diff options
| author | Stephen Cprek <smcprek@us.ibm.com> | 2016-04-08 12:50:56 -0500 |
|---|---|---|
| committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2016-05-18 12:36:07 -0400 |
| commit | faba45366783533757b3636b0dcf0db2a1b2497e (patch) | |
| tree | 4a5f897fe0ca810f15a2452aa039205be49a5fb1 /src/usr/secureboot | |
| parent | 31800a88f21f37e4efcd6915de38b312788247fd (diff) | |
| download | talos-hostboot-faba45366783533757b3636b0dcf0db2a1b2497e.tar.gz talos-hostboot-faba45366783533757b3636b0dcf0db2a1b2497e.zip | |
Change securerom test to use current hw hash key
Change-Id: Icb596e6c69fadd2f7b8109876a92db04763f206f
RTC: 68883
ForwardPort: yes
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/23066
Tested-by: Jenkins Server
Tested-by: Jenkins OP Build CI
Tested-by: Jenkins OP HW
Tested-by: FSP CI Jenkins
Reviewed-by: Christian R. Geddes <crgeddes@us.ibm.com>
Reviewed-by: Matthew A. Ploetz <maploetz@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/23070
Diffstat (limited to 'src/usr/secureboot')
| -rw-r--r-- | src/usr/secureboot/base/securerom.C | 19 | ||||
| -rw-r--r-- | src/usr/secureboot/base/test/makefile | 6 | ||||
| -rw-r--r-- | src/usr/secureboot/base/test/secureromtest.H | 81 |
3 files changed, 41 insertions, 65 deletions
diff --git a/src/usr/secureboot/base/securerom.C b/src/usr/secureboot/base/securerom.C index 4174bf6a6..48b4255cd 100644 --- a/src/usr/secureboot/base/securerom.C +++ b/src/usr/secureboot/base/securerom.C @@ -315,7 +315,8 @@ errlHndl_t SecureROM::verifyContainer(void * i_container, size_t i_size) // Now set hw_key_hash, which is of type sha2_hash_t, to iv_hash_key memcpy (&l_hw_parms.hw_key_hash, &iv_hash_key, sizeof(sha2_hash_t)); - + TRACFBIN(g_trac_secure,"SecureROM::verifyContainer(): hw_key_hash", + l_hw_parms.hw_key_hash, sizeof(sha2_hash_t)); /*******************************************************************/ /* Call ROM_verify() function via an assembly call */ @@ -333,10 +334,20 @@ errlHndl_t SecureROM::verifyContainer(void * i_container, size_t i_size) iv_device_ptr); + ROM_container_raw* l_container = reinterpret_cast<ROM_container_raw*>(i_container); + TRACFCOMP(g_trac_secure,"magic_number 0x%X", l_container->magic_number); + TRACFCOMP(g_trac_secure,"version 0x%X", l_container->version); + TRACFCOMP(g_trac_secure,"container_size 0x%X", l_container->container_size); + TRACFCOMP(g_trac_secure,"target_hrmor 0x%X", l_container->target_hrmor); + TRACFCOMP(g_trac_secure,"stack_pointer 0x%X", l_container->stack_pointer); + TRACFBIN(g_trac_secure,"hw_pkey_a", l_container->hw_pkey_a, SHA512_DIGEST_LENGTH); + TRACFBIN(g_trac_secure,"hw_pkey_b", l_container->hw_pkey_b, SHA512_DIGEST_LENGTH); + TRACFBIN(g_trac_secure,"hw_pkey_c", l_container->hw_pkey_c, SHA512_DIGEST_LENGTH); + TRACFCOMP(g_trac_secure,"prefix 0x%X", l_container->prefix); + l_rc = call_rom_verify(reinterpret_cast<void*> - (l_rom_verify_startAddr), - reinterpret_cast<ROM_container_raw*> - (i_container), + (l_rom_verify_startAddr), + l_container, &l_hw_parms); diff --git a/src/usr/secureboot/base/test/makefile b/src/usr/secureboot/base/test/makefile index d333bf28d..293daed2e 100644 --- a/src/usr/secureboot/base/test/makefile +++ b/src/usr/secureboot/base/test/makefile @@ -5,7 +5,9 @@ # # OpenPOWER HostBoot Project # -# COPYRIGHT International Business Machines Corp. 