESTMAXSIZEOFSTR +const ComponentID COMP_TEST4 {0x54,0x45,0x53,0x54,0x4d,0x41,0x58,0x53, + 0x49,0x5a,0x45,0x4f,0x46,0x53,0x54,0x52}; // Define deault vectors to simplify syntax const std::vector<uint32_t> defaultLids {0xA1234567, 0x89ABCDEF, 0x13579246}; @@ -92,7 +99,7 @@ public: initMcl(); } - TestMcl(std::vector<uint32_t>& i_lids) + TestMcl(const std::vector<uint32_t>& i_lids) : iv_size(0),iv_bufferCur(nullptr),iv_bufferStart(nullptr), iv_pHeader(nullptr), iv_compInfoCache{}, iv_testLids{i_lids}, iv_testComps{defaultComps} @@ -100,8 +107,8 @@ public: initMcl(); } - TestMcl(std::vector<uint32_t>& i_lids, - std::vector<std::pair<ComponentID,bool> >& i_comps) + TestMcl(const std::vector<uint32_t>& i_lids, + const std::vector<std::pair<ComponentID,bool> >& i_comps) : iv_size(0),iv_bufferCur(nullptr),iv_bufferStart(nullptr), iv_pHeader(nullptr), iv_compInfoCache{}, iv_testLids{i_lids}, iv_testComps{i_comps} @@ -235,6 +242,88 @@ public: UTIL_FT(EXIT_MRK"testMCLparser complete"); } + + void testProcessMclComponents() + { + UTIL_FT(ENTER_MRK"testProcessMclComponents start" ); + + errlHndl_t l_errl = nullptr; + + // Generate test MCL with test lids + TestMcl l_TestMcl { {Util::TEST_LIDID, Util::TEST_LIDID}, + {{COMP_TEST1,false}} + }; + + // Pass test MCL to MCL manager + MasterContainerLidMgr l_mcl(l_TestMcl.iv_bufferStart, + l_TestMcl.iv_size); + + // Ensure the Comp Info Caches match + if (l_TestMcl.iv_compInfoCache != l_mcl.iv_compInfoCache) + { + TS_FAIL("testProcessMclComponents> Comp Info Caches do not match"); + } + + PreVerifiedLidMgr::initLock(PREVERLIDMGR_TEST_ADDR); + + // Get Instance of Pre-Verified lid manager + auto l_preVerLidMgr = PreVerifiedLidMgr::getInstance(); + + // Clear lids loaded cache as other test cases fill it in. + l_preVerLidMgr.cv_lidsLoaded.clear(); + + l_errl = l_mcl.processComponents(); + if(l_errl) + { + errlCommit(l_errl,UTIL_COMP_ID); + TS_FAIL("testProcessMclComponents> processComponents failed"); + } + + PreVerifiedLidMgr::unlock(); + + UTIL_FT(EXIT_MRK"testProcessMclComponents complete"); + } + + void testProcessSecureMclComponents() + { + UTIL_FT(ENTER_MRK"testProcessSecureMclComponents start" ); + + errlHndl_t l_errl = nullptr; + + // Generate test MCL with Secure Lids + TestMcl l_TestMcl { {Util::TEST_LIDID, Util::TEST_LIDID}, + {{COMP_TEST2,true}} + }; + + // Pass test MCL to MCL manager + MasterContainerLidMgr l_mcl(l_TestMcl.iv_bufferStart, + l_TestMcl.iv_size); + + // Ensure the Comp Info Caches match + if (l_TestMcl.iv_compInfoCache != l_mcl.iv_compInfoCache) + { + TS_FAIL("testProcessSecureMclComponents> Comp Info Caches do not match"); + } + + PreVerifiedLidMgr::initLock(PREVERLIDMGR_TEST_ADDR); + + // Get Instance of Pre-Verified lid manager + auto l_preVerLidMgr = PreVerifiedLidMgr::getInstance(); + + // Clear lids loaded cache as other test cases fill it in. + l_preVerLidMgr.cv_lidsLoaded.clear(); + + l_errl = l_mcl.processComponents(); + if(l_errl) + { + errlCommit(l_errl,UTIL_COMP_ID); + TS_FAIL("testProcessSecureMclComponents> processComponents failed"); + } + + PreVerifiedLidMgr::unlock(); + + UTIL_FT(EXIT_MRK"testProcessSecureMclComponents complete"); + } }; #endif
