authorJaymes Wilks <mjwilks@us.ibm.com>2016-10-17 12:15:40 -0500
committerDaniel M. Crowell <dcrowell@us.ibm.com>2016-11-14 17:17:33 -0500
commit16263a641c48773091dd60b55e28ad77ca5a8574 (patch)
tree97120f76deb4132a1a1b7ceba8701318c5663a68 /src/include/usr/secureboot/service.H
parenta904e156364a8f0fd5f6bc2b7094f79cf77da1b2 (diff)
Secure PNOR Resource Provider port from p8
Adds a Secure PNOR Resource Provider (SPNORRP) layer on top of the original PNORRP to handle verification of secured PNOR sections. Change-Id: Iff25abf599f3c850197c6e6d23ff03e5edf945bb RTC:163078 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/31588 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/include/usr/secureboot/service.H')
-rw-r--r--src/include/usr/secureboot/service.H31
1 files changed, 28 insertions, 3 deletions
diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H
index 1cc518007..577b27284 100644
--- a/src/include/usr/secureboot/service.H
+++ b/src/include/usr/secureboot/service.H
@@ -33,8 +33,22 @@ typedef uint8_t SHA512_t[64];
typedef uint8_t __attribute__((aligned(8))) sha2_hash_t[ \
SHA512_DIGEST_LENGTH / sizeof(uint8_t) ];
+// TODO securebootp9 added for spnorrp.C - service.H needs many more updates
+// in order to match the p8 version
+const size_t HASH_PAGE_TABLE_ENTRY_SIZE = 32;
+typedef uint8_t PAGE_TABLE_ENTRY_t[HASH_PAGE_TABLE_ENTRY_SIZE];
+
+
namespace SECUREBOOT
{
+ // TODO securebootp9 - the two constants below were taken from master-p8
+ // branch (version 2257b1) of service.H underneath secureboot.
+ // The p9 version of service.H needs many more updates in order to match
+ // the p8 version.
+ const uint64_t PROC_SECURITY_SWITCH_REGISTER = 0x00010005ull;
+ const uint64_t
+ PROC_SECURITY_SWITCH_TRUSTED_BOOT_MASK = 0x8000000000000000ull;
+
/** @brief Perform initialization of Secureboot for the Base image.
*
* - Copy secure header from original location.
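Review bot: `HASH_PAGE_TABLE_ENTRY_SIZE` and `PAGE_TABLE_ENTRY_t` are declared at global scope, above `namespace SECUREBOOT`, while the two register constants added in the same hunk sit inside it; moving them into the namespace would keep the header's names in one place. The TODO also does not say how a 32-byte table entry relates to the 64-byte `SHA512_t` declared just above. If an entry holds a truncated digest (not visible from this hunk), code comparing a computed hash against an entry has to compare exactly `HASH_PAGE_TABLE_ENTRY_SIZE` bytes, and a comment such as `// Page table entry: first 32 bytes of the page's SHA-512 digest` would make that explicit. The doc comment that closes the hunk continues outside it.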
@@ -60,11 +74,13 @@ namespace SECUREBOOT
* @brief Verify Signed Container
*
* @param[in] i_container Void pointer to effective address of container
- * @param[in] i_size Size of container in bytes
+ * @param[in] i_hwKeyHash Custom hw keys' hash to test against
+ * [default = nullptr, use current hw hash key]
*
* @return errlHndl_t NULL on success
*/
- errlHndl_t verifyContainer(void * i_container, size_t i_size);
+ errlHndl_t verifyContainer(void * i_container,
+ const sha2_hash_t* i_hwKeyHash = nullptr);
/**
* @brief Hash Signed Blob
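Review bot: The new `i_hwKeyHash` parameter of `verifyContainer` lets a caller choose the hash the container's hardware keys are tested against, and the doc comment does not say when a non-null value is acceptable. Because that argument stands in for the current hardware key hash as the trust anchor for the call, the comment should constrain its origin, e.g. ` * Must come from an already verified source, never from the container being verified`. The change also drops `i_size`, so the `@param[in] i_container` line should state how reads of the container are bounded; if the lengths now come only from the container's own header, they are unverified input at the time they are used, though the implementation is not in this hunk.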
@@ -75,7 +91,7 @@ namespace SECUREBOOT
*
* @return errlHndl_t NULL on success
*/
- errlHndl_t hashBlob(void * i_blob, size_t i_size, SHA512_t o_buf);
+ errlHndl_t hashBlob(const void * i_blob, size_t i_size, SHA512_t o_buf);
/**
* @brief Retrieve the internal hardware hash key from secure ROM
@@ -84,6 +100,15 @@ namespace SECUREBOOT
* hash to.
*/
void getHwHashKeys(sha2_hash_t o_hash);
+
+ /**
+ * @brief Common secureboot handler for secureboot failures.
+ * Properly handles callouts etc.
+ *
+ * @return i_err - Error log to cascade through failure path.
+ */
+ void handleSecurebootFailure(errlHndl_t &i_err);
+
}
#endif
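Review bot: The doc block for `handleSecurebootFailure` lists `i_err` under `@return`, although the function returns `void` and takes the error log by non-const reference; it should read ` * @param[in/out] i_err Error log to cascade through failure path.` The comment also leaves open whether the call returns to its caller and who owns the log afterwards. That matters on a verification-failure path, because a caller that regains control must not go on to use the unverified section. One sentence stating the behaviour (for example whether the log is committed and the handle set to NULL) would remove the guess.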