Diffstat (limited to 'src/usr/runtime')
-rw-r--r-- | src/usr/runtime/common/runtime_utils.C | 4 | ||||
-rw-r--r-- | src/usr/runtime/populate_hbruntime.C | 13 | ||||
-rw-r--r-- | src/usr/runtime/test/testpreverifiedlidmgr.H | 11 |
3 files changed, 18 insertions, 10 deletions
diff --git a/src/usr/runtime/common/runtime_utils.C b/src/usr/runtime/common/runtime_utils.C index 7b900389f..d87847f85 100644 --- a/src/usr/runtime/common/runtime_utils.C +++ b/src/usr/runtime/common/runtime_utils.C @@ -27,11 +27,11 @@ namespace RUNTIME { -// -- Verified Images +// -- Images expected to have secure headers // -- OCC // -- WOFDATA // -- HCODE -// -- Non-verified Images +// -- Images that never have secure headers /// -- RINGOVD const PreVerifyVector preVerifiedPnorSections { {PNOR::OCC, true}, diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C index eb7a5a7b5..2c97ac2f7 100644 --- a/src/usr/runtime/populate_hbruntime.C +++ b/src/usr/runtime/populate_hbruntime.C @@ -557,7 +557,7 @@ errlHndl_t fill_RsvMem_hbData(uint64_t & io_start_address, } errlHndl_t hbResvLoadSecureSection (const PNOR::SectionId i_sec, - bool i_verified) + const bool i_secHdrExpected) { TRACFCOMP( g_trac_runtime,ENTER_MRK"hbResvloadSecureSection() sec %s", PNOR::SectionIdToString(i_sec)); @@ -603,16 +603,21 @@ errlHndl_t hbResvLoadSecureSection (const PNOR::SectionId i_sec, auto l_pnorVaddr = l_info.vaddr; auto l_imgSize = l_info.size; - // If section is signed, only the protected size was loaded into memory - if (i_verified) + // Check if the section is expected to have a secure header regardless + // of compile options + if (i_secHdrExpected) { #ifdef CONFIG_SECUREBOOT + // If section is signed, only the protected size was loaded into memory l_imgSize = l_info.secureProtectedPayloadSize; // Include secure header + // NOTE: we do not preserve the header in virtual memory when SB + // is compiled out. So "-PAGESIZE" only works when SB is compiled in l_pnorVaddr -= PAGESIZE; #endif // Add size for secure header. - // NOTE: if SB compiled out, a header will be injected later + // NOTE: if SB compiled out, a header will be injected later so + // preserve space for the header. l_imgSize += PAGESIZE; } 
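Review bot: In the second populate_hbruntime.C hunk, a build without CONFIG_SECUREBOOT leaves `l_pnorVaddr` and `l_imgSize` describing different things. `l_imgSize += PAGESIZE` sits after the `#endif` and so runs in both builds, while `l_pnorVaddr -= PAGESIZE` runs only when SB is compiled in. With SB compiled out, the size therefore includes a header page that, per the new NOTE, is not present at that address. The rest of hbResvLoadSecureSection is outside the hunk, so whether every later use of the pair accounts for this cannot be checked here; if anything reads `l_imgSize` bytes starting at `l_pnorVaddr` before the header is injected, it would run one page past the section. I would state the invariant where the size is bumped, e.g. `// SB compiled out: l_imgSize reserves a header page that is NOT at l_pnorVaddr; only l_info.size bytes are readable from it`, or keep the reserved size in a separate variable from the readable length.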
diff --git a/src/usr/runtime/test/testpreverifiedlidmgr.H b/src/usr/runtime/test/testpreverifiedlidmgr.H index 26879574e..47ba6c61b 100644 --- a/src/usr/runtime/test/testpreverifiedlidmgr.H +++ b/src/usr/runtime/test/testpreverifiedlidmgr.H @@ -98,14 +98,17 @@ class PreVerifiedLidMgrTest : public CxxTest::TestSuite break; } - // Each section has 2 lids each (Header, Content) except the RINGOVD - // section. It only has 1 or is inhibited in secure mode + // Each section has 2 lids each (Header, Content) + // Note: even the RINGOVD section adds a Header element, although it is + // INVALID_LID + // See runtime_utils.C for full list of PNOR sections and utillidpnor.C + // for the mappings (PnorToLidsMap) size_t l_numSections = RUNTIME::preVerifiedPnorSections.size(); - // See utillidpnor.C for more info on num of lids size_t l_expectedLids = (2 * l_numSections); if (SECUREBOOT::enabled()) { - // RINGOVD not permitted in secure mode + // RINGOVD not permitted in secure mode. Meaning the Header and + // Content lid will be missing. l_expectedLids -= 2; } |