Secure Boot: Enforce PNOR section component IDs

- In secure mode, bootloader will enforce that HBB component ID is set - In secure mode, Hostboot will enforce that PNOR component IDs are set Change-Id: I04f3bbc45417b3229003c56e1083e1fc31c01cd7 RTC: 179422 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/48711 Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
author: Nick Bofferding <bofferdn@us.ibm.com> 2017-10-20 21:13:34 -0500
committer: William G. Hoffa <wghoffa@us.ibm.com> 2017-11-03 09:45:20 -0400
commit: 07d75753d59419ea6ba9ee3bd930e0aa8e7e7fd5 (patch)
tree: 78633da60312ff8cfd54807f787219036e976621 /src/include
parent: 47f275a6bd3b2104a82d9786122afd6fe25f05de (diff)
download: talos-hostboot-07d75753d59419ea6ba9ee3bd930e0aa8e7e7fd5.tar.gz
talos-hostboot-07d75753d59419ea6ba9ee3bd930e0aa8e7e7fd5.zip
7 files changed, 95 insertions, 7 deletions
diff --git a/src/include/bootloader/bootloader_trace.H b/src/include/bootloader/bootloader_trace.H
index 129b9a303..3b3fa262a 100644
--- a/src/include/bootloader/bootloader_trace.H
+++ b/src/include/bootloader/bootloader_trace.H
@@ -77,6 +77,12 @@ enum BootloaderTraces
     /** Bootloader main verifyContainer skip verification - SAB unset */
     BTLDR_TRC_MAIN_VERIFY_SAB_UNSET          = 0x19,
 
+    /** Bootloader main verifyComponent succeeded */
+    BTLDR_TRC_COMP_ID_VERIFY_SUCCESS         = 0x1A,
+
+    /** Bootloader main verifyComponent failed */
+    BTLDR_TRC_COMP_ID_VERIFY_FAILED          = 0x1B,
+
     /** Bootloader handleMMIO started */
     BTLDR_TRC_HANDLEMMIO_START               = 0x20,
 
diff --git a/src/include/bootloader/hbblreasoncodes.H b/src/include/bootloader/hbblreasoncodes.H
index 392b7e4b3..1a4dbc98f 100644
--- a/src/include/bootloader/hbblreasoncodes.H
+++ b/src/include/bootloader/hbblreasoncodes.H
@@ -49,6 +49,7 @@ namespace Bootloader
         MOD_PNORACC_GETHBBSECT           = 0x04, /**< bl_pnorAccess.C : get HBB sect */
         MOD_BOOTLOADER_VERIFY            = 0x05, /**< bootloader.C : verifyContainer */
         MOD_BOOTLOADER_ASSERT            = 0x06, /**< bootloader.H assert */
+        MOD_BOOTLOADER_VERIFY_COMP_ID    = 0x07, /**< bootloader.C : verifyComponent */
     };
 
 /**
diff --git a/src/include/string.h b/src/include/string.h
index 589507c06..ca1a0ba4c 100755..100644
--- a/src/include/string.h
+++ b/src/include/string.h
@@ -5,7 +5,7 @@
 /*                                                                        */
 /* OpenPOWER HostBoot Project                                             */
 /*                                                                        */
-/* Contributors Listed Below - COPYRIGHT 2010,2014                        */
+/* Contributors Listed Below - COPYRIGHT 2010,2017                        */
 /* [+] International Business Machines Corp.                              */
 /*                                                                        */
 /*                                                                        */
@@ -42,6 +42,7 @@ extern "C"
     char* strcpy(char* d, const char* s);
     char* strncpy(char* d, const char* s, size_t l);
     int strcmp(const char* s1, const char* s2) __attribute__((pure));
+    int strncmp(const char* s1, const char* s2, size_t l) __attribute__((pure));
     size_t strlen(const char* s1) __attribute__((pure));
     size_t strnlen(const char* s1, size_t n) __attribute__((pure));
 
diff --git a/src/include/usr/errl/errlreasoncodes.H b/src/include/usr/errl/errlreasoncodes.H
index 1e7f2ea77..f9d03c246 100644
--- a/src/include/usr/errl/errlreasoncodes.H
+++ b/src/include/usr/errl/errlreasoncodes.H
@@ -62,7 +62,7 @@ namespace ERRORLOG
         ERRL_LAST_ERR             = ERRL_COMP_ID | 0xFF
     };
 
-    // Identifiers for ERRL user data sections.
+    // Identifiers for ERRL user data subsections.
     enum errlUserDetailDataSubsection
     {
         ERRL_UDT_NOFORMAT         = 0x00,
@@ -74,6 +74,13 @@ namespace ERRORLOG
         ERRL_UDT_CALLOUT          = 0x06,
         ERRL_UDT_PRINTK           = 0x07,
         ERRL_UDT_SENSOR           = 0x08,
+        ERRL_UDT_STRING_SET       = 0x09,
+    };
+
+    // Identifiers for ERRL user data subsection versions
+    enum errlUserDetailDataSubsectionVersion
+    {
+        ERRL_UDT_STRING_SET_VER_1 = 0x01,
     };
 };
 
diff --git a/src/include/usr/errl/errludstring.H b/src/include/usr/errl/errludstring.H
index f8e4cd3d7..c3d8ecdee 100644
--- a/src/include/usr/errl/errludstring.H
+++ b/src/include/usr/errl/errludstring.H
@@ -5,7 +5,9 @@
 /*                                                                        */
 /* OpenPOWER HostBoot Project                                             */
 /*                                                                        */
-/* COPYRIGHT International Business Machines Corp. 2012,2014              */
+/* Contributors Listed Below - COPYRIGHT 2012,2017                        */
+/* [+] International Business Machines Corp.                              */
+/*                                                                        */
 /*                                                                        */
 /* Licensed under the Apache License, Version 2.0 (the "License");        */
 /* you may not use this file except in compliance with the License.       */
@@ -57,10 +59,60 @@ public:
      */
     virtual ~ErrlUserDetailsString();
 
