| author | Mike Baiocchi <mbaiocch@us.ibm.com> | 2018-01-26 17:51:38 -0600 |
|---|---|---|
| committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2018-02-01 17:59:52 -0500 |
| commit | 1d437c8dc54886f43ab77447f0456c49f5b69c04 (patch) | |
| tree | d44fb64613a6b23e25c99f31daa6b0e2436c325e /src/usr/util | |
| parent | 4046ab053d85e0a531532f1a40894efb9361c83c (diff) | |
Verify ComponentID and Extend PAYLOAD
While verifying the PAYLOAD in memory before moving it to its final
location, this commit parses the PAYLOAD's header and verifies that
it has the correct componentId. It also extends the PAYLOAD
information to the TPM.
Change-Id: Ie333d1ba5919b36919b207f25ad60806359ed710
RTC:168745
Backport: release-fips910
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/52837
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/util')
| -rw-r--r-- | src/usr/util/utilmclmgr.C | 49 |
1 files changed, 27 insertions, 22 deletions
diff --git a/src/usr/util/utilmclmgr.C b/src/usr/util/utilmclmgr.C
index bcf0432bb..a89c124b8 100644
--- a/src/usr/util/utilmclmgr.C
+++ b/src/usr/util/utilmclmgr.C
@@ -42,6 +42,7 @@ const size_t MclCompSectionPadSize = 16;
 const ComponentID g_MclCompId {"MSTCONT"};
 const ComponentID g_PowervmCompId {"POWERVM"};
+const ComponentID g_OpalCompId {"OPAL"};
 void compIdToString(const ComponentID i_compId, CompIdString o_compIdStr)
 {
@@ -605,21 +606,6 @@ errlHndl_t MasterContainerLidMgr::verifyExtend(const ComponentID& i_compId,
 if( (io_compInfo.flags & CompFlags::SIGNED_PRE_VERIFY) == CompFlags::SIGNED_PRE_VERIFY)
 {
- // Only verify the lids if in secure mode
- if (SECUREBOOT::enabled())
- {
- // Verify Container - some combination of Lids
-
- l_errl = SECUREBOOT::verifyContainer(iv_pVaddr,
- extractLidIds(io_compInfo.lidIds));
- if (l_errl)
- {
- UTIL_FT(ERR_MRK"MasterContainerLidMgr::verifyExtend - failed verifyContainer");
- SECUREBOOT::handleSecurebootFailure(l_errl);
- assert(false,"Bug! handleSecurebootFailure shouldn't return!");
- }
- }
-
 // Parse Container Header
 SECUREBOOT::ContainerHeader l_conHdr;
 l_errl = l_conHdr.setHeader(iv_pVaddr);
@@ -635,15 +621,34 @@ errlHndl_t MasterContainerLidMgr::verifyExtend(const ComponentID& i_compId,
 io_compInfo.unprotectedSize = l_conHdr.totalContainerSize() - l_conHdr.payloadTextSize();
- // Verify the component in the Secure Header matches the MCL
- l_errl = SECUREBOOT::verifyComponentId(l_conHdr, iv_curCompIdStr);
+ // Only verify the lids if in secure mode
+ if (SECUREBOOT::enabled())
+ {
+ // Verify Container - some combination of Lids
+ l_errl = SECUREBOOT::verifyContainer(iv_pVaddr,
+ extractLidIds(io_compInfo.lidIds));
+ if (l_errl)
+ {
+ UTIL_FT(ERR_MRK"MasterContainerLidMgr::verifyExtend - failed verifyContainer");
+ SECUREBOOT::handleSecurebootFailure(l_errl);
+ assert(false,"Bug! handleSecurebootFailure shouldn't return!");
+ }
+
+ // Verify the component in the Secure Header matches the MCL
+ l_errl = SECUREBOOT::verifyComponentId(l_conHdr, iv_curCompIdStr);
+ if (l_errl)
+ {
+ l_errl->collectTrace(UTIL_COMP_NAME);
+ break;
+ }
+ }
+
+ l_errl = tpmExtend(i_compId, l_conHdr);
 if (l_errl)
 {
 l_errl->collectTrace(UTIL_COMP_NAME);
 break;
 }
-
- tpmExtend(i_compId, l_conHdr);
 }
 } while(0);
@@ -653,7 +658,7 @@ errlHndl_t MasterContainerLidMgr::verifyExtend(const ComponentID& i_compId,
 }
 errlHndl_t MasterContainerLidMgr::tpmExtend(const ComponentID& i_compId,
- const SECUREBOOT::ContainerHeader& i_conHdr) const
+ const SECUREBOOT::ContainerHeader& i_conHdr)
 {
 UTIL_DT(ENTER_MRK"MasterContainerLidMgr::tpmExtend");
@@ -681,7 +686,7 @@ errlHndl_t MasterContainerLidMgr::tpmExtend(const ComponentID& i_compId,
 if (l_errl)
 {
 UTIL_FT(ERR_MRK "MasterContainerLidMgr::tpmExtend - pcrExtend() (payload text hash) failed for component %s",
- iv_curCompIdStr);
+ i_conHdr.componentId());
 break;
 }
@@ -694,7 +699,7 @@ errlHndl_t MasterContainerLidMgr::tpmExtend(const ComponentID& i_compId,
 if (l_errl)
 {
 UTIL_FT(ERR_MRK "MasterContainerLidMgr::tpmExtend - pcrExtend() (FW key hash) failed for component %s",
- iv_curCompIdStr);
+ i_conHdr.componentId());
 break;
 } |
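Review bot: In the `verifyExtend` hunk at -635, `verifyComponentId` now runs only inside `if (SECUREBOOT::enabled())`, while `l_errl = tpmExtend(i_compId, l_conHdr);` runs unconditionally, so with secure boot disabled the component is measured under a header whose component ID was never compared with the MCL entry. Before this change the ID check was outside any secure-mode test; if skipping it is intended (measurement without enforcement), state that above the `tpmExtend` call, e.g. `// Measured even when not enforcing; compId is unchecked in that case`, otherwise keep `verifyComponentId` outside the secure-mode block. The move also means `setHeader` and the `io_compInfo.unprotectedSize` computation now consume the header before `verifyContainer` has authenticated it, so the header parser has to tolerate unauthenticated input; a short comment recording that ordering decision would help the next reader. The enclosing function starts and ends outside the hunk.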
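Review bot: The two trace calls in `tpmExtend` (hunks at -681 and -694) now pass `i_conHdr.componentId()` to a `%s` conversion, so the string comes straight from the container header, which is unauthenticated whenever the secure-mode block in `verifyExtend` was skipped. If `componentId()` exposes a fixed-width header field rather than a guaranteed NUL-terminated copy (not visible here, please confirm), the trace can read past the field. The ID the caller asked for is already available as `i_compId`, and the file has `compIdToString` for exactly this: `CompIdString l_compIdStr; compIdToString(i_compId, l_compIdStr);` and then trace `l_compIdStr`. Both hunks show only part of the function body.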

