diff options
author | Mike Baiocchi <mbaiocch@us.ibm.com> | 2017-06-06 10:47:33 -0500 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-06-11 12:10:13 -0400 |
commit | b7400ba903b8cbf288126872599474833b452319 (patch) | |
tree | fcd7a57c27c4cac082b8ada055afb4c63635afd8 /src/include | |
parent | c79f8d9cf862147f53b3976e7947683111ed202c (diff) | |
download | talos-hostboot-b7400ba903b8cbf288126872599474833b452319.tar.gz talos-hostboot-b7400ba903b8cbf288126872599474833b452319.zip |
Verify the correct HW Key Hash is used in Customized SBE Image
This commit keeps track of what HW Key Hash is added to HBBL before
customizing the SBE Image and then checks that this HW Key Hash is found
in the customized SBE Image. It did this by updating getHwKeyHashFromSbeImage()
to possibly read the HW Key Hash from system memory along with its default
behavior of reading it from a SBE Seeprom.
Change-Id: I0139fb959102de74b12874f30e7d2ec0bf918e3f
RTC:175330
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/41453
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Martin Gloff <mgloff@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/usr/sbe/sbeif.H | 21 | ||||
-rw-r--r-- | src/include/usr/sbe/sbereasoncodes.H | 2 | ||||
-rw-r--r-- | src/include/usr/secureboot/service.H | 9 |
3 files changed, 26 insertions, 6 deletions
diff --git a/src/include/usr/sbe/sbeif.H b/src/include/usr/sbe/sbeif.H index bdb09a493..1f59c9047 100644 --- a/src/include/usr/sbe/sbeif.H +++ b/src/include/usr/sbe/sbeif.H @@ -103,22 +103,35 @@ namespace SBE /** * @brief Retrieves the HW Key Hash from the Bootloader (HBBL) Section - * of the SBE Image located on a SBE Seeprom + * of the SBE Image. By default, the image is read from a SBE + * SEEPROM (where ECC is removed), but it also can be read from + * a SBE Image in System Memory * * @param[in] i_target Target Processor of the SBE SEEPPROM. * Assert if nullptr. + * NOTE: Ignored if i_image_ptr specifies an image + * (ie, != nullptr). * * @param[in] i_seeprom Specific SEEPROM on the processor to read the * HW Key Hash from. * Assert if neither SBE_PRIMARY nor SBE_BACKUP. + * NOTE: Ignored if i_image_ptr specifies an image + * (ie, != nullptr). * * @param[out] o_hash HW Key Hash returned from the Processor SEEPROM * + * @param[in] i_image_ptr Defaults to nullptr. + * If nullptr, then read SBE Image from i_target + * and i_seeprom. + * If not nullptr, read SBE Image from system + * memory pointed to by this parameter. + * * @return errlHndl_t Error log handle on failure; otherwise nullptr */ - errlHndl_t getHwKeyHashFromSbeSeeprom(TARGETING::Target* i_target, - EEPROM::eeprom_chip_types_t i_seeprom, - SHA512_t o_hash); + errlHndl_t getHwKeyHashFromSbeImage(TARGETING::Target* i_target, + EEPROM::eeprom_chip_types_t i_seeprom, + SHA512_t o_hash, + const void * i_image_ptr = nullptr); } //end namespace SBE diff --git a/src/include/usr/sbe/sbereasoncodes.H b/src/include/usr/sbe/sbereasoncodes.H index 380a65aeb..335de7f71 100644 --- a/src/include/usr/sbe/sbereasoncodes.H +++ b/src/include/usr/sbe/sbereasoncodes.H @@ -103,7 +103,7 @@ enum sbeReasonCode ERROR_FROM_XIP_DELETE = SBE_COMP_ID | 0x18, ERROR_FROM_XIP_FIND = SBE_COMP_ID | 0x19, - + SBE_MISMATCHED_HW_KEY_HASH = SBE_COMP_ID | 0x1A, }; }; // end SBE diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H index 94fa09ec5..f72809e8b 100644 --- a/src/include/usr/secureboot/service.H +++ b/src/include/usr/secureboot/service.H @@ -40,7 +40,14 @@ typedef uint8_t SHA512_t[SHA512_DIGEST_LENGTH]; */ inline uint32_t sha512_to_u32(SHA512_t i_hash) { - return *(reinterpret_cast<uint32_t*>(reinterpret_cast<char*>(i_hash))); + if (i_hash == nullptr) + { + return 0; + } + else + { + return *(reinterpret_cast<uint32_t*>(reinterpret_cast<char*>(i_hash))); + } }; typedef std::vector< std::pair<void*,size_t> > blobPair_t; |