diff options
| author | Nick Bofferding <bofferdn@us.ibm.com> | 2017-01-25 13:10:08 -0600 |
|---|---|---|
| committer | William G. Hoffa <wghoffa@us.ibm.com> | 2017-02-02 15:06:55 -0500 |
| commit | a42bbccdd949bc4b78e856087019c73a126420d4 (patch) | |
| tree | 5fdc402c77c9578d3ddbcd4095cfe887f0f44cf6 /src/include | |
| parent | 31591a027b6d76be0cd081d3bcce2e746fdc7623 (diff) | |
| download | talos-hostboot-a42bbccdd949bc4b78e856087019c73a126420d4.tar.gz talos-hostboot-a42bbccdd949bc4b78e856087019c73a126420d4.zip | |
Support extending sections to PCRs
- Ported p8 secureboot PCR extension code
Change-Id: I2bbf6ee6b2980c2fbe32dfb9cad25e9e2aba3285
RTC: 167581
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/35632
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/runtime/interface.h | 12 | ||||
| -rw-r--r-- | src/include/usr/secureboot/header.H | 11 | ||||
| -rw-r--r-- | src/include/usr/secureboot/service.H | 24 |
3 files changed, 33 insertions, 14 deletions
diff --git a/src/include/runtime/interface.h b/src/include/runtime/interface.h index 6681e49ca..f5eb2cba1 100644 --- a/src/include/runtime/interface.h +++ b/src/include/runtime/interface.h @@ -5,7 +5,7 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* Contributors Listed Below - COPYRIGHT 2013,2016 */ +/* Contributors Listed Below - COPYRIGHT 2013,2017 */ /* [+] International Business Machines Corp. */ /* */ /* */ @@ -655,10 +655,10 @@ typedef struct runtimeInterfaces * Must not be NULL. Container is assumed to be stripped of any ECC * and must start with a valid secure header (which contains the * container size information) - * @param[in] i_pHwHashKey Pointer to a valid hardware hash key. + * @param[in] i_pHwKeyHash Pointer to a valid hardware keys' hash. * Must not be NULL. - * @param[in] i_hwHashKeySize Size of the hardware hash key. - * A value which incorrectly states the size of the hardware hash key + * @param[in] i_hwKeyHashSize Size of the hardware keys' hash. + * A value which incorrectly states the size of the hardware keys' hash * will be detected as a verification error or worse, an illegal memory * access. Must not be 0. * @note If secureboot is compiled out, the function pointer will be set to @@ -672,8 +672,8 @@ typedef struct runtimeInterfaces */ int (*verify_container)( const void* i_pContainer, - const void* i_pHwHashKey, - size_t i_hwHashKeySize); + const void* i_pHwKeyHash, + size_t i_hwKeyHashSize); // Reserve some space for future growth. // do NOT ever change this number, even if you add functions. diff --git a/src/include/usr/secureboot/header.H b/src/include/usr/secureboot/header.H index f7a5121c6..4ad1f0e7e 100644 --- a/src/include/usr/secureboot/header.H +++ b/src/include/usr/secureboot/header.H @@ -5,7 +5,7 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* Contributors Listed Below - COPYRIGHT 2013,2016 */ +/* Contributors Listed Below - COPYRIGHT 2013,2017 */ /* [+] International Business Machines Corp. */ /* */ /* */ @@ -59,10 +59,8 @@ namespace SECUREBOOT iv_data=NULL; } - // TODO securebootp9 This is from p9 code. See the corresponding - // comment in header.C for more info. - /** @brief Extract header from original HRMOR - 1 page address. */ - void loadBaseHeader(); + // @TODO RTC 168021 Converge to single method of reading + // secure header /** * @brief Extracts base image (HBB) header (ECC removed) from @@ -73,6 +71,9 @@ namespace SECUREBOOT */ void loadSecurely(); + // @TODO RTC 168021 Converge to single method of reading + // secure header + /** * @brief Caches non-secure PNOR copy of the base image (HBB) * header (ECC removed) to support extending HBB measurements diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H index 99772b429..afb3ed934 100644 --- a/src/include/usr/secureboot/service.H +++ b/src/include/usr/secureboot/service.H @@ -28,9 +28,13 @@ #include <errl/errlentry.H> #include <config.h> #include <secureboot/settings.H> +#include <utility> #include <cstdint> typedef uint8_t SHA512_t[64]; + +typedef std::vector< std::pair<void*,size_t> > blobPair_t; + /* From sha512.h: */ #define SHA512_DIGEST_LENGTH 64 typedef uint8_t __attribute__((aligned(8))) sha2_hash_t[ \ @@ -160,12 +164,26 @@ namespace SECUREBOOT errlHndl_t hashBlob(const void * i_blob, size_t i_size, SHA512_t o_buf); /** - * @brief Retrieve the internal hardware hash key from secure ROM - * object. + * @brief Retrieve the internal hardware keys' hash used to validate + * containers * @param[out] o_hash Reference to the sha2_hash_t array to copy the * hash to. */ - void getHwHashKeys(sha2_hash_t o_hash); + void getHwKeyHash(sha2_hash_t o_hash); + + /* + * @brief Hash the concatenation of N Blobs + * + * Asserts if any blob pointer is NULL + * + * @param[in] i_blobs Vector of pairs composed of a void + * pointer to effective address and size + * of the blob to concatenate + * @param[out] o_buf SHA512 hash + * + * @return errlHndl_t NULL on success + */ + errlHndl_t hashConcatBlobs(const blobPair_t &i_blobs, SHA512_t o_buf); /** * @brief Common secureboot handler for secureboot failures. |
