diff options
Diffstat (limited to 'src/usr/secureboot')
-rw-r--r-- | src/usr/secureboot/base/securerommgr.C | 103 | ||||
-rw-r--r-- | src/usr/secureboot/base/securerommgr.H | 45 |
2 files changed, 138 insertions, 10 deletions
diff --git a/src/usr/secureboot/base/securerommgr.C b/src/usr/secureboot/base/securerommgr.C index 28d254d2c..3c9e28db6 100644 --- a/src/usr/secureboot/base/securerommgr.C +++ b/src/usr/secureboot/base/securerommgr.C @@ -39,11 +39,19 @@ #include <secureboot/settings.H> #include <config.h> #include <console/consoleif.H> +#include <array> // Quick change for unit testing //#define TRACUCOMP(args...) TRACFCOMP(args) #define TRACUCOMP(args...) +// Definition in ROM.H +const std::array<sbFuncType_t, SB_FUNC_TYPES::MAX_TYPES> SecRomFuncTypes = +{ + SB_FUNC_TYPES::SHA512, + SB_FUNC_TYPES::ECDSA521 +}; + namespace SECUREBOOT { @@ -113,6 +121,18 @@ void getHwKeyHash(sha2_hash_t o_hash) } } +sbFuncVer_t getSecRomFuncVersion(const sbFuncType_t i_funcType) +{ + return Singleton<SecureRomManager>::instance(). + getSecRomFuncVersion(i_funcType); +} + +uint64_t getSecRomFuncOffset(const sbFuncType_t i_funcType) +{ + return Singleton<SecureRomManager>::instance(). + getSecRomFuncOffset(i_funcType); +} + }; //end SECUREBOOT namespace /******************** @@ -218,8 +238,24 @@ errlHndl_t SecureRomManager::initialize() /***************************************************************/ SecureRomManager::getHwKeyHash(); + TRACDCOMP(g_trac_secure,INFO_MRK"SecureRomManager::initialize(): SUCCESSFUL:" - " iv_securerom=%p", iv_securerom); + " iv_securerom=%p", iv_securerom); + +#ifdef HOSTBOOT_DEBUG + TRACFCOMP(g_trac_secure,">> iv_SecRomFuncTypeOffset Map"); + for (auto const &funcType : iv_SecRomFuncTypeOffset) + { + TRACFCOMP(g_trac_secure,">>>> Func Type = 0x%X", + funcType.first); + for (auto const &version : funcType.second) + { + TRACFCOMP(g_trac_secure,">>>>>> Version = 0x%X, Offset = 0x%X", + version.first, version.second); + } + } + TRACFCOMP(g_trac_secure,"<<<< iv_SecRomFuncTypeOffset map"); +#endif }while(0); @@ -282,9 +318,8 @@ errlHndl_t SecureRomManager::verifyContainer(void * i_container, // Set startAddr to ROM_verify() function at an offset of Secure ROM uint64_t l_rom_verify_startAddr = - reinterpret_cast<uint64_t>(iv_securerom) - + g_BlToHbDataManager.getBranchtableOffset() - + ROM_VERIFY_FUNCTION_OFFSET; + reinterpret_cast<uint64_t>(iv_securerom) + + getSecRomFuncOffset(SB_FUNC_TYPES::ECDSA521); TRACUCOMP(g_trac_secure,"SecureRomManager::verifyContainer(): " " Calling ROM_verify() via call_rom_verify: l_rc=0x%x, " @@ -292,7 +327,8 @@ errlHndl_t SecureRomManager::verifyContainer(void * i_container, l_rc, l_hw_parms.log, &l_hw_parms, l_rom_verify_startAddr, iv_securerom); - ROM_container_raw* l_container = reinterpret_cast<ROM_container_raw*>(i_container); + ROM_container_raw* l_container = reinterpret_cast<ROM_container_raw*>( + i_container); l_rc = call_rom_verify(reinterpret_cast<void*> (l_rom_verify_startAddr), l_container, @@ -366,9 +402,8 @@ void SecureRomManager::hashBlob(const void * i_blob, size_t i_size, SHA512_t o_b // Set startAddr to ROM_SHA512() function at an offset of Secure ROM uint64_t l_rom_SHA512_startAddr = - reinterpret_cast<uint64_t>(iv_securerom) - + g_BlToHbDataManager.getBranchtableOffset() - + SHA512_HASH_FUNCTION_OFFSET; + reinterpret_cast<uint64_t>(iv_securerom) + + getSecRomFuncOffset(SB_FUNC_TYPES::SHA512); call_rom_SHA512(reinterpret_cast<void*>(l_rom_SHA512_startAddr), reinterpret_cast<const