Verify the correct HW Key Hash is used in Customized SBE Image

This commit keeps track of what HW Key Hash is added to HBBL before customizing the SBE Image and then checks that this HW Key Hash is found in the customized SBE Image. It did this by updating getHwKeyHashFromSbeImage() to possibly read the HW Key Hash from system memory along with its default behavior of reading it from a SBE Seeprom. Change-Id: I0139fb959102de74b12874f30e7d2ec0bf918e3f RTC:175330 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/41453 Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Martin Gloff <mgloff@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
author: Mike Baiocchi <mbaiocch@us.ibm.com> 2017-06-06 10:47:33 -0500
committer: Daniel M. Crowell <dcrowell@us.ibm.com> 2017-06-11 12:10:13 -0400
commit: b7400ba903b8cbf288126872599474833b452319 (patch)
tree: fcd7a57c27c4cac082b8ada055afb4c63635afd8 /src/include
parent: c79f8d9cf862147f53b3976e7947683111ed202c (diff)
download: talos-hostboot-b7400ba903b8cbf288126872599474833b452319.tar.gz
talos-hostboot-b7400ba903b8cbf288126872599474833b452319.zip
3 files changed, 26 insertions, 6 deletions
diff --git a/src/include/usr/sbe/sbeif.H b/src/include/usr/sbe/sbeif.H
index bdb09a493..1f59c9047 100644
--- a/src/include/usr/sbe/sbeif.H
+++ b/src/include/usr/sbe/sbeif.H
@@ -103,22 +103,35 @@ namespace SBE
 
     /**
      * @brief Retrieves the HW Key Hash from the Bootloader (HBBL) Section
-     *        of the SBE Image located on a SBE Seeprom
+     *        of the SBE Image. By default, the image is read from a SBE
+     *        SEEPROM (where ECC is removed), but it also can be read from
+     *        a SBE Image in System Memory
      *
      * @param[in] i_target    Target Processor of the SBE SEEPPROM.
      *                        Assert if nullptr.
+     *                        NOTE: Ignored if i_image_ptr specifies an image
+     *                        (ie, != nullptr).
      *
      * @param[in] i_seeprom   Specific SEEPROM on the processor to read the
      *                        HW Key Hash from.
      *                        Assert if neither SBE_PRIMARY nor SBE_BACKUP.
+     *                        NOTE: Ignored if i_image_ptr specifies an image
+     *                        (ie, != nullptr).
      *
      * @param[out] o_hash     HW Key Hash returned from the Processor SEEPROM
      *
+     * @param[in] i_image_ptr  Defaults to nullptr.
+     *                         If nullptr, then read SBE Image from i_target
+     *                         and i_seeprom.
+     *                         If not nullptr, read SBE Image from system
+     *                         memory pointed to by this parameter.
+     *
      * @return errlHndl_t     Error log handle on failure; otherwise nullptr
      */
-    errlHndl_t getHwKeyHashFromSbeSeeprom(TARGETING::Target* i_target,
-                                          EEPROM::eeprom_chip_types_t i_seeprom,
-                                          SHA512_t o_hash);
+    errlHndl_t getHwKeyHashFromSbeImage(TARGETING::Target* i_target,
+                                        EEPROM::eeprom_chip_types_t i_seeprom,
+                                        SHA512_t o_hash,
+                                        const void * i_image_ptr = nullptr);
 
 } //end namespace SBE
 
diff --git a/src/include/usr/sbe/sbereasoncodes.H b/src/include/usr/sbe/sbereasoncodes.H
index 380a65aeb..335de7f71 100644
--- a/src/include/usr/sbe/sbereasoncodes.H
+++ b/src/include/usr/sbe/sbereasoncodes.H
@@ -103,7 +103,7 @@ enum sbeReasonCode
 
     ERROR_FROM_XIP_DELETE               = SBE_COMP_ID | 0x18,
     ERROR_FROM_XIP_FIND                 = SBE_COMP_ID | 0x19,
-
+    SBE_MISMATCHED_HW_KEY_HASH          = SBE_COMP_ID | 0x1A,
 };
 
 };  // end SBE
diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H
index 94fa09ec5..f72809e8b 100644
--- a/src/include/usr/secureboot/service.H
+++ b/src/include/usr/secureboot/service.H
@@ -40,7 +40,14 @@ typedef uint8_t SHA512_t[SHA512_DIGEST_LENGTH];
  */
 inline uint32_t sha512_to_u32(SHA512_t i_hash)
 {
-   return *(reinterpret_cast<uint32_t*>(reinterpret_cast<char*>(i_hash)));
+   if (i_hash == nullptr)
+   {
+       return 0;
+   }
+   else
+   {
+       return *(reinterpret_cast<uint32_t*>(reinterpret_cast<char*>(i_hash)));
+   }
 };
 
 typedef std::vector< std::pair<void*,size_t> > blobPair_t;
author	Mike Baiocchi <mbaiocch@us.ibm.com>	2017-06-06 10:47:33 -0500
committer	Daniel M. Crowell <dcrowell@us.ibm.com>	2017-06-11 12:10:13 -0400
commit	b7400ba903b8cbf288126872599474833b452319 (patch)
tree	fcd7a57c27c4cac082b8ada055afb4c63635afd8 /src/include
parent	c79f8d9cf862147f53b3976e7947683111ed202c (diff)
download	talos-hostboot-b7400ba903b8cbf288126872599474833b452319.tar.gz talos-hostboot-b7400ba903b8cbf288126872599474833b452319.zip