author | Stephen Cprek <smcprek@us.ibm.com> | 2017-11-20 16:56:44 -0600 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-12-18 17:27:59 -0500 |
commit | 9ae6e9595f9773d295b7e3ade47088f554c1ed48 (patch) | |
tree | f33427b681154991423fb9faad3476bf4aa17ff4 /src/usr/secureboot/trusted/base | |
parent | 8392e4f606607e505bb99de2a8d229ae69be5efe (diff) | |
Remove Secure Boot workarounds
- Removing the magic number checks that would block sb functionality
if things didn't appear secure
- Remove Best Effort Policy and all of its related code
- Remove the legacy PCR extension
- Remove the non-secure header preservation path.
- Always load HB base image header from the bl to hb data path
vs settings insecurely out of pnor
Change-Id: Ie638384ac50ed47850985c959ea7a32e5757d64e
RTC: 178520
RTC: 155374
RTC: 173489
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49925
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/secureboot/trusted/base')
-rw-r--r-- | src/usr/secureboot/trusted/base/trustedboot_base.C | 52 |
1 files changed, 17 insertions, 35 deletions
diff --git a/src/usr/secureboot/trusted/base/trustedboot_base.C b/src/usr/secureboot/trusted/base/trustedboot_base.C
index 2ec67ef81..801869439 100644
--- a/src/usr/secureboot/trusted/base/trustedboot_base.C
+++ b/src/usr/secureboot/trusted/base/trustedboot_base.C
@@ -436,18 +436,6 @@ errlHndl_t extendBaseImage()
 TRACDBIN(g_trac_trustedboot,"Base Header",pHbbHeader,
 TRUSTEDBOOT::DEFAULT_BIN_TRACE_SIZE);
- // TODO: RTC 168021
- // Need to remove this when HBB has a secure header across all platforms
- // -or- a more general compatibility mechanism has been created allowing
- // some platforms to stage in support
- if(!PNOR::cmpSecurebootMagicNumber(
- reinterpret_cast<const uint8_t*>(pHbbHeader)))
- {
- TRACDCOMP(g_trac_trustedboot, INFO_MRK " HBB header is not a secure "
- "header; inhibiting extending base image measurement");
- break;
- }
-
 // Build a container header object from the raw header
 SECUREBOOT::ContainerHeader hbbContainerHeader;
 pError = hbbContainerHeader.setHeader(pHbbHeader);
@@ -457,33 +445,27 @@ errlHndl_t extendBaseImage()
 break;
 }
- const void* pHbbVa = nullptr;
- if(!SECUREBOOT::enabled())
+ // TPM extension of PNOR sections operates differently when SecureMode is
+ // enabled/disabled. Provide all possible info and let TPM code handle
+ // the logic
+ PNOR::SectionInfo_t l_info;
+ pError = getSectionInfo(PNOR::HB_BASE_CODE, l_info);
+ if(pError)
 {
- PNOR::SectionInfo_t l_info;
-
- // @TODO RTC 168021 Remove this path since header will always be
- // cached
- pError = getSectionInfo(PNOR::HB_BASE_CODE, l_info);
- if(pError)
- {
- TRACFCOMP(g_trac_trustedboot, ERR_MRK "Failed in call to "
- "getSectionInfo for HBB section");
- break;
- }
+ TRACFCOMP(g_trac_trustedboot, ERR_MRK "Failed in call to "
+ "getSectionInfo for HBB section");
+ break;
+ }
- if(l_info.vaddr == 0)
- {
- assert(false,"BUG! In extendBaseImage(), HBB virtual address "
- "was 0");
- }
+ if(l_info.vaddr == 0)
+ {
+ assert(false,"BUG! In extendBaseImage(), HBB virtual address was 0");
+ }
- pHbbVa = reinterpret_cast<const void*>(
- l_info.vaddr);
+ const void* pHbbVa = reinterpret_cast<const void*>(l_info.vaddr);
- TRACDBIN(g_trac_trustedboot,"PNOR Base Code",pHbbVa,
- TRUSTEDBOOT::DEFAULT_BIN_TRACE_SIZE);
- }
+ TRACDBIN(g_trac_trustedboot,"PNOR Base Code",pHbbVa,
+ TRUSTEDBOOT::DEFAULT_BIN_TRACE_SIZE);
 // Extend the HBB measurement to the TPM
 pError = extendPnorSectionHash( |
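Review bot: The new comment above `getSectionInfo(PNOR::HB_BASE_CODE, l_info)` does not say which input is trusted now that `pHbbVa` is set from `l_info.vaddr` in secure mode as well, where the old code left it `nullptr`. The call to `extendPnorSectionHash` is cut off at the end of the hunk, so it cannot be confirmed here whether it hashes the bytes at `pHbbVa` or takes the measurement from `hbbContainerHeader` when secure mode is on. If it is the latter, the comment should say so, e.g. `// In secure mode the measurement comes from the verified container header; pHbbVa is read only when secure mode is off`. The distinction matters because re-reading flash after verification could measure something other than what was verified. Separately, `if(l_info.vaddr == 0) { assert(false, ...) }` reads more directly as `assert(l_info.vaddr != 0, "BUG! In extendBaseImage(), HBB virtual address was 0");`.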