Diffstat (limited to 'src')
-rw-r--r-- | src/include/usr/util/utilmclmgr.H | 25 | ||||
-rw-r--r-- | src/usr/isteps/istep21/call_host_runtime_setup.C | 57 | ||||
-rw-r--r-- | src/usr/secureboot/base/securerommgr.C | 2 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/tpmLogMgr.C | 3 | ||||
-rw-r--r-- | src/usr/util/utilmclmgr.C | 49 |
5 files changed, 94 insertions, 42 deletions
diff --git a/src/include/usr/util/utilmclmgr.H b/src/include/usr/util/utilmclmgr.H index 1d47523b4..82ef6f2ed 100644 --- a/src/include/usr/util/utilmclmgr.H +++ b/src/include/usr/util/utilmclmgr.H @@ -48,6 +48,7 @@ typedef char CompIdString[17]; // Constants to simplify checking for the MCL and POWERVM comp ids extern const ComponentID g_MclCompId; extern const ComponentID g_PowervmCompId; +extern const ComponentID g_OpalCompId; // @enum Permission Types for MCL Component enum class CompFlags : uint16_t @@ -255,6 +256,17 @@ class MasterContainerLidMgr */ errlHndl_t processComponents(); + /** + * @brief TPM extend information for secure components + * + * @param[in] i_compId - Component Id + * @param[in] i_conHdr - Container header with information to extend + * + * @return Error handle if error + */ + static errlHndl_t tpmExtend(const ComponentID& i_compId, + const SECUREBOOT::ContainerHeader& i_conHdr); + protected: /** @@ -358,17 +370,6 @@ class MasterContainerLidMgr errlHndl_t verifyExtend(const ComponentID& i_compId, CompInfo& io_compInfo); - /** - * @brief TPM extend information for secure components - * - * @param[in] i_compId - Component Id - * @param[in] i_conHdr - Container header with information to extend - * - * @return Error handle if error - */ - errlHndl_t tpmExtend(const ComponentID& i_compId, - const SECUREBOOT::ContainerHeader& i_conHdr) const; - // Physical addresses reserved for the MCL itself uint64_t iv_mclAddr; @@ -408,4 +409,4 @@ class MasterContainerLidMgr } // end namespace MCL -#endif
\ No newline at end of file +#endif diff --git a/src/usr/isteps/istep21/call_host_runtime_setup.C b/src/usr/isteps/istep21/call_host_runtime_setup.C index 73bf8cd26..b91e83fd3 100644 --- a/src/usr/isteps/istep21/call_host_runtime_setup.C +++ b/src/usr/isteps/istep21/call_host_runtime_setup.C @@ -38,9 +38,11 @@ #include <targeting/common/util.H> #include <vpd/vpd_if.H> #include <util/utiltce.H> +#include <util/utilmclmgr.H> #include <map> #include <secureboot/service.H> +#include <secureboot/containerheader.H> #include <sys/mm.h> //SBE interfacing #include <sbeio/sbeioif.H> @@ -115,6 +117,12 @@ errlHndl_t verifyAndMovePayload(void) break; } + // Setup componend IDs and strings + const MCL::ComponentID l_compId = is_phyp ? MCL::g_PowervmCompId + : MCL::g_OpalCompId; + MCL::CompIdString l_IdStr = {}; + MCL::compIdToString(l_compId, l_IdStr); + // Get Temporary Virtual Address To Payload uint64_t payload_tmp_phys_addr = MCL_TMP_ADDR; uint64_t payload_size = MCL_TMP_SIZE; @@ -136,9 +144,23 @@ errlHndl_t verifyAndMovePayload(void) } TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace,"verifyAndMovePayload() " - "Processing PAYLOAD_KIND = %d (is_phyp=%d): " + "Processing PAYLOAD_KIND = %d (Id='%s') (is_phyp=%d): " "physAddr=0x%.16llX, virtAddr=0x%.16llX", - payload_kind, is_phyp, payload_tmp_phys_addr, payload_tmp_virt_addr ); + payload_kind, l_IdStr, is_phyp, payload_tmp_phys_addr, + payload_tmp_virt_addr ); + + + // Parse Container Header + SECUREBOOT::ContainerHeader l_conHdr; + l_err = l_conHdr.setHeader(payload_tmp_virt_addr); + if (l_err) + { + TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace, + ERR_MRK"verifyAndMovePayload(): Fail to parse container " + "header at payload_tmp_virt_addr = 0x%.16llX", + payload_tmp_virt_addr); + break; + } // If in Secure Mode Verify PHYP at Temporary TCE-related Memory Location if (SECUREBOOT::enabled() && is_phyp) 
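Review bot: `l_conHdr.setHeader(payload_tmp_virt_addr)` is called before `SECUREBOOT::verifyContainer` and outside the `SECUREBOOT::enabled() && is_phyp` check, so the header parser runs on bytes that have not been signature-checked, for every payload kind. Anything read from `l_conHdr` before the verify call should be treated as untrusted; a comment above the parse such as `// Header fields are untrusted until verifyContainer() succeeds below` would keep later edits from relying on them early. The hunk does not show whether a non-secure OPAL payload always carries a container header; if it may not, the new `break` turns a previously bootable image into an istep failure. `verifyAndMovePayload` begins and ends outside this hunk.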
@@ -147,6 +169,7 @@ errlHndl_t verifyAndMovePayload(void) "Verifying PAYLOAD: physAddr=0x%.16llX, virtAddr=0x%.16llX", payload_tmp_phys_addr, payload_tmp_virt_addr ); + // Verify Container l_err = SECUREBOOT::verifyContainer(payload_tmp_virt_addr); if (l_err) { @@ -156,12 +179,35 @@ errlHndl_t verifyAndMovePayload(void) SECUREBOOT::handleSecurebootFailure(l_err); assert(false,"Bug! handleSecurebootFailure shouldn't return!"); } + + // Get PAYLOAD size from verified Header + payload_size = l_conHdr.payloadTextSize() + PAGESIZE; + assert(payload_size <= MCL_TMP_SIZE, "verifyAndMovePayload payload_size 0x%X must be <= MCL_TMP_SIZE (0x%X)", payload_size, MCL_TMP_SIZE ); + + // Verify ASCII Component Id in the Secure Header matches expected value + l_err = SECUREBOOT::verifyComponentId(l_conHdr, l_IdStr); + if (l_err) + { + TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace, + ERR_MRK"verifyAndMovePayload(): Fail to verify component" + "Id %s in header at payload_tmp_virt_addr = 0x%.16llX", + l_IdStr, payload_tmp_virt_addr); + break; + } } - // @TODO RTC 168745 - Verify Component ID with ASCII - // @TODO RTC 168745 - Extend PAYLOAD + // Extend PAYLOAD + l_err = MCL::MasterContainerLidMgr::tpmExtend(l_compId, l_conHdr); + if (l_err) + { + TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace, + ERR_MRK"verifyAndMovePayload(): Fail to tpmExend " + "Id %s in header at payload_tmp_virt_addr = 0x%.16llX", + l_IdStr, payload_tmp_virt_addr); + break; + } - // Move PHYP to Final Location + // Move PAYLOAD to Final Location // Get Target Service, and the system target. TargetService& tS = targetService(); TARGETING::Target* sys = nullptr; @@ -186,7 +232,6 @@ errlHndl_t verifyAndMovePayload(void) payload_size -= PAGESIZE; } - // @TODO RTC 168745 - Use ContainerHeader to get accurate payload size payloadBase_virt_addr = mm_block_map( reinterpret_cast<void*>(payloadBase), payload_size); 
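Review bot: `MCL::MasterContainerLidMgr::tpmExtend(l_compId, l_conHdr)` sits after the closing brace of the `SECUREBOOT::enabled() && is_phyp` block, so for an OPAL payload, or with secure boot off, the values extended into the TPM come from a header that nothing has verified. Judging by the trace strings in `tpmExtend` (payload text hash, FW key hash), the measurement appears to be copied from the header rather than computed over the payload, so it records what the image claims and not necessarily what was loaded. If that is the intended trusted-boot behaviour, state it at the call, e.g. `// Header is unverified unless secure mode checked it above; extend records header-claimed hashes`, and repeat the caveat in the now-public declaration's doc comment in utilmclmgr.H. Separately, the new assert formats the 64-bit `payload_size` with `0x%X` while the traces in this function use `0x%.16llX`; using `0x%.16llX` for `payload_size` keeps the failure message from showing a truncated value.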
diff --git a/src/usr/secureboot/base/securerommgr.C b/src/usr/secureboot/base/securerommgr.C index 02eca6293..17becb6b6 100644 --- a/src/usr/secureboot/base/securerommgr.C +++ b/src/usr/secureboot/base/securerommgr.C @@ -104,7 +104,7 @@ errlHndl_t verifyComponentId( TRACFCOMP(g_trac_secure,ERR_MRK"SECUREROM::verifyComponentId: " "Secure Boot verification failure; container's component ID of " "[%s] does not match expected component ID of [%s] (truncated " - "from [%s]", + "from [%s])", i_containerHeader.componentId(), pTruncatedComponentId, i_pComponentId); diff --git a/src/usr/secureboot/trusted/tpmLogMgr.C b/src/usr/secureboot/trusted/tpmLogMgr.C index 625c6261a..855d02b5a 100644 --- a/src/usr/secureboot/trusted/tpmLogMgr.C +++ b/src/usr/secureboot/trusted/tpmLogMgr.C @@ -5,7 +5,7 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* Contributors Listed Below - COPYRIGHT 2015,2017 */ +/* Contributors Listed Below - COPYRIGHT 2015,2018 */ /* [+] International Business Machines Corp. */ /* */ /* */ @@ -595,6 +595,7 @@ namespace TRUSTEDBOOT memset(i_val->eventLogInMem, 0, i_maxSize); memcpy(i_val->eventLogInMem, i_val->eventLog, i_val->logSize); i_val->newEventPtr = i_val->eventLogInMem + i_val->logSize; + i_val->logMaxSize = i_maxSize; mutex_unlock( &i_val->logMutex ); diff --git a/src/usr/util/utilmclmgr.C b/src/usr/util/utilmclmgr.C index bcf0432bb..a89c124b8 100644 --- a/src/usr/util/utilmclmgr.C +++ b/src/usr/util/utilmclmgr.C @@ -42,6 +42,7 @@ const size_t MclCompSectionPadSize = 16; const ComponentID g_MclCompId {"MSTCONT"}; const ComponentID g_PowervmCompId {"POWERVM"}; +const ComponentID g_OpalCompId {"OPAL"}; void compIdToString(const ComponentID i_compId, CompIdString o_compIdStr) { 
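Review bot: In tpmLogMgr.C the added `i_val->logMaxSize = i_maxSize;` records the new capacity only after `memcpy(i_val->eventLogInMem, i_val->eventLog, i_val->logSize)` has already written into the new buffer, and the hunk shows no check that `i_val->logSize <= i_maxSize`. The function starts outside the hunk, so the bound may be enforced earlier; if it is not, a guard before the `memset` is needed, otherwise the copy can run past the `i_maxSize` bytes that were just zeroed. A one-line comment on the new assignment, e.g. `// Capacity now reflects the relocated in-memory log`, would explain why the field changes here.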
@@ -605,21 +606,6 @@ errlHndl_t MasterContainerLidMgr::verifyExtend(const ComponentID& i_compId, if( (io_compInfo.flags & CompFlags::SIGNED_PRE_VERIFY) == CompFlags::SIGNED_PRE_VERIFY) { - // Only verify the lids if in secure mode - if (SECUREBOOT::enabled()) - { - // Verify Container - some combination of Lids - - l_errl = SECUREBOOT::verifyContainer(iv_pVaddr, - extractLidIds(io_compInfo.lidIds)); - if (l_errl) - { - UTIL_FT(ERR_MRK"MasterContainerLidMgr::verifyExtend - failed verifyContainer"); - SECUREBOOT::handleSecurebootFailure(l_errl); - assert(false,"Bug! handleSecurebootFailure shouldn't return!"); - } - } - // Parse Container Header SECUREBOOT::ContainerHeader l_conHdr; l_errl = l_conHdr.setHeader(iv_pVaddr); @@ -635,15 +621,34 @@ errlHndl_t MasterContainerLidMgr::verifyExtend(const ComponentID& i_compId, io_compInfo.unprotectedSize = l_conHdr.totalContainerSize() - l_conHdr.payloadTextSize(); - // Verify the component in the Secure Header matches the MCL - l_errl = SECUREBOOT::verifyComponentId(l_conHdr, iv_curCompIdStr); + // Only verify the lids if in secure mode + if (SECUREBOOT::enabled()) + { + // Verify Container - some combination of Lids + l_errl = SECUREBOOT::verifyContainer(iv_pVaddr, + extractLidIds(io_compInfo.lidIds)); + if (l_errl) + { + UTIL_FT(ERR_MRK"MasterContainerLidMgr::verifyExtend - failed verifyContainer"); + SECUREBOOT::handleSecurebootFailure(l_errl); + assert(false,"Bug! handleSecurebootFailure shouldn't return!"); + } + + // Verify the component in the Secure Header matches the MCL + l_errl = SECUREBOOT::verifyComponentId(l_conHdr, iv_curCompIdStr); + if (l_errl) + { + l_errl->collectTrace(UTIL_COMP_NAME); + break; + } + } + + l_errl = tpmExtend(i_compId, l_conHdr); if (l_errl) { l_errl->collectTrace(UTIL_COMP_NAME); break; } - - tpmExtend(i_compId, l_conHdr); } } while(0); 
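Review bot: `SECUREBOOT::verifyComponentId(l_conHdr, iv_curCompIdStr)` used to run for every pre-verified component and is now inside `if (SECUREBOOT::enabled())`, so with secure boot off a container whose header names a different component than the MCL entry is accepted and then passed to `tpmExtend`. If the trusted-boot log is meant to be meaningful without secure boot, keep the ID comparison outside the `enabled()` block; if skipping it is deliberate, say so in a comment next to the block. The context line `io_compInfo.unprotectedSize = l_conHdr.totalContainerSize() - l_conHdr.payloadTextSize();` also runs on header fields that are unverified at that point, so a check that the text size does not exceed the total size would cover the non-secure path where no later verify halts the boot. `verifyExtend` starts outside this hunk.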
@@ -653,7 +658,7 @@ errlHndl_t MasterContainerLidMgr::verifyExtend(const ComponentID& i_compId, } errlHndl_t MasterContainerLidMgr::tpmExtend(const ComponentID& i_compId, - const SECUREBOOT::ContainerHeader& i_conHdr) const + const SECUREBOOT::ContainerHeader& i_conHdr) { UTIL_DT(ENTER_MRK"MasterContainerLidMgr::tpmExtend"); @@ -681,7 +686,7 @@ errlHndl_t MasterContainerLidMgr::tpmExtend(const ComponentID& i_compId, if (l_errl) { UTIL_FT(ERR_MRK "MasterContainerLidMgr::tpmExtend - pcrExtend() (payload text hash) failed for component %s", - iv_curCompIdStr); + i_conHdr.componentId()); break; } @@ -694,7 +699,7 @@ errlHndl_t MasterContainerLidMgr::tpmExtend(const ComponentID& i_compId, if (l_errl) { UTIL_FT(ERR_MRK "MasterContainerLidMgr::tpmExtend - pcrExtend() (FW key hash) failed for component %s", - iv_curCompIdStr); + i_conHdr.componentId()); break; } |
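Review bot: The payload-text-hash failure trace in `tpmExtend` now prints `i_conHdr.componentId()`, a string read from the container header, instead of the ID the caller asked to extend; on paths where the header was not verified the log can name a different component than `i_compId`. Since the function is static and can no longer use `iv_curCompIdStr`, converting the parameter keeps the trace tied to the expected ID: `CompIdString l_compIdStr = {}; compIdToString(i_compId, l_compIdStr);` and pass `l_compIdStr` to `UTIL_FT`. The same applies to the FW key hash trace in the last hunk. Most of the body of `tpmExtend` lies outside these hunks.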