authorNick Bofferding <bofferdn@us.ibm.com>2017-04-22 17:15:03 -0500
committerDaniel M. Crowell <dcrowell@us.ibm.com>2017-05-08 14:12:48 -0400
commit8527fc2b9549b9b6782fdffde29ff8713e677bc4 (patch)
treeeb277c60fcf28eec2116546c2ce4be6ca4a53144 /src/usr/pnor/pnor_utils.C
parentb93bb1c4e5151e309231a6b667bc98deaf98572f (diff)
Support gracefully adding signing headers to PNOR sections
Change-Id: Ie8ce7672a41c0b6230918911f59ada5443c552f5 RTC: 170650 CMVC-Coreq: 1022416 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/39869 Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/pnor/pnor_utils.C')
-rw-r--r--src/usr/pnor/pnor_utils.C24
1 files changed, 23 insertions, 1 deletions
diff --git a/src/usr/pnor/pnor_utils.C b/src/usr/pnor/pnor_utils.C
index a5950bc20..0f484d77e 100644
--- a/src/usr/pnor/pnor_utils.C
+++ b/src/usr/pnor/pnor_utils.C
@@ -319,6 +319,28 @@ PNOR::parseEntries (ffs_hdr* i_ffs_hdr,
((io_TOC[secId].size * 8 ) / 9);
}
+ // @TODO RTC 173489
+ // Remove once FSP fully supports signing of PNOR sections that did
+ // not previously have a sha512 header. Until then, turn off the SHA512
+ // bit if it doesn't match known header types
+#ifndef BOOTLOADER
+ if(io_TOC[secId].version & FFS_VERS_SHA512)
+ {
+ bool hasKnownHeader = true;
+ l_errhdl = PNOR::hasKnownHeader(static_cast<SectionId>(secId),
+ io_TOC[secId],hasKnownHeader);
+ if(l_errhdl)
+ {
+ break;
+ }
+
+ if(!hasKnownHeader)
+ {
+ io_TOC[secId].version &= ~FFS_VERS_SHA512;
+ }
+ }
+#endif
+
#ifdef BOOTLOADER
io_TOC[secId].secure = PNOR::isEnforcedSecureSection(secId);
#elif !defined(__HOSTBOOT_RUNTIME) // runtime is handled by rt_pnor code
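Review bot: The added `#ifndef BOOTLOADER` block drops `FFS_VERS_SHA512` from `io_TOC[secId].version` silently, and it does so before `io_TOC[secId].secure` is assigned just below, so the downgrade applies to every section, including ones that may later be marked secure. The version bit comes from the parsed TOC and `PNOR::hasKnownHeader` presumably inspects the section's own contents, so the decision appears to rest entirely on data read from PNOR. Restricting the clear to sections that are not required to be secure would be safer, and at minimum the section id should be traced whenever the bit is cleared so the downgrade shows up in logs. A comment such as `// Security: header presence is inferred from PNOR contents; do not rely on this bit for secure sections` would record the limitation until the TODO is resolved. The local `bool hasKnownHeader` also shadows the function it is passed to; `bool l_knownHeader = true;` reads more clearly. parseEntries starts and ends outside this hunk, so how later code consumes the cleared bit is not visible here.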
@@ -454,6 +476,6 @@ bool PNOR::cmpSecurebootMagicNumber(const uint8_t* i_vaddr)
bool PNOR::hasNonSecureHeader(const PNOR::SectionData_t& i_secInfo)
{
- return i_secInfo.version == FFS_VERS_SHA512 &&
+ return (i_secInfo.version & FFS_VERS_SHA512) &&
!i_secInfo.secure;
}
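Review bot: With the bit test in `hasNonSecureHeader`, the result depends on whether `FFS_VERS_SHA512` is still set in the cached TOC entry, and the clearing added to parseEntries is compiled out under `BOOTLOADER`. If this predicate is also built into the bootloader, the two environments could disagree on whether the same section carries a header, so the offset at which its payload is read could differ between them. It is worth confirming that and documenting the dependency on the function, for example `// Relies on parseEntries having cleared FFS_VERS_SHA512 for sections without a known header (non-BOOTLOADER builds only)`. Writing the test as `(i_secInfo.version & FFS_VERS_SHA512) != 0` would also make the bit-to-bool conversion explicit.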