2013,2014 +# Contributors Listed Below - COPYRIGHT 2013,2016 +# [+] International Business Machines Corp. +# # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,7 +27,7 @@ ROOTPATH = ../../../../.. MODULE = testsecureboot TESTS = *.H -BINARY_FILES = $(IMGDIR)/test_signed_container:d0be6f0399eee8ecdc3ded896ecccd2551a439f3 +BINARY_FILES = $(IMGDIR)/secureboot_signed_container:7cff7a85f0db014016a61eac856c3775cd266240 include ${ROOTPATH}/config.mk diff --git a/src/usr/secureboot/base/test/secureromtest.H b/src/usr/secureboot/base/test/secureromtest.H index c66c4b62a..9de9aaa80 100644 --- a/src/usr/secureboot/base/test/secureromtest.H +++ b/src/usr/secureboot/base/test/secureromtest.H @@ -5,7 +5,9 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* COPYRIGHT International Business Machines Corp. 2013,2014 */ +/* Contributors Listed Below - COPYRIGHT 2013,2016 */ +/* [+] International Business Machines Corp. */ +/* */ /* */ /* Licensed under the Apache License, Version 2.0 (the "License"); */ /* you may not use this file except in compliance with the License. */ @@ -41,7 +43,6 @@ extern trace_desc_t* g_trac_secure; //#define TRACUCOMP(args...) TRACFCOMP(args) #define TRACUCOMP(args...) - /**********************************************************************/ /* UTILITY FUNCTIONS */ /* -- note: these functions do not commit error logs */ @@ -56,18 +57,25 @@ errlHndl_t loadSignedFile( const char * i_signedFile_name, void unloadSignedFile( void * & io_signedFile_pageAddr, size_t & io_signedFile_size ); - -// @todo RTC:34080 - In future key hash will come from HW, but -// Get the software keys that match the signed container -void useSwKeyHash(sha2_hash_t * o_sw_key_hash); +// secureboot_signed_container was generated using this hw hash key. If another +// key is in pibmem, this test will always fail. +const uint64_t hw_hash_key[] = +{ + 0x40d487ff7380ed6a, + 0xd54775d5795fea0d, + 0xe2f541fea9db06b8, + 0x466a42a320e65f75, + 0xb48665460017d907, + 0x515dc2a5f9fc5095, + 0x4d6ee0c9b67d219d, + 0xfb7085351d01d6d1 +}; /**********************************************************************/ /* End of UTILITY FUNCTIONS */ /**********************************************************************/ - - class SecureROMTest : public CxxTest::TestSuite { public: @@ -82,11 +90,11 @@ class SecureROMTest : public CxxTest::TestSuite errlHndl_t l_errl = NULL; /*******************************************************************/ - /* Load "test_signed_container" from PNOR to use for verification */ + /* Load "secureboot_signed_container" from PNOR to use for verification */ /*******************************************************************/ // Signed file variables - const char * signedFile_name = "test_signed_container"; + const char * signedFile_name = "secureboot_signed_container"; void * signedFile_pageAddr = NULL; size_t signedFile_size = 0; @@ -106,14 +114,6 @@ class SecureROMTest : public CxxTest::TestSuite "signedFile info: addr = %p, size=0x%x", signedFile_pageAddr, signedFile_size); - - - /*******************************************************************/ - /* @todo RTC:34080 - In future key hash will come from HW, but */ - /* for now, create and initialize a local SecureROM class and */ - /* and then override the hash key variable to use the SW Key Hash */ - /* for the test_signed_container */ - /*******************************************************************/ SecureROM l_sRom; // Call initializeSecureROM() @@ -126,9 +126,8 @@ class SecureROMTest : public CxxTest::TestSuite return; } - // Use Utility Function to load software keys into iv_hash_key - useSwKeyHash( & l_sRom.iv_hash_key); - + // Set hw hash key + memcpy (& l_sRom.iv_hash_key, &hw_hash_key, sizeof(sha2_hash_t)); /*******************************************************************/ /* Call verify function */ @@ -147,9 +146,8 @@ class SecureROMTest : public CxxTest::TestSuite return; } - /*******************************************************************/ - /* Unload "test_signed_container" from memory */ + /* Unload "secureboot_signed_container" from memory */ /*******************************************************************/ if ( signedFile_pageAddr != NULL ) { @@ -157,17 +155,14 @@ class SecureROMTest : public CxxTest::TestSuite } TRACFCOMP(g_trac_secure,EXIT_MRK"SecureROMTest::test_verify"); - }; - }; - /**********************************************************************/ /* UTILITY FUNCTIONS */ /**********************************************************************/ -// Moved test_signed_container from PNOR to paged-in memory +// Moved secureboot_signed_container from PNOR to paged-in memory errlHndl_t loadSignedFile( const char * i_signedFile_name, void * & o_signedFile_pageAddr, size_t & o_signedFile_size ) @@ -176,7 +171,6 @@ errlHndl_t loadSignedFile( const char * i_signedFile_name, errlHndl_t l_errl = NULL; const char * l_signedFile_virtAddr = NULL; - /*******************************************************************/ /* Load file from PNOR to use for verification */ /*******************************************************************/ @@ -203,7 +197,6 @@ errlHndl_t loadSignedFile( const char * i_signedFile_name, return l_errl; } - // Request contiguous memory block to copy in file size_t l_num_pages = ALIGN_PAGE(o_signedFile_size)/PAGESIZE; bool l_isUserspace = true; @@ -226,7 +219,6 @@ errlHndl_t loadSignedFile( const char * i_signedFile_name, void unloadSignedFile( void * & io_signedFile_pageAddr, size_t & io_signedFile_size ) { - // Determine number of pages to be freed size_t l_num_pages = ALIGN_PAGE(io_signedFile_size)/PAGESIZE; @@ -239,35 +231,6 @@ void unloadSignedFile( void * & io_signedFile_pageAddr, TRACUCOMP(g_trac_secure, "unloadSignedFile()> " "Info: sF_pA=%p, size=0x%x (pages=%d)", io_signedFile_pageAddr, io_signedFile_size, l_num_pages); - } - -// @todo RTC:34080 - In future key hash will come from HW, but -// Get the software keys that match the signed container -void useSwKeyHash(sha2_hash_t * o_sw_key_hash) -{ - - - /* On HW hw_key_hash will be pulled from SBE's SEEPROM or PIB Memory */ - - /* For simics/testing, we're hardcoding the value from Dale */ - /* Peterson here, which I've stored here: */ - /* /gsa/rchgsa-h1/00/baiocchi/HB/Story_Notes/Story_64764/ */ - /* Secure_ROM_Files/HB_SW_Files/hdwkeyHash */ - - /* Dale's files' hw-hash-key */ - uint64_t l_hdwkeyHash[] = { 0x6c8206fa4f551088, 0xc8c23af693ed242d, - 0x96824dac71bccf07, 0x73abb342d4bb932f, - 0x9a9a8d72fbf28202, 0xd89fa8fad5658959, - 0xc89ccf0d0205b8ca, 0x2071ba27e18ae0f8 - }; - - // Copy l_hdwkeyHash into sha2_hash_t - memcpy (o_sw_key_hash, &l_hdwkeyHash, sizeof(sha2_hash_t)); - - return; -} - - #endif |