\ No newline at end of file diff --git a/src/usr/util/utillidmgr.C b/src/usr/util/utillidmgr.C index f8ef376e0..6ab0751f8 100644 --- a/src/usr/util/utillidmgr.C +++ b/src/usr/util/utillidmgr.C @@ -830,7 +830,7 @@ void UtilLidMgr::updateLid(uint32_t i_lidId) //different extension. sprintf(iv_lidFileName, "%x.lidbin", iv_lidId); iv_isLidInPnor = getLidPnorSectionInfo(iv_lidId, iv_lidPnorInfo); - UTIL_FT(INFO_MRK "UtilLidMgr: LID 0x%.8X in pnor: %d", + UTIL_DT(INFO_MRK "UtilLidMgr: LID 0x%.8X in pnor: %d", iv_lidId ,iv_isLidInPnor); iv_isLidInVFS = VFS::module_exists(iv_lidFileName); diff --git a/src/usr/util/utilmclmgr.C b/src/usr/util/utilmclmgr.C index a3f9077ff..79e527621 100644 --- a/src/usr/util/utilmclmgr.C +++ b/src/usr/util/utilmclmgr.C @@ -30,17 +30,33 @@ #include <errl/errlentry.H> #include <errl/errlmanager.H> #include <initservice/initserviceif.H> +#include <secureboot/trustedbootif.H> +#include <runtime/preverifiedlidmgr.H> +#include <limits.h> namespace MCL { const size_t MclCompSectionPadSize = 16; -// Defines to simplify list initialzer syntax -#define COMP_MSTCONT {0x4d,0x53,0x54,0x43,0x4f,0x4e,0x54} -#define COMP_POWERVM {0x50,0x4f,0x57,0x45,0x52,0x56,0x4d} -const ComponentID g_MclCompId = COMP_MSTCONT; -const ComponentID g_PowervmCompId = COMP_POWERVM; +const ComponentID g_MclCompId {"MSTCONT"}; +const ComponentID g_PowervmCompId {"POWERVM"}; + +void compIdToString(const ComponentID i_compId, CompIdString o_compIdStr) +{ + memcpy(o_compIdStr, + i_compId.data(), + sizeof(ComponentID)); +} + +uint64_t compIdToInt(const ComponentID i_compId) +{ + uint64_t l_compId {}; + + memcpy(&l_compId, i_compId.data(), sizeof(l_compId)); + + return l_compId; +} //////////////////////////////////////////////////////////////////////////////// // CompInfo @@ -66,8 +82,9 @@ void CompInfo::print() const MasterContainerLidMgr::MasterContainerLidMgr() : iv_mclAddr(MCL_ADDR), iv_mclSize(MCL_SIZE), iv_tmpAddr(MCL_TMP_ADDR), - iv_tmpSize(MCL_TMP_SIZE), iv_pMclVaddr(nullptr), iv_pTempVaddr(nullptr), - iv_compInfoCache{} + iv_tmpSize(MCL_TMP_SIZE), iv_maxSize(0), iv_pMclVaddr(nullptr), + iv_pTempVaddr(nullptr), iv_pVaddr(nullptr), iv_compInfoCache{}, + iv_hasHeader(true) { initMcl(); } @@ -75,8 +92,9 @@ MasterContainerLidMgr::MasterContainerLidMgr() MasterContainerLidMgr::MasterContainerLidMgr(const void* i_pMcl, const size_t i_size) : iv_mclAddr(MCL_ADDR), iv_mclSize(MCL_SIZE), iv_tmpAddr(MCL_TMP_ADDR), - iv_tmpSize(MCL_TMP_SIZE), iv_pMclVaddr(nullptr), iv_pTempVaddr(nullptr), - iv_compInfoCache{} + iv_tmpSize(MCL_TMP_SIZE), iv_maxSize(0), iv_pMclVaddr(nullptr), + iv_pTempVaddr(nullptr), iv_pVaddr(nullptr), iv_compInfoCache{}, + iv_hasHeader(false) { initMcl(i_pMcl, i_size); } @@ -84,6 +102,7 @@ MasterContainerLidMgr::MasterContainerLidMgr(const void* i_pMcl, MasterContainerLidMgr::~MasterContainerLidMgr() { // Release all address spaces + releaseMem(iv_tmpAddr, iv_pMclVaddr); releaseMem(iv_tmpAddr, iv_pTempVaddr); } @@ -91,15 +110,24 @@ void MasterContainerLidMgr::initMcl(const void* i_pMcl, const size_t i_mclSize) { UTIL_FT(ENTER_MRK"MasterContainerLidMgr::initMcl"); + errlHndl_t l_errl = nullptr; + // Add MCL itself to Cache but don't add to comp order CompInfo l_compHdrInfo(CompFlags::SIGNED_PRE_VERIFY); LidInfo l_hdrLidInfo(Util::MCL_LIDID); l_compHdrInfo.lidIds.push_back(l_hdrLidInfo); iv_compInfoCache.insert(std::make_pair(g_MclCompId, l_compHdrInfo)); + // Cache