-private:
-    // Disabled
-    ErrlUserDetailsString(const ErrlUserDetailsString &);
-    ErrlUserDetailsString & operator=(const ErrlUserDetailsString &);
+  private:
+
+    // Disable compiler provided default functions
+    ErrlUserDetailsString(
+        const ErrlUserDetailsString &);
+    ErrlUserDetailsString & operator=(
+        const ErrlUserDetailsString &);
+    ErrlUserDetailsString (
+        ErrlUserDetailsString&&) = delete;
+    ErrlUserDetailsString& operator = (
+        ErrlUserDetailsString&&) = delete;
+};
+
+/**
+ * @class ErrlUserDetailsStringSet
+ *
+ * @brief Adds multiple, tagged FFDC strings to an error log as user details
+ *     data
+ */
+class ErrlUserDetailsStringSet : public ErrlUserDetails
+{
+
+  public:
+
+    /**
+     *  @brief Constructor; creates the object
+     */
+    ErrlUserDetailsStringSet();
+
+    /**
+     *  @brief Adds a new tagged string to the object's string cache
+     *
+     *  @param[in] i_pDescriptionString Description of the string to add.  Must
+     *      not be nullptr or function will substitute an error message.
+     *  @param[in] i_pString The string to add.  Must not be nullptr or function
+     *      will substitute an error message.
+     */
+    void add(const char* i_pDescriptionString,
+             const char* i_pString);
+
+    /**
+     *  @brief Destructor
+     */
+    virtual ~ErrlUserDetailsStringSet();
+
+    // Disable compiler provided default functions
+    ErrlUserDetailsStringSet(
+        const ErrlUserDetailsStringSet&) = delete;
+    ErrlUserDetailsStringSet& operator=(
+        const ErrlUserDetailsStringSet&) = delete;
+    ErrlUserDetailsStringSet (
+        ErrlUserDetailsStringSet&&) = delete;
+    ErrlUserDetailsStringSet& operator = (
+        ErrlUserDetailsStringSet&&) = delete;
 };
 
 }
diff --git a/src/include/usr/secureboot/secure_reasoncodes.H b/src/include/usr/secureboot/secure_reasoncodes.H
index 98fe38d3c..f633ef7b2 100644
--- a/src/include/usr/secureboot/secure_reasoncodes.H
+++ b/src/include/usr/secureboot/secure_reasoncodes.H
@@ -40,6 +40,7 @@ namespace SECUREBOOT
         MOD_SECURE_READ_REG             = 0x06,
         MOD_SECURE_WRITE_REG            = 0x07,
         MOD_SECURE_SETTINGS_INIT        = 0x08,
+        MOD_SECURE_VERIFY_COMPONENT     = 0x09,
    };
 
     enum SECUREReasonCode
diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H
index 4c4d43d3c..c4dc31334 100644
--- a/src/include/usr/secureboot/service.H
+++ b/src/include/usr/secureboot/service.H
@@ -58,6 +58,8 @@ typedef uint8_t PAGE_TABLE_ENTRY_t[HASH_PAGE_TABLE_ENTRY_SIZE];
 
 namespace SECUREBOOT
 {
+    class ContainerHeader;
+
     /** @brief Perform initialization of Secureboot for the Base image.
      *
      *  - Copy secure header from original location.
@@ -223,6 +225,24 @@ namespace SECUREBOOT
                                const SHA512_t* i_hwKeyHash = nullptr);
 
     /**
+     * @brief Verify component ID in a container header against a reference
+     *     component ID. Up to 8 ASCII characters, not including NULL, will be
+     *     compared (thus, it is critical that all components are unique with
+     *     respect to the first 8 bytes).
+     *
+     * @param[in] i_containerHeader Verified container's header
+     * @param[in] i_pComponentString Reference component ID string; must not be
+     *     nullptr or function will assert.
+     *
+     * @return errlHndl_t Error log handle
+     * @retval nullptr Component ID verification succeeded
+     * @retval !nullptr Error; component ID verification failed
+     */
+    errlHndl_t verifyComponent(
+        const ContainerHeader& i_containerHeader,
+        const char*            i_pComponentId);
+
+    /**
      * @brief Hash Signed Blob
      *
      * @param[in]  i_blob    Void pointer to effective address of blob
author	Nick Bofferding <bofferdn@us.ibm.com>	2017-10-20 21:13:34 -0500
committer	William G. Hoffa <wghoffa@us.ibm.com>	2017-11-03 09:45:20 -0400
commit	07d75753d59419ea6ba9ee3bd930e0aa8e7e7fd5 (patch)
tree	78633da60312ff8cfd54807f787219036e976621 /src/include
parent	47f275a6bd3b2104a82d9786122afd6fe25f05de (diff)
download	talos-hostboot-07d75753d59419ea6ba9ee3bd930e0aa8e7e7fd5.tar.gz talos-hostboot-07d75753d59419ea6ba9ee3bd930e0aa8e7e7fd5.zip