diff options
| author | Mike Baiocchi <baiocchi@us.ibm.com> | 2013-06-11 14:30:01 -0500 |
|---|---|---|
| committer | A. Patrick Williams III <iawillia@us.ibm.com> | 2013-07-08 10:38:26 -0500 |
| commit | 32526fcbef7d67fbb3d6ab23fc60181b834ed21d (patch) | |
| tree | 72b5305fae334b9579e9f1a7d899fe8752bb9e1c /src/include/usr/secureboot | |
| parent | e60a4810ddce203fd6a2cb5c3a3f1483fa18d6c4 (diff) | |
| download | talos-hostboot-32526fcbef7d67fbb3d6ab23fc60181b834ed21d.tar.gz talos-hostboot-32526fcbef7d67fbb3d6ab23fc60181b834ed21d.zip | |
Base Support for Secure ROM verification
This change adds the basic structure needed to call and
implement a verifcation of a signed container via the
loaded/initliaized Secure ROM device.
Change-Id: Ieada4eb0b557fc556cd12647a698bbfa16aba278
RTC:64764
Reviewed-on: http://gfw160.austin.ibm.com:8080/gerrit/4958
Tested-by: Jenkins Server
Reviewed-by: A. Patrick Williams III <iawillia@us.ibm.com>
Diffstat (limited to 'src/include/usr/secureboot')
| -rw-r--r-- | src/include/usr/secureboot/secure_reasoncodes.H | 10 | ||||
| -rw-r--r-- | src/include/usr/secureboot/service.H | 35 |
2 files changed, 44 insertions, 1 deletions
diff --git a/src/include/usr/secureboot/secure_reasoncodes.H b/src/include/usr/secureboot/secure_reasoncodes.H index eac9dfda9..38d5b7079 100644 --- a/src/include/usr/secureboot/secure_reasoncodes.H +++ b/src/include/usr/secureboot/secure_reasoncodes.H @@ -31,12 +31,20 @@ namespace SECUREBOOT { MOD_SECURE_INVALID = 0x00, MOD_SECURE_BLINDPURGE = 0x01, - }; + MOD_SECURE_ROM_INIT = 0x02, + MOD_SECURE_ROM_VERIFY = 0x03, + MOD_SECURE_ROM_CLEANUP = 0x04, + }; enum SECUREReasonCode { RC_PURGEOP_PENDING = SECURE_COMP_ID | 0x01, RC_PURGEOP_FAIL_COMPLETE = SECURE_COMP_ID | 0x02, + RC_DEV_MAP_FAIL = SECURE_COMP_ID | 0x03, + RC_PAGE_ALLOC_FAIL = SECURE_COMP_ID | 0x04, + RC_SET_PERMISSION_FAIL_EXE = SECURE_COMP_ID | 0x05, + RC_SET_PERMISSION_FAIL_WRITE = SECURE_COMP_ID | 0x06, + RC_ROM_VERIFY = SECURE_COMP_ID | 0x07, }; } diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H index a83d5d510..b640fd978 100644 --- a/src/include/usr/secureboot/service.H +++ b/src/include/usr/secureboot/service.H @@ -23,6 +23,10 @@ #ifndef __SECUREBOOT_SERVICE_H #define __SECUREBOOT_SERVICE_H +#include <errl/errlentry.H> + +typedef uint8_t SHA512_t[64]; + namespace SECUREBOOT { /** @brief Perform initialization of Secureboot for the Base image. @@ -33,9 +37,40 @@ namespace SECUREBOOT */ void* initializeBase(void* unused); + /** + * @brief Initialize Secure Rom by loading it into memory and + * retrieving Hash Keys + * + * @return errlHndl_t NULL on success + */ + errlHndl_t initializeSecureROM(void); + + /** @brief Determines if Secureboot is enabled. */ bool enabled(); + + /** + * @brief Verify Signed Container + * + * @param[in] i_container Void pointer to effective address of container + * @param[in] i_size Size of container in bytes + * + * @return errlHndl_t NULL on success + */ + errlHndl_t verifyContainer(void * i_container, size_t i_size); + + /** + * @brief Hash Signed Blob + * + * @param[in] i_blob Void pointer to effective address of blob + * @param[in] i_size Size of blob in bytes + * @param[out] o_hash SHA512 hash + * + * @return errlHndl_t NULL on success + */ + errlHndl_t hashBlob(void * i_blob, size_t i_size, SHA512_t o_buf); + } #endif |