Component ID string + compIdToString(g_MclCompId, iv_curCompIdStr); + // Initialize MCL address space initMem(iv_mclAddr, iv_mclSize, iv_pMclVaddr); + // Use MCL address and size for parsing + iv_pVaddr = iv_pMclVaddr; + iv_maxSize = iv_mclSize; + if(i_pMcl != nullptr) { // set cached MCL pointer with custom MCL @@ -107,15 +135,29 @@ void MasterContainerLidMgr::initMcl(const void* i_pMcl, const size_t i_mclSize) } else { - // Load Lid + // No custom MCL, load default way + l_errl = processComponent(g_MclCompId, + iv_compInfoCache.at(g_MclCompId)); + if (l_errl) + { + uint64_t l_reasonCode = l_errl->reasonCode(); + UTIL_FT(ERR_MRK"MasterContainerLidMgr::initMcl failed to process MCL shutting down rc=0x%08X", + l_reasonCode); + errlCommit(l_errl,UTIL_COMP_ID); + INITSERVICE::doShutdown(l_reasonCode); + } } // Parse all Components in MCL parseMcl(); - // Initialize temporary space for processing lids + // Initialize temporary space for processing other components initMem(iv_tmpAddr, iv_tmpSize, iv_pTempVaddr); + // Switch to temp address and size for all other components + iv_pVaddr = iv_pTempVaddr; + iv_maxSize = iv_tmpSize; + UTIL_FT(EXIT_MRK"MasterContainerLidMgr::initMcl"); } @@ -161,6 +203,8 @@ void MasterContainerLidMgr::releaseMem(const uint64_t i_physAddr, if (l_errl) { uint64_t l_reasonCode = l_errl->reasonCode(); + UTIL_FT(ERR_MRK"MasterContainerLidMgr::releaseMem failed to release memory rc=0x%08X", + l_reasonCode); errlCommit(l_errl,UTIL_COMP_ID); INITSERVICE::doShutdown(l_reasonCode); } @@ -212,6 +256,8 @@ void MasterContainerLidMgr::initMem(const uint64_t i_physAddr, if (l_errl) { uint64_t l_reasonCode = l_errl->reasonCode(); + UTIL_FT(ERR_MRK"MasterContainerLidMgr::initMem failed to initialize memory rc=0x%08X", + l_reasonCode); errlCommit(l_errl,UTIL_COMP_ID); INITSERVICE::doShutdown(l_reasonCode); } @@ -227,6 +273,12 @@ void MasterContainerLidMgr::parseMcl() auto l_pMcl = reinterpret_cast<const uint8_t*>(iv_pMclVaddr); + // If MCL has a header make sure to skip over it for parsing + if (iv_hasHeader) + { + l_pMcl += PAGESIZE; + } + // Parse MCL header auto l_pMclHdr = reinterpret_cast<const MclHeader*>(l_pMcl); uint8_t l_totalComponents = l_pMclHdr->numComponents; @@ -272,4 +324,389 @@ void MasterContainerLidMgr::printCompInfoCache() } } +errlHndl_t MasterContainerLidMgr::processComponents() +{ + errlHndl_t l_errl = nullptr; + + for (auto & compInfoPair : iv_compInfoCache) + { + // Skip the MCL itself as it's already been processed + if (compInfoPair.first == g_MclCompId) + { + continue; + } + + // Cache Component ID string + compIdToString(compInfoPair.first, iv_curCompIdStr); + + l_errl = processComponent(compInfoPair.first, compInfoPair.second); + if (l_errl) + { + UTIL_FT(ERR_MRK"MasterContainerLidMgr::processComponents - failed for componentId %s", + iv_curCompIdStr); + break; + } + // Print Comp Info after loading lid and verifying + iv_compInfoCache.at(compInfoPair.first).print(); + } + + return l_errl; +} + +errlHndl_t MasterContainerLidMgr::processComponent(const ComponentID& i_compId, + CompInfo& io_compInfo) +{ + UTIL_FT(ENTER_MRK"MasterContainerLidMgr::processComponent %s", + iv_curCompIdStr); + + errlHndl_t l_errl = nullptr; + bool l_skipLoad = false; + + do { + + // @TODO