author | Nick Bofferding <bofferdn@us.ibm.com> | 2016-07-27 23:50:49 -0500 |
---|---|---|
committer | William G. Hoffa <wghoffa@us.ibm.com> | 2017-05-15 08:43:29 -0400 |
commit | 5d6ef02f7aaae15ec2cccaae05ddc160beca6972 (patch) | |
tree | 9b132d0ff7ec13aae536a98c69911669992c10c3 /src/build | |
parent | e95660b04860c56cd8a04c93021300cc7feaccb0 (diff) | |
Port fake secureboot header script from p8
- Created new genfakeheader script to generate fake secureboot headers
- Added script to the hb distribute flow
Change-Id: I08f3e21073de31b64b6973211fd7d52c4687f426
RTC: 174017
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/40418
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
Diffstat (limited to 'src/build')
-rwxr-xr-x | src/build/buildpnor/genfakeheader.pl | 223 | ||||
-rw-r--r-- | src/build/mkrules/dist.targets.mk | 2 | ||||
-rwxr-xr-x | src/build/mkrules/hbfw/img/makefile | 1 |
3 files changed, 226 insertions, 0 deletions
diff --git a/src/build/buildpnor/genfakeheader.pl b/src/build/buildpnor/genfakeheader.pl
new file mode 100755
index 000000000..164f30a93
--- /dev/null
+++ b/src/build/buildpnor/genfakeheader.pl
@@ -0,0 +1,223 @@
+#!/usr/bin/perl
+# IBM_PROLOG_BEGIN_TAG
+# This is an automatically generated prolog.
+#
+# $Source: src/build/buildpnor/genfakeheader.pl $
+#
+# OpenPOWER HostBoot Project
+#
+# Contributors Listed Below - COPYRIGHT 2016
+# [+] International Business Machines Corp.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# permissions and limitations under the License.
+#
+# IBM_PROLOG_END_TAG
+
+use strict;
+use Getopt::Long;
+use Pod::Usage;
+use 5.010;
+use constant HEADER_SIZE => 4096;
+
+my $outputFile = "";
+my $payloadTextHash = "";
+my $payloadTextSize=0;
+my $payloadDataSize=0;
+my $help=0;
+my $man=0;
+
+GetOptions(
+ "output-file=s" => \$outputFile,
+ "payload-text-hash=s" => \$payloadTextHash,
+ "payload-text-size=s" => \$payloadTextSize,
+ "payload-data-size=s" => \$payloadDataSize,
+ "help" => \$help,
+ "man" => \$man) || pod2usage(-verbose=>0);
+
+pod2usage(-verbose => 1) if $help;
+pod2usage(-verbose => 2) if $man;
+
+if( (length($payloadTextHash) != 128)
+ || ($payloadTextHash =~ /[^a-fA-F0-9]/ ))
+{
+ print STDERR "\nERROR: --payload-text-hash must "
+ . "be 64 ASCII hex bytes. Example: --payload-text-hash="
+ . "e41110deec6c3bd7914bf792a2e51b0c8eaebe8d30f9360324598"
+ . "1b32106a13beafb6cdddd36e48947d35723d166ac08f0be93d2c6"
+ . "8e2640b539952e6fe819c6\n\n";
+ pod2usage(-verbose=>1);
+}
+
+if($payloadTextSize == 0)
+{
+ print STDERR "\nERROR: --payload-text-size must be non-zero\n";
+ pod2usage(-verbose=>1);
+}
+
+if($outputFile eq "")
+{
+ print STDERR "\nERROR: --output-file must not be empty\n";
+ pod2usage(-verbose=>1);
+}
+
+sub pack8byte {
+ my($value) = @_;
+ return pack("NN" , (($value >> 32) & 0xFFFFFFFF),
+ ($value & 0xFFFFFFFF));
+}
+
+sub pack4byte {
+ my($value) = @_;
+ return pack("N",$value);
+}
+
+sub pack2byte {
+ my($value) = @_;
+ return pack("n",$value);
+}
+
+sub pack1byte {
+ my($value) = @_;
+ return pack("C",$value);
+}
+
+sub createFakeHeader {
+
+ my ($containerSize,$hrmor,
+ $stack,$textSize,$textHash) = @_;
+
+ # Array of [ field size (bytes), field value ] pairs
+ my @sizeValAoA = (
+ [4,0x17082011], # Magic number
+ [2,1], # Container version
+ [8,$containerSize], # Container size
+ [8,$hrmor], # HRMOR
+ [8,$stack], # Stack address
+ [132*3,0], # 3xHW public keys
+ [2,1], # Header version
+ [1,1], # Hash algo
+ [1,1], # Sign algo
+ [8,0], # Unused
+ [8,0], # Reserved
+ [4,0], # Flags
+ [1,1], # SW key count
+ [8,132], # Size of SW key payload
+ [64,0], # Hash of SW key payload
+ [1,0], # ECID count
+ # ECID array (empty)
+ [132*3,0], # 3xHW signatures
+ [132,0], # SW key payload
+ [2,1], # SW header version
+ [1,1], # Hash algo version
+ [1,0], # Unused
+ [8,0], # Code start offset
+ [8,0], # Reserved
+ [4,0], # Flags
+ [1,0], # Reserved
+ [8,$textSize], # Size of protected payload
+ [64,$textHash], # Hash of protected payload
+ [1,0] # ECID count
+ # ECID array (empty)
+ # Padding to 4k boundary
+ );
+
+ my %types;
+ $types{1} = \&pack1byte;
+ $types{2} = \&pack2byte;
+ $types{4} = \&pack4byte;
+ $types{8} = \&pack8byte;
+
+ my $data;
+ foreach my $i (0 .. $#sizeValAoA)
+ {
+ my $size = $sizeValAoA[$i][0];
+ my $val = $sizeValAoA[$i][1];
+ if(exists $types{$size})
+ {
+ $data .= $types{$size}->($val);
+ }
+ elsif($val eq "0")
+ {
+ $data .= pack ("@".$size);
+ }
+ else
+ {
+ $data .= pack ("H*",$val);
+ }
+ }
+ my $len = length($data);
+ my $pads = HEADER_SIZE-$len;
+ $data .= pack ("@".$pads);
+ return $data;
+}
+
+open(OUTFILE, "> $outputFile")
+ or die "Can't open > $outputFile for writing: $!";
+
+my $containerSize= HEADER_SIZE
+ + $payloadTextSize + $payloadDataSize;
+my $data = createFakeHeader (
+ $containerSize,0,0,$payloadTextSize, $payloadTextHash ) ;
+
+print OUTFILE $data;
+
+close(OUTFILE)
+ or die "Can't close $outputFile: $!";
+
+__END__
+
+=head1 NAME
+
+genfakeheader.pl
+
+=head1 SYNOPSIS
+
+genfakeheader.pl
+ --output-file=HEADER_FILE
+ --payload-text-hash=TEXT_HASH
+ --payload-text-size=TEXT_SIZE
+ [--payload-data-size=DATA_SIZE]
+
+=head1 OPTIONS
+
+=over 8
+
+=item B<--help>
+
+Prints a brief help message and exits.
+
+=item B<--man>
+
+Prints the manual page and exits.
+
+=item B<--payload-text-hash>=HASH
+
+sha512 hash of the protected payload. Must be 64 ASCII hex bytes.
+
+=item B<--payload-text-size>=SIZE
+
+Size of protected payload, in bytes.
+
+=item B<--payload-data-size>=SIZE
+
+Size of the unprotected payload, in bytes.
+
+=back
+
+=head1 DESCRIPTION
+
+B<genfakeheader.pl> will generate a fake secureboot header
+in order to allow unsigned code to work when security is disabled.
+
+=cut
diff --git a/src/build/mkrules/dist.targets.mk b/src/build/mkrules/dist.targets.mk
index 2f047bcda..fac1b259c 100644
--- a/src/build/mkrules/dist.targets.mk
+++ b/src/build/mkrules/dist.targets.mk
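Review bot: In genfakeheader.pl the output file is opened with the two-argument form and a bareword handle, `open(OUTFILE, "> $outputFile")`, so the mode and the `--output-file` value are parsed as one string and a path with leading or trailing whitespace or mode characters is not opened literally. The three-argument form with a lexical handle avoids that, and since the header is binary a `binmode` belongs with it: `open(my $out, '>', $outputFile) or die "Can't open $outputFile for writing: $!";` followed by `binmode($out);`. The two size options are declared `=s` and only `--payload-text-size` is compared with `== 0`, so a value such as `12abc` is silently taken as 12 (the script has `use strict` but no `use warnings`) and an unchecked `--payload-data-size` flows straight into the container size field; an anchored check such as `die "size must be a decimal integer\n" unless $payloadTextSize =~ /\A[0-9]+\z/;` applied to both options would close that. The error text and the POD also describe the hash as "64 ASCII hex bytes" while the check requires 128 hex characters, so rewording to "128 hex characters (64 bytes)" would match what is enforced.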
@@ -76,6 +76,7 @@ COPY_FILES = \ src/build/hwpf/prcd_compile.tcl:tools \ src/build/buildpnor/buildSbePart.pl:openpower \ src/build/buildpnor/buildpnor.pl:openpower \ + src/build/buildpnor/genfakeheader.pl:openpower \ src/build/buildpnor/genPnorImages.pl:openpower \ src/build/buildpnor/PnorUtils.pm:openpower \ src/build/buildpnor/imprintHwKeyHash:openpower \ @@ -227,6 +228,7 @@ fsp.tar_CONTENTS = \ src/build/mkrules/hbfw/fsp/makefile \ src/build/buildpnor/buildSbePart.pl \ src/build/buildpnor/buildpnor.pl \ + src/build/buildpnor/genfakeheader.pl \ src/build/buildpnor/genPnorImages.pl \ src/build/buildpnor/PnorUtils.pm \ src/build/buildpnor/imprintHwKeyHash \ diff --git a/src/build/mkrules/hbfw/img/makefile b/src/build/mkrules/hbfw/img/makefile index e6bfdba07..3835265ba 100755 --- a/src/build/mkrules/hbfw/img/makefile +++ b/src/build/mkrules/hbfw/img/makefile @@ -215,6 +215,7 @@ clobber_build_sbe_partitions: # --fpartCmd "${FPARTCMD}" --fcpCmd "${FCPCMD}" ################################################## PNOR_BUILD_SCRIPT = ${buildpnor.pl:P} +GEN_FAKE_HEADER_SCRIPT = ${genfakeheader.pl:P} #early hostboot use of this makefile will be against FSP drivers lacking fips_pnor.mk #so need to use tryinclude for now. |