authorStephen Cprek <smcprek@us.ibm.com>2016-04-08 12:50:56 -0500
committerDaniel M. Crowell <dcrowell@us.ibm.com>2016-05-18 12:36:07 -0400
commitfaba45366783533757b3636b0dcf0db2a1b2497e (patch)
tree4a5f897fe0ca810f15a2452aa039205be49a5fb1 /src
parent31800a88f21f37e4efcd6915de38b312788247fd (diff)
downloadtalos-hostboot-faba45366783533757b3636b0dcf0db2a1b2497e.tar.gz
talos-hostboot-faba45366783533757b3636b0dcf0db2a1b2497e.zip
Change securerom test to use current hw hash key
Change-Id: Icb596e6c69fadd2f7b8109876a92db04763f206f RTC: 68883 ForwardPort: yes Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/23066 Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Tested-by: FSP CI Jenkins Reviewed-by: Christian R. Geddes <crgeddes@us.ibm.com> Reviewed-by: Matthew A. Ploetz <maploetz@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com> Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/23070
Diffstat (limited to 'src')
-rwxr-xr-xsrc/build/mkrules/hbfw/img/makefile25
-rwxr-xr-xsrc/build/tools/hb3
-rwxr-xr-xsrc/build/tools/hbDistribute11
-rw-r--r--src/makefile2
-rw-r--r--src/usr/secureboot/base/securerom.C19
-rw-r--r--src/usr/secureboot/base/test/makefile6
-rw-r--r--src/usr/secureboot/base/test/secureromtest.H81
7 files changed, 72 insertions, 75 deletions
diff --git a/src/build/mkrules/hbfw/img/makefile b/src/build/mkrules/hbfw/img/makefile
index c58d05b67..8bd7b4900 100755
--- a/src/build/mkrules/hbfw/img/makefile
+++ b/src/build/mkrules/hbfw/img/makefile
@@ -84,7 +84,11 @@ MVPD_ECC_IMAGE = mvpd.bin.ecc
MVPD_IMAGE = mvpd.bin
CVPD_ECC_IMAGE = cvpd.bin.ecc
PAYLOAD_ECC_IMAGE = payload.bin.ecc
-
+SECUREBOOT_HEADER = secureboot.header
+SECUREBOOT_SIGNED_CONTAINER = secureboot_signed_container
+# DEV_KEY_DIR set by env variable
+SIGN_PREFIX_PARAMS=-flag 0x80000000 -hka ${DEV_KEY_DIR}/hw_key_a -hkb ${DEV_KEY_DIR}/hw_key_b -hkc ${DEV_KEY_DIR}/hw_key_c -skp ${DEV_KEY_DIR}/sw_key_a
+SIGN_BUILD_PARAMS=-skp ${DEV_KEY_DIR}/sw_key_a
ALL_HB_IMAGES = ${BASE_IMAGES} \
${BASE_W_HEADER_IMAGE} \
${BASE_ECC_IMAGE} ${EXT_ECC_IMAGE} \
@@ -114,12 +118,7 @@ cp_hbfiles: .SPECTARG
currentsb -chain
ecc --inject ${BASE_IMAGE} --output ${BASE_ECC_IMAGE} --p8
ecc --inject ${BASE_W_HEADER_IMAGE} --output ${BASE_W_HEADER_ECC_IMAGE} --p8
- # dd command will pad image up to the next 4K page
- dd if=${EXT_IMAGE} of=${EXT_PAD_IMAGE} ibs=4k count=1280 conv=sync
- ecc --inject ${EXT_PAD_IMAGE} --output ${EXT_ECC_IMAGE} --p8
- .if(${FAKEPNOR} != "")
- dd if=${EXT_IMAGE} of=${EXT_FAKE_IMAGE} ibs=5120k conv=sync
- .endif
+
# Add version header w/ HBRT sha hash
echo -en VERSION\\0 > ${HBRT_SHA_IMAGE}
sha512sum ${HBRT_IMAGE} | awk '{print $$1}' | xxd -pr -r >> ${HBRT_SHA_IMAGE}
@@ -143,6 +142,18 @@ cp_hbfiles: .SPECTARG
dd if=${TEMP_IMAGE} of=${EXT_HEADER_IMAGE} ibs=5120k conv=sync
.endif
ecc --inject ${EXT_HEADER_IMAGE} --output ${EXT_ECC_HEADER_IMAGE} --p8
+ dd if=${EXT_IMAGE} of=${EXT_PAD_IMAGE} ibs=4k count=1280 conv=sync
+ ecc --inject ${EXT_PAD_IMAGE} --output ${EXT_ECC_IMAGE} --p8
+
+ # Test signed container, SIGNING_DIR set by env variable
+ .if(${SECUREBOOT} && ${SIGNING_DIR})
+ # Key prefix used for all partitions
+ ${SIGNING_DIR}/prefix -good -of ${SECUREBOOT_HEADER} ${SIGN_PREFIX_PARAMS}
+ dd if=/dev/zero count=1 | tr "\000" "\377" > ${TEMP_IMAGE}
+ ${SIGNING_DIR}/build -good -if ${SECUREBOOT_HEADER} -of ${SECUREBOOT_SIGNED_CONTAINER} -bin ${TEMP_IMAGE} ${SIGN_BUILD_PARAMS}
+ .endif
+
+ # Pad and add ECC to other partitions that do not need headers
# create data for a test partition in pnor
dd if=/dev/urandom of=${TESTDATA} count=1 bs=32K
ecc --inject ${TESTDATA} --output ${TESTDATA_ECC} --p8
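Review bot: The `.if(${SECUREBOOT} && ${SIGNING_DIR})` guard does not cover `DEV_KEY_DIR`, which `SIGN_PREFIX_PARAMS` and `SIGN_BUILD_PARAMS` (added in the first hunk of this file) expand into every key path. With `DEV_KEY_DIR` unset those arguments collapse to `/hw_key_a`, `/sw_key_a` and so on, so the signing tools either fail late or read whatever happens to sit at the filesystem root. Extending the condition, e.g. `.if(${SECUREBOOT} && ${SIGNING_DIR} && ${DEV_KEY_DIR})`, keeps the step from running half-configured. The exit status of `prefix` and `build` is presumably checked by make as for any rule line; that is worth confirming, since a silently missing container only shows up later as a test failure.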
diff --git a/src/build/tools/hb b/src/build/tools/hb
index 7865c4069..f5d2620fc 100755
--- a/src/build/tools/hb
+++ b/src/build/tools/hb
@@ -241,6 +241,9 @@ hb_helptext()
echo " #!/bin/sh"
echo " export SANDBOXROOT=~/sandboxes"
echo " export SANDBOXNAME=hostboot"
+ echo " # Dev key signing of images for secureboot"
+ echo " export SIGNING_DIR=/esw/san2/hostboot/secure-boot/secure-boot-scripts/rom_new_header/sign/obj"
+ echo " export DEV_KEY_DIR=/esw/san2/hostboot/secure-boot/dev_keys"
echo
echo " See also:"
echo " All other sub-commands."
diff --git a/src/build/tools/hbDistribute b/src/build/tools/hbDistribute
index d3c07daed..f0b84a29d 100755
--- a/src/build/tools/hbDistribute
+++ b/src/build/tools/hbDistribute
@@ -6,7 +6,9 @@
#
# OpenPOWER HostBoot Project
#
-# COPYRIGHT International Business Machines Corp. 2012,2014
+# Contributors Listed Below - COPYRIGHT 2012,2016
+# [+] International Business Machines Corp.
+#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -41,7 +43,7 @@ print_usage()
echo " --help: Prints usage information"
echo
echo " --test: Includes test images and content instead of non-test."
- echo
+ echo
echo " --release: Create a full release distribution (all targets)."
echo " --vpo: Generate just 'vpo' content."
echo " --simics/--fsp: *default* Generate just 'fsp' content"
@@ -80,6 +82,10 @@ do
DEBUG="-d"
;;
+ "--secureboot")
+ SECUREBOOT=1
+ ;;
+
--*)
echo "ERROR: Unknown option: $ARG"
exit
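Review bot: `--secureboot` is accepted here, but the `print_usage` hunk above only changes whitespace, so the option appears to be missing from the help text. A line such as `echo "    --secureboot: Build the dev-key signed test container (needs SIGNING_DIR and DEV_KEY_DIR)."` next to `--test` would cover it. `SECUREBOOT` is also only assigned inside this case arm before being exported further down, so a value inherited from the caller's environment would enable the signing step without the flag, unless it is cleared outside the visible hunks.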
@@ -118,6 +124,7 @@ fi
mkdir -p $TARGET_DIR
export TARGET_TEST
export TARGET_DIR
+export SECUREBOOT
cd $REPO_ROOT/src/build/mkrules
make -rR ${DEBUG:=} -f dist.targets.mk $TARGET
diff --git a/src/makefile b/src/makefile
index 38dd589f9..9ff3f2b74 100644
--- a/src/makefile
+++ b/src/makefile
@@ -304,7 +304,7 @@ hbicore_test_EXTENDED_MODULES += ${hbicore_EXTENDED_MODULES}
hbicore_test_EXTENDED_MODULES += ${TESTCASE_MODULES}
hbicore_test_DATA_MODULES += testdata
ifndef SKIP_BINARY_FILES
-hbicore_test_DATA_MODULES += test_signed_container
+hbicore_test_DATA_MODULES += secureboot_signed_container
endif
hbicore_test_LDFILE = kernel.ld
diff --git a/src/usr/secureboot/base/securerom.C b/src/usr/secureboot/base/securerom.C
index 4174bf6a6..48b4255cd 100644
--- a/src/usr/secureboot/base/securerom.C
+++ b/src/usr/secureboot/base/securerom.C
@@ -315,7 +315,8 @@ errlHndl_t SecureROM::verifyContainer(void * i_container, size_t i_size)
// Now set hw_key_hash, which is of type sha2_hash_t, to iv_hash_key
memcpy (&l_hw_parms.hw_key_hash, &iv_hash_key, sizeof(sha2_hash_t));
-
+ TRACFBIN(g_trac_secure,"SecureROM::verifyContainer(): hw_key_hash",
+ l_hw_parms.hw_key_hash, sizeof(sha2_hash_t));
/*******************************************************************/
/* Call ROM_verify() function via an assembly call */
@@ -333,10 +334,20 @@ errlHndl_t SecureROM::verifyContainer(void * i_container, size_t i_size)
iv_device_ptr);
+ ROM_container_raw* l_container = reinterpret_cast<ROM_container_raw*>(i_container);
+ TRACFCOMP(g_trac_secure,"magic_number 0x%X", l_container->magic_number);
+ TRACFCOMP(g_trac_secure,"version 0x%X", l_container->version);
+ TRACFCOMP(g_trac_secure,"container_size 0x%X", l_container->container_size);
+ TRACFCOMP(g_trac_secure,"target_hrmor 0x%X", l_container->target_hrmor);
+ TRACFCOMP(g_trac_secure,"stack_pointer 0x%X", l_container->stack_pointer);
+ TRACFBIN(g_trac_secure,"hw_pkey_a", l_container->hw_pkey_a, SHA512_DIGEST_LENGTH);
+ TRACFBIN(g_trac_secure,"hw_pkey_b", l_container->hw_pkey_b, SHA512_DIGEST_LENGTH);
+ TRACFBIN(g_trac_secure,"hw_pkey_c", l_container->hw_pkey_c, SHA512_DIGEST_LENGTH);
+ TRACFCOMP(g_trac_secure,"prefix 0x%X", l_container->prefix);
+
l_rc = call_rom_verify(reinterpret_cast<void*>
- (l_rom_verify_startAddr),
- reinterpret_cast<ROM_container_raw*>
- (i_container),
+ (l_rom_verify_startAddr),
+ l_container,
&l_hw_parms);
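Review bot: The new traces dereference `l_container` for every header field before `call_rom_verify` runs, and nothing in this hunk checks that `i_container` is non-NULL or that `i_size` covers `sizeof(ROM_container_raw)`. For a short or missing buffer that is a read past the end of unverified input, and it sits on the production verify path rather than only in the test. A guard such as `if (i_container == NULL || i_size < sizeof(ROM_container_raw))` that returns an error log before the traces would close that, unless an equivalent check already exists outside the hunk (the function body starts and ends beyond it). `l_container->prefix`, `target_hrmor` and `stack_pointer` are all printed with `0x%X`; `ROM_container_raw` is not visible here, so whether those fields are 32-bit integers that match the format needs confirming.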
diff --git a/src/usr/secureboot/base/test/makefile b/src/usr/secureboot/base/test/makefile
index d333bf28d..293daed2e 100644
--- a/src/usr/secureboot/base/test/makefile
+++ b/src/usr/secureboot/base/test/makefile
@@ -5,7 +5,9 @@
#
# OpenPOWER HostBoot Project
#
-# COPYRIGHT International Business Machines Corp. 2013,2014
+# Contributors Listed Below - COPYRIGHT 2013,2016
+# [+] International Business Machines Corp.
+#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -25,7 +27,7 @@ ROOTPATH = ../../../../..
MODULE = testsecureboot
TESTS = *.H
-BINARY_FILES = $(IMGDIR)/test_signed_container:d0be6f0399eee8ecdc3ded896ecccd2551a439f3
+BINARY_FILES = $(IMGDIR)/secureboot_signed_container:7cff7a85f0db014016a61eac856c3775cd266240
include ${ROOTPATH}/config.mk
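Review bot: `secureboot_signed_container` now has two apparent sources: this `BINARY_FILES` entry pins it to a fixed 40-hex digest, while `src/build/mkrules/hbfw/img/makefile` regenerates a file of the same name whenever `SECUREBOOT` and `SIGNING_DIR` are set. If the signing tools are not byte-reproducible, the regenerated file will not match the pinned one, and which copy ends up in the test image is not stated anywhere in the change. A comment above this line naming the authoritative source would help, for example `# prebuilt with the dev keys; the hbfw/img rule only rebuilds it for local signing tests`, with the wording to be confirmed by the author.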
diff --git a/src/usr/secureboot/base/test/secureromtest.H b/src/usr/secureboot/base/test/secureromtest.H
index c66c4b62a..9de9aaa80 100644
--- a/src/usr/secureboot/base/test/secureromtest.H
+++ b/src/usr/secureboot/base/test/secureromtest.H
@@ -5,7 +5,9 @@
/* */
/* OpenPOWER HostBoot Project */
/* */
-/* COPYRIGHT International Business Machines Corp. 2013,2014 */
+/* Contributors Listed Below - COPYRIGHT 2013,2016 */
+/* [+] International Business Machines Corp. */
+/* */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); */
/* you may not use this file except in compliance with the License. */
@@ -41,7 +43,6 @@ extern trace_desc_t* g_trac_secure;
//#define TRACUCOMP(args...) TRACFCOMP(args)
#define TRACUCOMP(args...)
-
/**********************************************************************/
/* UTILITY FUNCTIONS */
/* -- note: these functions do not commit error logs */
@@ -56,18 +57,25 @@ errlHndl_t loadSignedFile( const char * i_signedFile_name,
void unloadSignedFile( void * & io_signedFile_pageAddr,
size_t & io_signedFile_size );
-
-// @todo RTC:34080 - In future key hash will come from HW, but
-// Get the software keys that match the signed container
-void useSwKeyHash(sha2_hash_t * o_sw_key_hash);
+// secureboot_signed_container was generated using this hw hash key. If another
+// key is in pibmem, this test will always fail.
+const uint64_t hw_hash_key[] =
+{
+ 0x40d487ff7380ed6a,
+ 0xd54775d5795fea0d,
+ 0xe2f541fea9db06b8,
+ 0x466a42a320e65f75,
+ 0xb48665460017d907,
+ 0x515dc2a5f9fc5095,
+ 0x4d6ee0c9b67d219d,
+ 0xfb7085351d01d6d1
+};
/**********************************************************************/
/* End of UTILITY FUNCTIONS */
/**********************************************************************/
-
-
class SecureROMTest : public CxxTest::TestSuite
{
public:
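Review bot: The comment on `hw_hash_key` says the test fails when a different key is in pibmem, but `test_verify` copies this array over `l_sRom.iv_hash_key` right after `initializeSecureROM()`, and `verifyContainer` takes `hw_key_hash` from `iv_hash_key`. As written the hardware value looks overridden rather than used, so either the comment or the override is stale. If the override is intended, wording such as `// secureboot_signed_container was signed with keys hashing to this value; test_verify overrides iv_hash_key with it.` would describe it more accurately. The comment would also do well to state that this is the development-key hash, so nobody mistakes it for a production value.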
@@ -82,11 +90,11 @@ class SecureROMTest : public CxxTest::TestSuite
errlHndl_t l_errl = NULL;
/*******************************************************************/
- /* Load "test_signed_container" from PNOR to use for verification */
+ /* Load "secureboot_signed_container" from PNOR to use for verification */
/*******************************************************************/
// Signed file variables
- const char * signedFile_name = "test_signed_container";
+ const char * signedFile_name = "secureboot_signed_container";
void * signedFile_pageAddr = NULL;
size_t signedFile_size = 0;
@@ -106,14 +114,6 @@ class SecureROMTest : public CxxTest::TestSuite
"signedFile info: addr = %p, size=0x%x",
signedFile_pageAddr, signedFile_size);
-
-
- /*******************************************************************/
- /* @todo RTC:34080 - In future key hash will come from HW, but */
- /* for now, create and initialize a local SecureROM class and */
- /* and then override the hash key variable to use the SW Key Hash */
- /* for the test_signed_container */
- /*******************************************************************/
SecureROM l_sRom;
// Call initializeSecureROM()
@@ -126,9 +126,8 @@ class SecureROMTest : public CxxTest::TestSuite
return;
}
- // Use Utility Function to load software keys into iv_hash_key
- useSwKeyHash( & l_sRom.iv_hash_key);
-
+ // Set hw hash key
+ memcpy (& l_sRom.iv_hash_key, &hw_hash_key, sizeof(sha2_hash_t));
/*******************************************************************/
/* Call verify function */
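Review bot: The `memcpy` copies `sizeof(sha2_hash_t)` bytes out of `hw_hash_key`, whose size is fixed separately by its eight-element initializer, and nothing ties the two together. If `sha2_hash_t` is ever not 64 bytes, the copy either reads past the array or leaves part of the hash unset. A compile-time check that `sizeof(hw_hash_key) == sizeof(sha2_hash_t)` placed next to the array definition would pin the assumption. `&hw_hash_key` can also be written as plain `hw_hash_key`.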
@@ -147,9 +146,8 @@ class SecureROMTest : public CxxTest::TestSuite
return;
}
-
/*******************************************************************/
- /* Unload "test_signed_container" from memory */
+ /* Unload "secureboot_signed_container" from memory */
/*******************************************************************/
if ( signedFile_pageAddr != NULL )
{
@@ -157,17 +155,14 @@ class SecureROMTest : public CxxTest::TestSuite
}
TRACFCOMP(g_trac_secure,EXIT_MRK"SecureROMTest::test_verify");
-
};
-
};
-
/**********************************************************************/
/* UTILITY FUNCTIONS */
/**********************************************************************/
-// Moved test_signed_container from PNOR to paged-in memory
+// Moved secureboot_signed_container from PNOR to paged-in memory
errlHndl_t loadSignedFile( const char * i_signedFile_name,
void * & o_signedFile_pageAddr,
size_t & o_signedFile_size )
@@ -176,7 +171,6 @@ errlHndl_t loadSignedFile( const char * i_signedFile_name,
errlHndl_t l_errl = NULL;
const char * l_signedFile_virtAddr = NULL;
-
/*******************************************************************/
/* Load file from PNOR to use for verification */
/*******************************************************************/
@@ -203,7 +197,6 @@ errlHndl_t loadSignedFile( const char * i_signedFile_name,
return l_errl;
}
-
// Request contiguous memory block to copy in file
size_t l_num_pages = ALIGN_PAGE(o_signedFile_size)/PAGESIZE;
bool l_isUserspace = true;
@@ -226,7 +219,6 @@ errlHndl_t loadSignedFile( const char * i_signedFile_name,
void unloadSignedFile( void * & io_signedFile_pageAddr,
size_t & io_signedFile_size )
{
-
// Determine number of pages to be freed
size_t l_num_pages = ALIGN_PAGE(io_signedFile_size)/PAGESIZE;
@@ -239,35 +231,6 @@ void unloadSignedFile( void * & io_signedFile_pageAddr,
TRACUCOMP(g_trac_secure, "unloadSignedFile()> "
"Info: sF_pA=%p, size=0x%x (pages=%d)",
io_signedFile_pageAddr, io_signedFile_size, l_num_pages);
-
}
-
-// @todo RTC:34080 - In future key hash will come from HW, but
-// Get the software keys that match the signed container
-void useSwKeyHash(sha2_hash_t * o_sw_key_hash)
-{
-
-
- /* On HW hw_key_hash will be pulled from SBE's SEEPROM or PIB Memory */
-
- /* For simics/testing, we're hardcoding the value from Dale */
- /* Peterson here, which I've stored here: */
- /* /gsa/rchgsa-h1/00/baiocchi/HB/Story_Notes/Story_64764/ */
- /* Secure_ROM_Files/HB_SW_Files/hdwkeyHash */
-
- /* Dale's files' hw-hash-key */
- uint64_t l_hdwkeyHash[] = { 0x6c8206fa4f551088, 0xc8c23af693ed242d,
- 0x96824dac71bccf07, 0x73abb342d4bb932f,
- 0x9a9a8d72fbf28202, 0xd89fa8fad5658959,
- 0xc89ccf0d0205b8ca, 0x2071ba27e18ae0f8
- };
-
- // Copy l_hdwkeyHash into sha2_hash_t
- memcpy (o_sw_key_hash, &l_hdwkeyHash, sizeof(sha2_hash_t));
-
- return;
-}
-
-
#endif