RTC:125304 Provide support for a preloaded PHYP + // Check if Component is POWERVM + bool isPhypComp = (i_compId == g_PowervmCompId) ? true : false; + // Still skip PHYP if (!isTCEmode) + if (isPhypComp) + { + // Skip Lid loading if PHYP component and in TCEmode + l_skipLoad = true; + // Only Skip PHYP if not in TCEmode + UTIL_FT("MasterContainerLidMgr::processComponent skipping POWERVM compoenent"); + break; + } + + // Only process compoenents if they are marked PRE_VERIFY + if( (io_compInfo.flags & CompFlags::PRE_VERIFY) != + CompFlags::PRE_VERIFY) + { + UTIL_FT("MasterContainerLidMgr::processComponent not a pre-verify section skipping..."); + break; + } + + // Total size of all Lids in component reoprted by the FSP + size_t l_reportedSize = 0; + if (!l_skipLoad) + { + // Load lids into temp mainstore memory + l_errl = loadLids(io_compInfo, l_reportedSize); + if (l_errl) + { + break; + } + } + // Set total size of component. + // Note: It will be reassigned later if a secure header is present + io_compInfo.totalSize = l_reportedSize; + + // Verify component's lids + l_errl = verifyExtend(i_compId, io_compInfo); + if (l_errl) + { + break; + } + + // Ensure the total size of all lids fit in the mainstore memory region + if (io_compInfo.totalSize > iv_maxSize) + { + UTIL_FT(ERR_MRK"MasterContainerLidMgr::processComponent - Invalid size. Component total size=0x%X, max size =0x%X", + io_compInfo.totalSize, iv_maxSize); + /*@ + * @errortype + * @moduleid Util::UTIL_MCL_PROCESS_COMP + * @reasoncode Util::UTIL_LIDMGR_INVAL_SIZE + * @userdata1[0:31] Total Size of Component + * @userdata1[32:63] Max size of memory region + * @userdata2 Component ID [truncated to 8 bytes] + * @devdesc Error processing component for Mcl Mgr + * @custdesc Firmware Error + */ + l_errl = new ERRORLOG::ErrlEntry( + ERRORLOG::ERRL_SEV_UNRECOVERABLE, + Util::UTIL_MCL_PROCESS_COMP, + Util::UTIL_LIDMGR_INVAL_SIZE, + TWO_UINT32_TO_UINT64( + TO_UINT32(io_compInfo.totalSize), + TO_UINT32(iv_maxSize)), + compIdToInt(i_compId), + true); //software callout + l_errl->collectTrace(UTIL_COMP_NAME); + break; + } + + // Ensure what was read by the FSP matches the total size found in the + // Secure Header. If there is no secure header, this path should not be hit. + // *NOTE: Skip check if lid loading was skipped + if ( !l_skipLoad && (io_compInfo.totalSize != l_reportedSize)) + { + UTIL_FT(ERR_MRK"MasterContainerLidMgr::processComponent - Size Mismatch. Component total size=0x%X, size read by FSP=0x%X", + io_compInfo.totalSize, l_reportedSize); + /*@ + * @errortype + * @moduleid Util::UTIL_MCL_PROCESS_COMP + * @reasoncode Util::UTIL_MCL_SIZE_MISMATCH + * @userdata1[0:31] Total Size of Component + * @userdata1[32:63] Size read by FSP + * @userdata2 Component ID [truncated to 8 bytes] + * @devdesc Error processing component for Mcl Mgr + * @custdesc Firmware Error + */ + l_errl = new ERRORLOG::ErrlEntry( + ERRORLOG::ERRL_SEV_UNRECOVERABLE, + Util::UTIL_MCL_PROCESS_COMP, + Util::UTIL_MCL_SIZE_MISMATCH, + TWO_UINT32_TO_UINT64( + TO_UINT32(io_compInfo.totalSize), + TO_UINT32(l_reportedSize)), + compIdToInt(i_compId), + true); //software callout + l_errl->collectTrace(UTIL_COMP_NAME); + break; + } + + // Clear unused memory + if (io_compInfo.totalSize < iv_maxSize) + { + // Get