diff options
| author | Stephen Cprek <smcprek@us.ibm.com> | 2017-10-31 13:01:30 -0500 |
|---|---|---|
| committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-11-19 15:54:51 -0500 |
| commit | 81279c1d146d8ee920494c7817cdd72f165dd373 (patch) | |
| tree | d616d0914823c8c25592e8276e0610ba1c9d2a28 /src/usr/runtime/preverifiedlidmgr.C | |
| parent | 63a026113332464fc3bcc73369ba35bfe8f62b6f (diff) | |
| download | talos-hostboot-81279c1d146d8ee920494c7817cdd72f165dd373.tar.gz talos-hostboot-81279c1d146d8ee920494c7817cdd72f165dd373.zip | |
Secure Boot: Fix lid load from HB reserved memory issues at runtime
- Force all PNOR sections we load from HB rserved memory to be secure
Only exception is the RINGOVD section, in which we use a fake header
- Add fake header when Secureboot compiled out or a section is never
signed as there is no secure header preserved in virtual memory
RTC: 171708
RTC: 180063
Change-Id: Ibbbd7be24ee7b199e73451c63b2c2d1f86a2c2d8
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49020
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/runtime/preverifiedlidmgr.C')
| -rw-r--r-- | src/usr/runtime/preverifiedlidmgr.C | 66 |
1 files changed, 60 insertions, 6 deletions
diff --git a/src/usr/runtime/preverifiedlidmgr.C b/src/usr/runtime/preverifiedlidmgr.C index 16cf15c10..62671860f 100644 --- a/src/usr/runtime/preverifiedlidmgr.C +++ b/src/usr/runtime/preverifiedlidmgr.C @@ -36,6 +36,8 @@ #include <arch/ppc.H> #include <targeting/common/target.H> #include <targeting/common/attributes.H> +#include <secureboot/containerheader.H> +#include <runtime/common/runtime_utils.H> extern trace_desc_t *g_trac_runtime; @@ -47,6 +49,8 @@ PreVerifiedLidMgr::ResvMemInfo PreVerifiedLidMgr::cv_resvMemInfo {}; PreVerifiedLidMgr::ResvMemInfo PreVerifiedLidMgr::cv_phypResvMemInfo {}; mutex_t PreVerifiedLidMgr::cv_mutex = MUTEX_INITIALIZER; mutex_t PreVerifiedLidMgr::cv_loadImageMutex = MUTEX_INITIALIZER; +bool PreVerifiedLidMgr::cv_addFakeHdrs = false; +PNOR::SectionId PreVerifiedLidMgr::cv_curPnorSecId = PNOR::INVALID_SECTION; /******************** Public Methods @@ -156,6 +160,27 @@ errlHndl_t PreVerifiedLidMgr::_loadFromPnor(const PNOR::SectionId i_sec, TRACFCOMP(g_trac_runtime, ENTER_MRK"PreVerifiedLidMgr::_loadFromPnor - sec %s", PNOR::SectionIdToString(i_sec)); +#ifdef CONFIG_SECUREBOOT + // If SB compiled in, only add fake secure header if the section is never + // signed. e.g. RINGOVD section + // Otherwise always add fake secure header when SB compiled out + if (!RUNTIME::isPreVerifiedSectionSecure(i_sec)) + { +#endif + // Check if Header is mising + if (!PNOR::cmpSecurebootMagicNumber( + reinterpret_cast<uint8_t*>(i_addr))) + { + TRACFCOMP(g_trac_runtime, "PreVerifiedLidMgr::_loadFromPnor adding fake header to %s", + PNOR::SectionIdToString(i_sec)); + // Add fake headers to pnor loads + cv_addFakeHdrs = true; + cv_curPnorSecId = i_sec; + } +#ifdef CONFIG_SECUREBOOT + } +#endif + errlHndl_t l_errl = nullptr; do { @@ -206,10 +231,11 @@ errlHndl_t PreVerifiedLidMgr::_loadFromPnor(const PNOR::SectionId i_sec, { char l_lidStr[Util::lidIdStrLength] {}; snprintf (l_lidStr, Util::lidIdStrLength, "%08X",l_lids.lid); + assert(i_size > PAGE_SIZE, "PreVerifiedLidMgr::_loadFromPnor - caller did not include size of header for total size"); l_errl = RUNTIME::setNextHbRsvMemEntry(HDAT::RHB_TYPE_VERIFIED_LIDS, cv_pResvMemInfo->rangeId, cv_pResvMemInfo->curAddr+PAGE_SIZE, - i_size, + i_size-PAGE_SIZE, l_lidStr); if(l_errl) { @@ -253,6 +279,10 @@ errlHndl_t PreVerifiedLidMgr::_loadFromPnor(const PNOR::SectionId i_sec, } while(0); + // Force fake header bool to be false and clear cur PNOR section id + cv_addFakeHdrs = false; + cv_curPnorSecId = PNOR::INVALID_SECTION; + TRACFCOMP( g_trac_runtime, EXIT_MRK"PreVerifiedLidMgr::_loadFromPnor"); mutex_unlock(&cv_loadImageMutex); @@ -271,6 +301,9 @@ errlHndl_t PreVerifiedLidMgr::_loadFromMCL(const uint32_t i_lidId, TRACFCOMP(g_trac_runtime, ENTER_MRK"PreVerifiedLidMgr::_loadFromMCL lid = 0x%X", i_lidId); + // Force fake header bool to be false in MCL path + cv_addFakeHdrs = false; + errlHndl_t l_errl = nullptr; // Switch to Different Memory Info for PHYP component @@ -396,11 +429,32 @@ errlHndl_t PreVerifiedLidMgr::loadImage(const uint64_t i_imgAddr, TRACDCOMP(g_trac_runtime, "PreVerifiedLidMgr::loadImage - curAddr 0x%X, size 0x%X, vaddr 0x%X", cv_pResvMemInfo->curAddr, i_imgSize, l_tmpVaddr); - // Include Header page from pnor image. - // NOTE: Do not use aligned size for memcpy - memcpy(reinterpret_cast<void*>(l_tmpVaddr), - reinterpret_cast<void*>(i_imgAddr), - i_imgSize); + // Inject a fake header when loading from PNOR and secureboot is compiled + // out. + if(cv_addFakeHdrs) + { + TRACDCOMP(g_trac_runtime, "PreVerifiedLidMgr::loadImage fake header load"); + SECUREBOOT::ContainerHeader l_fakeHdr(i_imgSize, + SectionIdToString(cv_curPnorSecId)); + // Inject Fake header into reserved memory + memcpy(reinterpret_cast<void*>(l_tmpVaddr), + l_fakeHdr.fakeHeader(), + PAGE_SIZE); + // Include rest of image after header + // NOTE: Do not use aligned size for memcpy + assert(i_imgSize > PAGE_SIZE, "PreVerifiedLidMgr::loadImage - caller did not include size of header for total size"); + memcpy(reinterpret_cast<void*>(l_tmpVaddr+PAGE_SIZE), + reinterpret_cast<void*>(i_imgAddr), + i_imgSize-PAGE_SIZE); + } + else + { + TRACDCOMP(g_trac_runtime, "PreVerifiedLidMgr::loadImage default load"); + // NOTE: Do not use aligned size for memcpy + memcpy(reinterpret_cast<void*>(l_tmpVaddr), + reinterpret_cast<void*>(i_imgAddr), + i_imgSize); + } l_errl = RUNTIME::unmapVirtAddr(l_tmpVaddr); if(l_errl) |