sha2_byte*>(i_blob), @@ -441,3 +476,55 @@ void SecureRomManager::getHwKeyHash(sha2_hash_t o_hash) memcpy(o_hash, iv_key_hash, sizeof(sha2_hash_t)); } } + +const SecureRomManager::SecRomFuncTypeOffsetMap_t + SecureRomManager::iv_SecRomFuncTypeOffset = +{ + // SHA512 Hash Function + { SB_FUNC_TYPES::SHA512, + { + { SB_FUNC_VERS::SHA512_INIT, + g_BlToHbDataManager.getBranchtableOffset() + + SHA512_HASH_FUNCTION_OFFSET + } + } + } , + // ECDSA521 Verify Function + { SB_FUNC_TYPES::ECDSA521, + { + { SB_FUNC_VERS::ECDSA521_INIT, + g_BlToHbDataManager.getBranchtableOffset() + + ROM_VERIFY_FUNCTION_OFFSET + } + } + } +}; + +sbFuncVer_t SecureRomManager::getSecRomFuncVersion(const sbFuncType_t + i_funcType) const +{ + sbFuncVer_t l_funcVer = SB_FUNC_TYPES::INVALID; + + switch (i_funcType) + { + case SB_FUNC_TYPES::SHA512: + l_funcVer = iv_curSHA512Ver; + break; + case SB_FUNC_TYPES::ECDSA521: + l_funcVer = iv_curECDSA521Ver; + break; + default: + assert(false, "getCurFuncVer:: Function type 0x%X not supported", i_funcType); + break; + } + + return l_funcVer; +} + +uint64_t SecureRomManager::getSecRomFuncOffset(const sbFuncType_t i_funcType) + const +{ + sbFuncVer_t l_funcVer = getSecRomFuncVersion(i_funcType); + + return iv_SecRomFuncTypeOffset.at(i_funcType).at(l_funcVer); +} diff --git a/src/usr/secureboot/base/securerommgr.H b/src/usr/secureboot/base/securerommgr.H index 3cbd0fc77..5b3d1ce50 100644 --- a/src/usr/secureboot/base/securerommgr.H +++ b/src/usr/secureboot/base/securerommgr.H @@ -29,6 +29,7 @@ #include <errl/errlentry.H> #include <securerom/ROM.H> #include <utility> +#include <map> typedef std::vector< std::pair<void*,size_t> > blobPair_t; @@ -47,7 +48,6 @@ class SecureRomManager */ errlHndl_t initialize(); - /** * @brief Verify Container against system hash keys * @@ -103,6 +103,26 @@ class SecureRomManager */ bool isValid(); + /* + * @brief Get offset of function from the start of the SecureROM + * + * @param[in] i_funcType Secure Boot function type to get version of + * + * @return uint64_t - offset of the function + */ + sbFuncVer_t getSecRomFuncVersion(const sbFuncType_t i_funcType) const; + + /* + * @brief Get offset of function from the start of the SecureROM + * + * + * @param[in] i_funcType Secure Boot function type to get offset of + * + * @return uint64_t - offset of the function + */ + uint64_t getSecRomFuncOffset(const sbFuncType_t i_funcType) const; + + protected: /** @@ -110,7 +130,9 @@ class SecureRomManager */ SecureRomManager():iv_securerom(nullptr), iv_secureromValid(false), - iv_key_hash(nullptr) {} + iv_key_hash(nullptr), + iv_curSHA512Ver(SB_FUNC_VERS::SHA512_INIT), + iv_curECDSA521Ver(SB_FUNC_VERS::ECDSA521_INIT) {} /** * @brief Destructor @@ -138,6 +160,25 @@ class SecureRomManager */ const sha2_hash_t* iv_key_hash; + /** + * @brief Map to find verify SecureROM function types and their + * respective versions and offsets. + * + * Description: Nested Map where key is the function type and the + * value is a map of versions to offsets + * + */ + // Type of nest map in SecRomFuncTypeOffset + typedef std::map<sbFuncVer_t, uint64_t> FuncVerToOffsetMap_t; + typedef std::map<sbFuncType_t, FuncVerToOffsetMap_t > SecRomFuncTypeOffsetMap_t; + static const SecRomFuncTypeOffsetMap_t iv_SecRomFuncTypeOffset; + + // SHA512 function version + sbFuncVer_t iv_curSHA512Ver; + + // ECDSA521 function version + sbFuncVer_t iv_curECDSA521Ver; + /******************************************** * Private Functions ********************************************/ |