pointer to end of used space + uint8_t* l_pUnused = reinterpret_cast<uint8_t*>(iv_pVaddr) + + io_compInfo.totalSize; + memset(l_pUnused, 0, iv_maxSize - io_compInfo.totalSize); + } + + // Only load lids into HB reserved memory if component is preverified + if( (io_compInfo.flags & CompFlags::PRE_VERIFY) == + CompFlags::PRE_VERIFY) + { + auto l_curAddr = reinterpret_cast<uint64_t>(iv_pVaddr); + bool l_firstLid = true; + for (auto & lidInfo : io_compInfo.lidIds) + { + uint64_t l_addr = 0; + // Load Pnor section into HB reserved memory + l_errl = PreVerifiedLidMgr::loadFromMCL(lidInfo.id, + l_curAddr, + lidInfo.size, + isPhypComp, + l_addr); + if(l_errl) + { + break; + } + // Increment tmp address by lid size + l_curAddr += lidInfo.size; + + // Save starting address of entire component, not each lid + if (l_firstLid) + { + // Set mainstore memory address in cache + io_compInfo.mainstoreAddr = l_addr; + l_firstLid = false; + } + } + if(l_errl) + { + break; + } + } + + } while(0); + + UTIL_FT(EXIT_MRK"MasterContainerLidMgr::processComponent"); + + return l_errl; +} + +errlHndl_t MasterContainerLidMgr::loadLids(CompInfo& io_compInfo, + size_t& o_totalSize) +{ + UTIL_FT(ENTER_MRK"MasterContainerLidMgr::loadLids"); + errlHndl_t l_errl = nullptr; + + // Force total size to zero + o_totalSize = 0; + // Pointer to mainstore memory temp space + uint8_t* l_pLidVaddr = reinterpret_cast<uint8_t*>(iv_pVaddr); + // Remaining size to load lids into + size_t l_remainSize = iv_maxSize; + + // Iterate through all Lids associated with a component + // NOTE: iterate by reference to update lidInfo + for (auto & lidInfo : io_compInfo.lidIds) + { + // Get Lid from FSP + UtilLidMgr l_lidMgr(lidInfo.id); + // Get size of current lid to be loaded + size_t l_lidSize = 0; + l_errl = l_lidMgr.getLidSize(l_lidSize); + if(l_errl) + { + UTIL_FT(ERR_MRK"MasterContainerLidMgr::loadLids - Error getting size of lidId=0x%.8x", + lidInfo.id); + break; + } + // Update lid size + lidInfo.size = l_lidSize; + + // Load lid into vaddr location. API will check if remaining size is + // enough; throwing an error if not. + l_errl = l_lidMgr.getLid(reinterpret_cast<void*>(l_pLidVaddr), + l_remainSize); + if(l_errl) + { + UTIL_FT(ERR_MRK"MasterContainerLidMgr::loadLids - Error getting lidId=0x%.8x", + lidInfo.id); + break; + } + + // Increment vaddr pointer + l_pLidVaddr += l_lidSize; + + // Decrement size remaining in mainstore memory temp space + if (l_lidSize >= l_remainSize) + { + l_remainSize = 0; + } + else + { + l_remainSize -= l_lidSize; + } + + // Increment total size + o_totalSize += l_lidSize; + } + + UTIL_FT(EXIT_MRK"MasterContainerLidMgr::loadLids"); + + return l_errl; +} + +errlHndl_t MasterContainerLidMgr::verifyExtend(const ComponentID& i_compId, + CompInfo& io_compInfo) +{ + UTIL_FT(ENTER_MRK"MasterContainerLidMgr::verifyExtend"); + + errlHndl_t l_errl = nullptr; + + do { + // Only Verify and Extend if Component is Signed and Preverified + if( (io_compInfo.flags & CompFlags::SIGNED_PRE_VERIFY) == + CompFlags::SIGNED_PRE_VERIFY) + { + // Only verify the lids if in secure mode + if (SECUREBOOT::enabled()) + { + // Verify Container - some combination of Lids + l_errl = SECUREBOOT::verifyContainer(iv_pVaddr); + if (l_errl) + { + UTIL_FT(ERR_MRK"MasterContainerLidMgr::verifyExtend - failed verifyContainer"); + SECUREBOOT::handleSecurebootFailure(l_errl); + assert(false,"Bug! handleSecurebootFailure shouldn't return!"); + } + } + + // Parse Container Header + SECUREBOOT::ContainerHeader l_conHdr(iv_pVaddr); + + // Cache size stats into comp info cache + // @TODO RTC:125304 re-enable when total size is supported correctly + //io_compInfo.totalSize = l_conHdr.totalContainerSize(); + io_compInfo.protectedSize = l_conHdr.payloadTextSize(); + //io_compInfo.unprotectedSize = l_conHdr.totalContainerSize() - + // l_conHdr.payloadTextSize(); + + // @TODO RTC:125304 re-enable when component id is supported in lids + if (0)// memcmp(l_conHdr.componentId(), i_compId.data(), + // SW_HDR_COMP_ID_SIZE_BYTES) != 0 ) + { + uint64_t l_secHdrCompId {}; + uint64_t l_mclCompId {}; + memcpy(&l_secHdrCompId, l_conHdr.componentId(), SW_HDR_COMP_ID_SIZE_BYTES); + memcpy(&l_mclCompId, i_compId.data(), SW_HDR_COMP_ID_SIZE_BYTES); + + UTIL_FT(ERR_MRK"MasterContainerLidMgr::verifyExtend - ComponentID mismatch between secure header = %.16llX and master container lid %.16llX", + l_secHdrCompId, l_mclCompId); + /*@ + * @errortype + * @moduleid Util::UTIL_MCL_VERIFY_EXT + * @reasoncode Util::UTIL_MCL_COMPID_MISMATCH + * @userdata1 Secure Header Comp ID + * @userdata2 Master Container Lid Comp ID + * @devdesc Error processing component for Mcl Mgr + * @custdesc Firmware Error + */ + l_errl = new ERRORLOG::ErrlEntry( + ERRORLOG::ERRL_SEV_UNRECOVERABLE, + Util::UTIL_MCL_VERIFY_EXT, + Util::UTIL_MCL_COMPID_MISMATCH, + l_secHdrCompId, + l_mclCompId, + true); //software callout + l_errl->collectTrace(UTIL_COMP_NAME); + break; + } + + tpmExtend(i_compId, l_conHdr); + } + } while(0); + + UTIL_FT(EXIT_MRK"MasterContainerLidMgr::verifyExtend"); + + return l_errl; +} + +errlHndl_t MasterContainerLidMgr::tpmExtend(const ComponentID& i_compId, + const SECUREBOOT::ContainerHeader& i_conHdr) const +{ + UTIL_FT(ENTER_MRK"MasterContainerLidMgr::tpmExtend"); + + errlHndl_t l_errl = nullptr; + + // PCR 4 Message <Component ID> + char pcr4Msg[sizeof(ComponentID)+1]; + memset(pcr4Msg, 0, sizeof(pcr4Msg)); + memcpy(pcr4Msg, &i_compId, sizeof(ComponentID)); + + // PCR 5 Message <Component ID FW KEY HASH> + char pcr5Msg[sizeof(ComponentID)+strlen(TRUSTEDBOOT::FW_KEY_HASH_EXT)+1]; + memset(pcr5Msg, 0, sizeof(pcr5Msg)); + strcat(pcr5Msg,pcr4Msg); + strcat(pcr5Msg,TRUSTEDBOOT::FW_KEY_HASH_EXT); + + do { + + // Extend protected payload hash + l_errl = TRUSTEDBOOT::pcrExtend(TRUSTEDBOOT::PCR_4, + TRUSTEDBOOT::EV_COMPACT_HASH, + reinterpret_cast<const uint8_t*>(i_conHdr.payloadTextHash()), + sizeof(SHA512_t), + pcr4Msg); + if (l_errl) + { + UTIL_FT(ERR_MRK "MasterContainerLidMgr::tpmExtend - pcrExtend() (payload text hash) failed for component %s", + iv_curCompIdStr); + break; + } + + // Extend SW keys hash + l_errl = TRUSTEDBOOT::pcrExtend(TRUSTEDBOOT::PCR_5, + TRUSTEDBOOT::EV_COMPACT_HASH, + reinterpret_cast<const uint8_t*>(i_conHdr.swKeyHash()), + sizeof(SHA512_t), + pcr5Msg); + if (l_errl) + { + UTIL_FT(ERR_MRK "MasterContainerLidMgr::tpmExtend - pcrExtend() (FW key hash) failed for component %s", + iv_curCompIdStr); + break; + } + + } while(0); + + UTIL_FT(EXIT_MRK"MasterContainerLidMgr::tpmExtend"); + + return l_errl; +} + } // end namespace MCL |
