authorStephen Cprek <smcprek@us.ibm.com>2017-04-20 11:02:58 -0500
committerDaniel M. Crowell <dcrowell@us.ibm.com>2017-04-28 15:46:38 -0400
commit942885a519471aa18706f6b48400beb9c009d329 (patch)
tree7016969be50671de1ba8ebabf68c95fd294e1261
parente53a2e5cd5b152d6e565f56867f1f8cd435e7556 (diff)
downloadtalos-hostboot-942885a519471aa18706f6b48400beb9c009d329.tar.gz
talos-hostboot-942885a519471aa18706f6b48400beb9c009d329.zip
Sign and Verify the hostboot runtime partition (port from p8)
Change-Id: I04d303b2fe08a9c3fff4e9f3cc0be9768279637d RTC: 171706 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/39521 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
-rwxr-xr-xsrc/build/buildpnor/genPnorImages.pl11
-rw-r--r--src/usr/runtime/populate_hbruntime.C8
-rw-r--r--src/usr/testcore/rtloader/loader.H21
3 files changed, 33 insertions, 7 deletions
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
index 5edc38d0a..d343c50c9 100755
--- a/src/build/buildpnor/genPnorImages.pl
+++ b/src/build/buildpnor/genPnorImages.pl
@@ -537,8 +537,9 @@ sub manipulateImages
# Sections that have secureboot support. Secureboot still must be
# enabled for secureboot actions on these partitions to occur.
# @TODO securebootp9 re-enable with SBE/SBEC/PAYLOAD secureboot ports
- my $isNormalSecure = ($eyeCatch eq "SBE");
- #$isNormalSecure ||= ($eyeCatch eq "HBRT");
+ my $isNormalSecure ||= ($eyeCatch eq "HBBL");
+ $isNormalSecure ||= ($eyeCatch eq "SBE");
+ $isNormalSecure ||= ($eyeCatch eq "HBRT");
#$isNormalSecure ||= ($eyeCatch eq "SBEC");
$isNormalSecure ||= ($eyeCatch eq "PAYLOAD");
#$isNormalSecure ||= ($eyeCatch eq "OCC");
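Review bot: The first added line, `my $isNormalSecure ||= ($eyeCatch eq "HBBL");`, declares the variable and applies `||=` in one statement. A freshly declared `my` scalar is undef, so this behaves as a plain assignment, but it reads as if it extends an earlier value and will trip anyone who later reorders these lines. Write it as `my $isNormalSecure = ($eyeCatch eq "HBBL");` and keep `||=` for the lines that follow. The `@TODO securebootp9` comment above still names SBE and PAYLOAD as pending, although both are active lines in this hunk; it should list only the eye-catchers that remain commented out.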
@@ -547,9 +548,11 @@ sub manipulateImages
my $isSpecialSecure = ($eyeCatch eq "HBB");
$isSpecialSecure ||= ($eyeCatch eq "HBD");
- $isSpecialSecure ||= ($eyeCatch eq "HBBL");
#$isSpecialSecure ||= ($eyeCatch eq "HBI");
+ # Used to indicate security is supported in firmware
+ my $secureSupported = $isNormalSecure || $isSpecialSecure;
+
# If there is a non-default header for this section, use it instead
my $header = $sb_hdrs{DEFAULT};
if(exists $sb_hdrs{$eyeCatch})
@@ -609,7 +612,7 @@ sub manipulateImages
$fsp_prefix.=".header";
# Add secure container header
# @TODO RTC:155374 Remove when official signing supported
- if ($secureboot && $isSpecialSecure)
+ if ($secureboot && $secureSupported)
{
$callerHwHdrFields{configure} = 1;
# @TODO securebootp9 re-enable hash page table with vfs page table port
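Review bot: Switching the condition to `$secureboot && $secureSupported` makes every section flagged normal-secure (HBBL, SBE, HBRT and PAYLOAD in this commit) take the secure-container-header path, not only HBRT as the commit title suggests. The firmware side of this commit adds a `loadSecureSection` call only for `PNOR::HB_RUNTIME`, so whether the consumers of SBE and PAYLOAD already expect and verify a container header cannot be confirmed from this page. If they do not, either restrict the change, e.g. `if ($secureboot && ($isSpecialSecure || $eyeCatch eq "HBRT"))`, or add a comment at the `$secureSupported` definition stating which loaders verify each listed section. The `if` body continues past the end of the hunk.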
diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C
index 995f76302..93ed6e4ee 100644
--- a/src/usr/runtime/populate_hbruntime.C
+++ b/src/usr/runtime/populate_hbruntime.C
@@ -913,6 +913,14 @@ errlHndl_t populate_HbRsvMem(uint64_t i_nodeId)
l_label = HBRT_RSVD_MEM__CODE;
l_labelSize = strlen(l_label) + 1;
+#ifdef CONFIG_SECUREBOOT
+ l_elog = loadSecureSection(PNOR::HB_RUNTIME);
+ if(l_elog)
+ {
+ break;
+ }
+#endif
+
PNOR::SectionInfo_t l_pnorInfo;
l_elog = getSectionInfo( PNOR::HB_RUNTIME , l_pnorInfo);
if (l_elog)
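Review bot: The added `loadSecureSection(PNOR::HB_RUNTIME)` has no matching unload on any path visible in this hunk, and unlike the test in loader.H it carries no TODO recording that omission. Since the unload is described elsewhere in this commit as a stub, at least add the same marker here, e.g. `// TODO RTC: 157475 unload the HB_RUNTIME secure section once unload is implemented`, so the production path is not missed when that story lands. The failure branch also breaks out without a trace; a line such as `TRACFCOMP(g_trac_runtime, ERR_MRK"populate_HbRsvMem: loadSecureSection(HB_RUNTIME) failed");` would make a verification failure distinguishable from the `getSectionInfo` failure that follows (the trace handle name is assumed, use the one this file already declares). The enclosing loop and the rest of populate_HbRsvMem lie outside the hunk.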
diff --git a/src/usr/testcore/rtloader/loader.H b/src/usr/testcore/rtloader/loader.H
index 8914c709b..a5167ff45 100644
--- a/src/usr/testcore/rtloader/loader.H
+++ b/src/usr/testcore/rtloader/loader.H
@@ -43,6 +43,7 @@
#include <pnor/ecc.H>
#include <ipmi/ipmiif.H>
#include <targeting/common/attributeTank.H>
+#include <config.h>
trace_desc_t* g_trac_hbrt = NULL;
TRAC_INIT(&g_trac_hbrt, "HBRT_TEST", 2*KILOBYTE);
@@ -54,11 +55,25 @@ class RuntimeLoaderTest : public CxxTest::TestSuite
void testLoader()
{
static const uint64_t HEADER_OFFSET = 0x2000;
-
+ errlHndl_t l_errl = nullptr;
+
+#ifdef CONFIG_SECUREBOOT
+ // load secure section
+ // TODO RTC: 157475 Since this is a test case and unload is
+ // merely a stub function at this point in time, add a call
+ // to unload later when the aforementioned story is implemented.
+ l_errl = loadSecureSection(PNOR::HB_RUNTIME);
+ if(l_errl)
+ {
+ TS_WARN("Could not securely load runtime section.");
+ delete l_errl;
+ l_errl = nullptr;
+ return;
+ }
+#endif
PNOR::SectionInfo_t runtimeSection;
- errlHndl_t l_errl =
- PNOR::getSectionInfo(PNOR::HB_RUNTIME, runtimeSection);
+ l_errl = PNOR::getSectionInfo(PNOR::HB_RUNTIME, runtimeSection);
if (l_errl)
{
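Review bot: When `loadSecureSection` fails, the test only emits `TS_WARN`, deletes the error log and returns, so a broken signing or verification flow for HBRT would still show up as a passing test run. In a secureboot build, failure to verify the runtime section is exactly what this test should catch; use `TS_FAIL("Could not securely load runtime section.");` instead of the warning. Deleting `l_errl` also discards the only diagnostic data; if the rest of this suite commits error logs, prefer `errlCommit(l_errl, CXXTEST_COMP_ID);` (confirm the component id used elsewhere in this file). testLoader's body continues beyond the hunk.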