| author | Stephen Cprek <smcprek@us.ibm.com> | 2017-10-31 13:01:30 -0500 |
|---|---|---|
| committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-11-19 15:54:51 -0500 |
| commit | 81279c1d146d8ee920494c7817cdd72f165dd373 (patch) | |
| tree | d616d0914823c8c25592e8276e0610ba1c9d2a28 /src/include/usr/secureboot | |
| parent | 63a026113332464fc3bcc73369ba35bfe8f62b6f (diff) | |
Secure Boot: Fix lid load from HB reserved memory issues at runtime
- Force all PNOR sections we load from HB reserved memory to be secure
Only exception is the RINGOVD section, in which we use a fake header
- Add fake header when Secureboot compiled out or a section is never
signed as there is no secure header preserved in virtual memory
RTC: 171708
RTC: 180063
Change-Id: Ibbbd7be24ee7b199e73451c63b2c2d1f86a2c2d8
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49020
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/include/usr/secureboot')
| -rw-r--r-- | src/include/usr/secureboot/containerheader.H | 50 |
1 files changed, 45 insertions, 5 deletions
diff --git a/src/include/usr/secureboot/containerheader.H b/src/include/usr/secureboot/containerheader.H index 255566c9d..f7e924d9b 100644 --- a/src/include/usr/secureboot/containerheader.H +++ b/src/include/usr/secureboot/containerheader.H @@ -28,6 +28,8 @@ #include <errl/errlentry.H> #include <secureboot/service.H> #include <securerom/ROM.H> +#include <limits.h> +#include <array> // Forward Declaration class SecureRomManagerTest; @@ -54,18 +56,37 @@ class ContainerHeader ContainerHeader(const void* i_header): iv_isValid(false),iv_hdrBytesRead(0) { - assert(i_header != NULL); + assert(i_header != nullptr); iv_pHdrStart = reinterpret_cast<const uint8_t*>(i_header); - memset(&iv_headerInfo, 0x00, sizeof(iv_headerInfo)); - memset(iv_hwKeyHash, 0, sizeof(SHA512_t)); - memset(iv_componentId,0x00,sizeof(iv_componentId)); + initVars(); parse_header(i_header); }; /** + * @brief ContainerHeader + * + * This constructor generates a fake header with minimal information + * + * @param[in] i_totalSize Total Container Size + * @param[in] i_compId Component ID + */ + ContainerHeader(const size_t i_totalSize, + const char* i_compId): + iv_isValid(false),iv_hdrBytesRead(0),iv_fakeHeader{} + { + initVars(); + genFakeHeader(i_totalSize, i_compId); + }; + + /** + * @brief Initialize internal variables + */ + void initVars(); + + /** * @brief Destructor */ - ~ContainerHeader(){}; + ~ContainerHeader(){} /** * @brief Retrieves total container size (includes header, payload text, @@ -158,6 +179,13 @@ class ContainerHeader */ const char* componentId() const; + /** + * @brief Returns the container's fake header + * + * @return const uint8_t* fake header + */ + const uint8_t* fakeHeader() const; + private: /** * @brief Default Constructor in private to prevent being instantiated 
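Review bot: The new fake-header constructor in the `@@ -54,18 +56,37 @@` hunk hands `i_compId` to `genFakeHeader()` without the null check its sibling applies to `i_header`; adding `assert(i_compId != nullptr);` before `initVars();` would keep the two constructors consistent. Only this constructor value-initializes `iv_fakeHeader{}`, while the initializer list of `ContainerHeader(const void*)` leaves the array out, so unless `initVars()` (defined outside this diff) clears it, `fakeHeader()` on a parsed header would expose indeterminate bytes. The doc comment could also say that a header built this way was generated locally rather than parsed from a signed container, so callers do not treat it as equivalent to a verified secure header.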
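Review bot: `fakeHeader()` in the `@@ -158,6 +179,13 @@` hunk returns a bare `const uint8_t*`, and its comment states neither the buffer length nor what the pointer refers to when the object was built from a real header. Going by the member declared in the last hunk of this commit, the buffer is `PAGE_SIZE` bytes, so the doc could read `@return const uint8_t* start of the PAGE_SIZE-byte fake header buffer` with a sentence noting that the contents appear to be meaningful only for objects built with the `(i_totalSize, i_compId)` constructor. Without that, a caller has to guess how many bytes are safe to read or copy.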
@@ -259,6 +287,18 @@ class ContainerHeader void safeMemCpyAndInc(void* i_dest, const uint8_t* &io_hdr, const size_t i_size); + // Pointer to fake header generated + std::array<uint8_t,PAGE_SIZE> iv_fakeHeader; + + /** + * @brief Generate fake header with limited information + * + * @param[in] i_totalSize Total container size + * @param[in] i_compId Component ID + */ + void genFakeHeader(const size_t i_totalSize, + const char* const i_compId); + friend class ::SecureRomManagerTest; }; |
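Review bot: The comment `// Pointer to fake header generated` does not match the declaration, since `iv_fakeHeader` is a `std::array<uint8_t,PAGE_SIZE>` held by value rather than a pointer; `// Storage for the generated fake header (PAGE_SIZE bytes)` would be accurate. Because the array is a direct member, every `ContainerHeader`, including those parsed from a real header, grows by `PAGE_SIZE` bytes, which is worth checking against call sites that construct the object on the stack. `genFakeHeader()` declares `const char* const i_compId` while the constructor that calls it takes `const char* i_compId`; the two could be spelled the same way.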

