diff options
author | Stephen Cprek <smcprek@us.ibm.com> | 2017-03-16 14:55:36 -0500 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-03-30 10:59:38 -0400 |
commit | 7e53643075803b2654bebec85f693c90d1b503f6 (patch) | |
tree | 67d6fbfb13b8b74dcb72cca54320e0d4efab39bf /src/usr/pnor/pnor_common.C | |
parent | da8ebbbccc858f874bb9841a1a23390798d4f14d (diff) | |
download | talos-hostboot-7e53643075803b2654bebec85f693c90d1b503f6.tar.gz talos-hostboot-7e53643075803b2654bebec85f693c90d1b503f6.zip |
Secureboot best effort compatibility support
Change-Id: I1671459ca58684b14f65f322ff6dccddcaad40a2
RTC: 170685
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/38104
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/pnor/pnor_common.C')
-rw-r--r-- | src/usr/pnor/pnor_common.C | 58 |
1 files changed, 50 insertions, 8 deletions
diff --git a/src/usr/pnor/pnor_common.C b/src/usr/pnor/pnor_common.C index f766e3937..bc5e2b173 100644 --- a/src/usr/pnor/pnor_common.C +++ b/src/usr/pnor/pnor_common.C @@ -235,12 +235,15 @@ errlHndl_t PNOR::parseTOC( uint8_t* i_tocBuffer,SectionData_t * o_TOC) ffs_entry* l_err_entry = NULL; - PNOR::parseEntries(l_ffs_hdr, l_errCode, o_TOC, l_err_entry); - - if(l_errCode != NO_ERROR) + l_errhdl = PNOR::parseEntries(l_ffs_hdr, l_errCode, o_TOC, l_err_entry); + if (l_errhdl) { - TRACFCOMP(g_trac_pnor, "PNOR::parseTOC parseEntries" - " parse entries returned an error"); + TRACFCOMP(g_trac_pnor, "PNOR::parseTOC parseEntries returned an error log"); + break; + } + else if(l_errCode != NO_ERROR) + { + TRACFCOMP(g_trac_pnor, "PNOR::parseTOC parseEntries returned an error code"); o_TOC = NULL; /* @errortype * @moduleid PNOR::MOD_PNORRP_READTOC @@ -295,9 +298,7 @@ errlHndl_t PNOR::parseTOC( uint8_t* i_tocBuffer,SectionData_t * o_TOC) // @TODO RTC 168021 Remove legacy extensions when all // secure sections are supported - auto isSecure = PNOR::isSecureSection(l_secId); - if ( o_TOC[l_secId].version == FFS_VERS_SHA512 - && !isSecure) + if (PNOR::hasNonSecureHeader(o_TOC[l_secId])) { // Never extend the base image through this path, it will be // handled elsewhere @@ -385,3 +386,44 @@ bool PNOR::isInhibitedSection(const uint32_t i_section) #endif } +errlHndl_t PNOR::setSecure(const uint32_t i_secId, + PNOR::SectionData_t* io_TOC) +{ + errlHndl_t l_errhdl = nullptr; + + assert(io_TOC != nullptr, "PNOR::setSecure received a NULL toc to modify"); + + do { + + // Set secure field based on enforced policy + io_TOC[i_secId].secure = PNOR::isEnforcedSecureSection(i_secId); + +#ifndef __HOSTBOOT_RUNTIME +#ifdef CONFIG_SECUREBOOT_BEST_EFFORT + if (io_TOC[i_secId].secure) + { + // Apply best effort policy by checking if the section appears to have a + // secure header + size_t l_size = sizeof(ROM_MAGIC_NUMBER); + auto l_buf = new uint8_t[l_size](); + auto l_target = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL; + // Read first 8 bytes of section data from the PNOR DD + // Note: Do not need to worry about ECC as the 9th byte is the first + // ECC byte. + l_errhdl = DeviceFW::deviceRead(l_target, l_buf, l_size, + DEVICE_PNOR_ADDRESS(0,io_TOC[i_secId].flashAddr)); + if (l_errhdl) + { + break; + } + + // Check if first 8 bytes match the Secureboot Magic Number + io_TOC[i_secId].secure &= PNOR::cmpSecurebootMagicNumber(l_buf); + } +#endif +#endif + + } while (0); + + return l_errhdl; +} |