diff options
author | Stephen Cprek <smcprek@us.ibm.com> | 2017-10-31 13:01:30 -0500 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-11-19 15:54:51 -0500 |
commit | 81279c1d146d8ee920494c7817cdd72f165dd373 (patch) | |
tree | d616d0914823c8c25592e8276e0610ba1c9d2a28 /src/usr/pnor/runtime/rt_pnor.C | |
parent | 63a026113332464fc3bcc73369ba35bfe8f62b6f (diff) | |
download | talos-hostboot-81279c1d146d8ee920494c7817cdd72f165dd373.tar.gz talos-hostboot-81279c1d146d8ee920494c7817cdd72f165dd373.zip |
Secure Boot: Fix lid load from HB reserved memory issues at runtime
- Force all PNOR sections we load from HB rserved memory to be secure
Only exception is the RINGOVD section, in which we use a fake header
- Add fake header when Secureboot compiled out or a section is never
signed as there is no secure header preserved in virtual memory
RTC: 171708
RTC: 180063
Change-Id: Ibbbd7be24ee7b199e73451c63b2c2d1f86a2c2d8
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49020
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/pnor/runtime/rt_pnor.C')
-rw-r--r-- | src/usr/pnor/runtime/rt_pnor.C | 98 |
1 files changed, 51 insertions, 47 deletions
diff --git a/src/usr/pnor/runtime/rt_pnor.C b/src/usr/pnor/runtime/rt_pnor.C index a9c3e4d1e..16707f774 100644 --- a/src/usr/pnor/runtime/rt_pnor.C +++ b/src/usr/pnor/runtime/rt_pnor.C @@ -41,6 +41,8 @@ #include <runtime/customize_attrs_for_payload.H> #include <securerom/ROM.H> #include <config.h> +#include "../pnor_utils.H" +#include <runtime/common/runtime_utils.H> // Trace definition extern trace_desc_t* g_trac_pnor; @@ -155,30 +157,43 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section, errlHndl_t l_err = nullptr; do { - - // TODO: RTC:180063 change this to error out on secure sections as it - // did previously in HB commit cefc4c // Check if Section is invalid or inhibited from loading at runtime. bool l_inhibited = false; + bool l_secure = PNOR::isEnforcedSecureSection(i_section); + bool l_preVerified = RUNTIME::isPreVerifiedSection(i_section); #ifdef CONFIG_SECUREBOOT l_inhibited = PNOR::isInhibitedSection(i_section); #endif - if (i_section == PNOR::INVALID_SECTION || l_inhibited) + if (i_section == PNOR::INVALID_SECTION || l_inhibited || l_secure || + l_preVerified) { TRACFCOMP(g_trac_pnor, "RtPnor::getSectionInfo: Invalid Section %d", static_cast<int>(i_section)); + + if (l_preVerified) + { + TRACFCOMP(g_trac_pnor, ERR_MRK"RtPnor::getSectionInfo: pre-verified sections should be loaded via Hostboot Reserved Memory "); + } #ifdef CONFIG_SECUREBOOT - if (l_inhibited) + else if (l_inhibited) { TRACFCOMP(g_trac_pnor, ERR_MRK"RtPnor::getSectionInfo: attribute overrides inhibited by secureboot"); } + else if (l_secure) + { + TRACFCOMP(g_trac_pnor, ERR_MRK"RtPnor::getSectionInfo: secure sections should be loaded via Hostboot Reserved Memory"); + } #endif + /*@ * @errortype * @moduleid PNOR::MOD_RTPNOR_GETSECTIONINFO * @reasoncode PNOR::RC_RTPNOR_INVALID_SECTION * @userdata1 PNOR::SectionId - * @userdata2[0:63] Inhibited by secureboot + * @userdata2[0:15] Inhibited by secureboot + * @userdata2[16:31] Indication of a secure section + * @userdata2[32:47] Indication of a pre-verified section + * @userdata2[48:63] 0 * @devdesc invalid section passed to getSectionInfo or * section prohibited by secureboot */ @@ -186,7 +201,10 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section, PNOR::MOD_RTPNOR_GETSECTIONINFO, PNOR::RC_RTPNOR_INVALID_SECTION, i_section, - l_inhibited, + FOUR_UINT16_TO_UINT64(l_inhibited, + l_secure, + l_preVerified, + 0), true); break; } @@ -215,58 +233,44 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section, bool l_ecc = (iv_TOC[i_section].integrity&FFS_INTEG_ECC_PROTECT) ? true : false; - // TODO: RTC:180063 change this to error out on secure sections as it - // did previously in HB commit cefc4c - // Only do mapping and read from device to set vaddr if not a secure - // section. Secure sections should load from HB resv memory and will set - // vaddr to 0 - if (iv_TOC[i_section].secure) + void* l_pWorking = nullptr; + void* l_pClean = nullptr; + + //find the section in the map first + if(iv_pnorMap.find(i_section) != iv_pnorMap.end()) { - TRACFCOMP(g_trac_pnor,"RtPnor::getSectionInfo: Warning> Section is secure, so must be loaded from Hb resv memory. vaddr will be set to 0"); - o_info.vaddr = 0; + //get the addresses from the map + PnorAddrPair_t l_addrPair = iv_pnorMap[i_section]; + l_pWorking = l_addrPair.first; + l_pClean = l_addrPair.second; } else { - void* l_pWorking = nullptr; - void* l_pClean = nullptr; - - //find the section in the map first - if(iv_pnorMap.find(i_section) != iv_pnorMap.end()) + //malloc twice -- one working copy and one clean copy + //So, we can diff and write only the dirty bytes + l_pWorking = malloc(l_sizeBytes); + l_pClean = malloc(l_sizeBytes); + + //offset = 0 : read the entire section + l_err = readFromDevice(iv_masterProcId, i_section, 0, l_sizeBytes, + l_ecc, l_pWorking); + if(l_err) { - //get the addresses from the map - PnorAddrPair_t l_addrPair = iv_pnorMap[i_section]; - l_pWorking = l_addrPair.first; - l_pClean = l_addrPair.second; + TRACFCOMP(g_trac_pnor, "RtPnor::getSectionInfo:readFromDevice" + " failed"); + break; } - else - { - //malloc twice -- one working copy and one clean copy - //So, we can diff and write only the dirty bytes - l_pWorking = malloc(l_sizeBytes); - l_pClean = malloc(l_sizeBytes); - - //offset = 0 : read the entire section - l_err = readFromDevice(iv_masterProcId, i_section, 0, l_sizeBytes, - l_ecc, l_pWorking); - if(l_err) - { - TRACFCOMP(g_trac_pnor, "RtPnor::getSectionInfo:readFromDevice" - " failed"); - break; - } - //copy data to another pointer to save a clean copy of data - memcpy(l_pClean, l_pWorking, l_sizeBytes); + //copy data to another pointer to save a clean copy of data + memcpy(l_pClean, l_pWorking, l_sizeBytes); - //save it in the map - iv_pnorMap [i_section] = PnorAddrPair_t(l_pWorking, l_pClean); - } - o_info.vaddr = reinterpret_cast<uint64_t>(l_pWorking); + //save it in the map + iv_pnorMap [i_section] = PnorAddrPair_t(l_pWorking, l_pClean); } - //return the data in the struct o_info.id = i_section; o_info.name = SectionIdToString(i_section); + o_info.vaddr = reinterpret_cast<uint64_t>(l_pWorking); o_info.flashAddr = iv_TOC[i_section].flashAddr; o_info.size = l_sizeBytes; o_info.eccProtected = l_ecc; |