Diffstat (limited to 'src')
-rw-r--r--src/include/usr/util/utilmclmgr.H25
-rw-r--r--src/usr/isteps/istep21/call_host_runtime_setup.C57
-rw-r--r--src/usr/secureboot/base/securerommgr.C2
-rw-r--r--src/usr/secureboot/trusted/tpmLogMgr.C3
-rw-r--r--src/usr/util/utilmclmgr.C49
5 files changed, 94 insertions, 42 deletions
diff --git a/src/include/usr/util/utilmclmgr.H b/src/include/usr/util/utilmclmgr.H
index 1d47523b4..82ef6f2ed 100644
--- a/src/include/usr/util/utilmclmgr.H
+++ b/src/include/usr/util/utilmclmgr.H
@@ -48,6 +48,7 @@ typedef char CompIdString[17];
// Constants to simplify checking for the MCL and POWERVM comp ids
extern const ComponentID g_MclCompId;
extern const ComponentID g_PowervmCompId;
+extern const ComponentID g_OpalCompId;
// @enum Permission Types for MCL Component
enum class CompFlags : uint16_t
@@ -255,6 +256,17 @@ class MasterContainerLidMgr
*/
errlHndl_t processComponents();
+ /**
+ * @brief TPM extend information for secure components
+ *
+ * @param[in] i_compId - Component Id
+ * @param[in] i_conHdr - Container header with information to extend
+ *
+ * @return Error handle if error
+ */
+ static errlHndl_t tpmExtend(const ComponentID& i_compId,
+ const SECUREBOOT::ContainerHeader& i_conHdr);
+
protected:
/**
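Review bot: The doc comment on the now-public static `tpmExtend` does not state what the caller must have done to `i_conHdr` beforehand. Nothing visible in this commit shows tpmExtend verifying the container itself, so a caller outside the class can extend values from a header that was only parsed. I would add a line such as `@note Does not verify the container; in secure mode callers must run SECUREBOOT::verifyContainer() first`, and say whether `i_compId` is expected to match the header's component ID.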
@@ -358,17 +370,6 @@ class MasterContainerLidMgr
errlHndl_t verifyExtend(const ComponentID& i_compId,
CompInfo& io_compInfo);
- /**
- * @brief TPM extend information for secure components
- *
- * @param[in] i_compId - Component Id
- * @param[in] i_conHdr - Container header with information to extend
- *
- * @return Error handle if error
- */
- errlHndl_t tpmExtend(const ComponentID& i_compId,
- const SECUREBOOT::ContainerHeader& i_conHdr) const;
-
// Physical addresses reserved for the MCL itself
uint64_t iv_mclAddr;
@@ -408,4 +409,4 @@ class MasterContainerLidMgr
} // end namespace MCL
-#endif \ No newline at end of file
+#endif
diff --git a/src/usr/isteps/istep21/call_host_runtime_setup.C b/src/usr/isteps/istep21/call_host_runtime_setup.C
index 73bf8cd26..b91e83fd3 100644
--- a/src/usr/isteps/istep21/call_host_runtime_setup.C
+++ b/src/usr/isteps/istep21/call_host_runtime_setup.C
@@ -38,9 +38,11 @@
#include <targeting/common/util.H>
#include <vpd/vpd_if.H>
#include <util/utiltce.H>
+#include <util/utilmclmgr.H>
#include <map>
#include <secureboot/service.H>
+#include <secureboot/containerheader.H>
#include <sys/mm.h>
//SBE interfacing
#include <sbeio/sbeioif.H>
@@ -115,6 +117,12 @@ errlHndl_t verifyAndMovePayload(void)
break;
}
+ // Setup componend IDs and strings
+ const MCL::ComponentID l_compId = is_phyp ? MCL::g_PowervmCompId
+ : MCL::g_OpalCompId;
+ MCL::CompIdString l_IdStr = {};
+ MCL::compIdToString(l_compId, l_IdStr);
+
// Get Temporary Virtual Address To Payload
uint64_t payload_tmp_phys_addr = MCL_TMP_ADDR;
uint64_t payload_size = MCL_TMP_SIZE;
@@ -136,9 +144,23 @@ errlHndl_t verifyAndMovePayload(void)
}
TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace,"verifyAndMovePayload() "
- "Processing PAYLOAD_KIND = %d (is_phyp=%d): "
+ "Processing PAYLOAD_KIND = %d (Id='%s') (is_phyp=%d): "
"physAddr=0x%.16llX, virtAddr=0x%.16llX",
- payload_kind, is_phyp, payload_tmp_phys_addr, payload_tmp_virt_addr );
+ payload_kind, l_IdStr, is_phyp, payload_tmp_phys_addr,
+ payload_tmp_virt_addr );
+
+
+ // Parse Container Header
+ SECUREBOOT::ContainerHeader l_conHdr;
+ l_err = l_conHdr.setHeader(payload_tmp_virt_addr);
+ if (l_err)
+ {
+ TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace,
+ ERR_MRK"verifyAndMovePayload(): Fail to parse container "
+ "header at payload_tmp_virt_addr = 0x%.16llX",
+ payload_tmp_virt_addr);
+ break;
+ }
// If in Secure Mode Verify PHYP at Temporary TCE-related Memory Location
if (SECUREBOOT::enabled() && is_phyp)
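Review bot: `l_conHdr.setHeader(payload_tmp_virt_addr)` now runs on the staged payload before `SECUREBOOT::verifyContainer` is called in the block that follows, so the header parser sees bytes that have not been authenticated yet. The same ordering is introduced in `MasterContainerLidMgr::verifyExtend` in utilmclmgr.C, where the sizes written to `io_compInfo` are derived from the header ahead of the verify call. If setHeader is not already written to reject malformed or oversized fields, either parse after verification in secure mode or add a comment at both sites such as `// setHeader() runs on unverified data and must bounds-check every field`. A payload without a container header will also take the new `break` path here, which appears to be new behaviour for the non-PHYP case; the function body continues outside the hunk.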
@@ -147,6 +169,7 @@ errlHndl_t verifyAndMovePayload(void)
"Verifying PAYLOAD: physAddr=0x%.16llX, virtAddr=0x%.16llX",
payload_tmp_phys_addr, payload_tmp_virt_addr );
+ // Verify Container
l_err = SECUREBOOT::verifyContainer(payload_tmp_virt_addr);
if (l_err)
{
@@ -156,12 +179,35 @@ errlHndl_t verifyAndMovePayload(void)
SECUREBOOT::handleSecurebootFailure(l_err);
assert(false,"Bug! handleSecurebootFailure shouldn't return!");
}
+
+ // Get PAYLOAD size from verified Header
+ payload_size = l_conHdr.payloadTextSize() + PAGESIZE;
+ assert(payload_size <= MCL_TMP_SIZE, "verifyAndMovePayload payload_size 0x%X must be <= MCL_TMP_SIZE (0x%X)", payload_size, MCL_TMP_SIZE );
+
+ // Verify ASCII Component Id in the Secure Header matches expected value
+ l_err = SECUREBOOT::verifyComponentId(l_conHdr, l_IdStr);
+ if (l_err)
+ {
+ TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace,
+ ERR_MRK"verifyAndMovePayload(): Fail to verify component"
+ "Id %s in header at payload_tmp_virt_addr = 0x%.16llX",
+ l_IdStr, payload_tmp_virt_addr);
+ break;
+ }
}
- // @TODO RTC 168745 - Verify Component ID with ASCII
- // @TODO RTC 168745 - Extend PAYLOAD
+ // Extend PAYLOAD
+ l_err = MCL::MasterContainerLidMgr::tpmExtend(l_compId, l_conHdr);
+ if (l_err)
+ {
+ TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace,
+ ERR_MRK"verifyAndMovePayload(): Fail to tpmExend "
+ "Id %s in header at payload_tmp_virt_addr = 0x%.16llX",
+ l_IdStr, payload_tmp_virt_addr);
+ break;
+ }
- // Move PHYP to Final Location
+ // Move PAYLOAD to Final Location
// Get Target Service, and the system target.
TargetService& tS = targetService();
TARGETING::Target* sys = nullptr;
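Review bot: `MCL::MasterContainerLidMgr::tpmExtend(l_compId, l_conHdr)` sits outside the `SECUREBOOT::enabled() && is_phyp` block, so for an OPAL payload, or with secure boot off, the values extended come from a header that was never verified. Judging by the trace strings in tpmExtend (payload text hash, FW key hash), the measurement is taken from header fields, so it is not shown to be bound to the bytes that are later moved; a comment such as `// Measured even when unverified: the PCR reflects what the header claims` would make that trust assumption explicit. Separately, `payload_size` is declared `uint64_t` earlier in the function, so the assert message should use `0x%llX` rather than `0x%X`. The new trace string also reads `tpmExend`. The function starts and ends outside this hunk.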
@@ -186,7 +232,6 @@ errlHndl_t verifyAndMovePayload(void)
payload_size -= PAGESIZE;
}
- // @TODO RTC 168745 - Use ContainerHeader to get accurate payload size
payloadBase_virt_addr = mm_block_map(
reinterpret_cast<void*>(payloadBase),
payload_size);
diff --git a/src/usr/secureboot/base/securerommgr.C b/src/usr/secureboot/base/securerommgr.C
index 02eca6293..17becb6b6 100644
--- a/src/usr/secureboot/base/securerommgr.C
+++ b/src/usr/secureboot/base/securerommgr.C
@@ -104,7 +104,7 @@ errlHndl_t verifyComponentId(
TRACFCOMP(g_trac_secure,ERR_MRK"SECUREROM::verifyComponentId: "
"Secure Boot verification failure; container's component ID of "
"[%s] does not match expected component ID of [%s] (truncated "
- "from [%s]",
+ "from [%s])",
i_containerHeader.componentId(),
pTruncatedComponentId,
i_pComponentId);
diff --git a/src/usr/secureboot/trusted/tpmLogMgr.C b/src/usr/secureboot/trusted/tpmLogMgr.C
index 625c6261a..855d02b5a 100644
--- a/src/usr/secureboot/trusted/tpmLogMgr.C
+++ b/src/usr/secureboot/trusted/tpmLogMgr.C
@@ -5,7 +5,7 @@
/* */
/* OpenPOWER HostBoot Project */
/* */
-/* Contributors Listed Below - COPYRIGHT 2015,2017 */
+/* Contributors Listed Below - COPYRIGHT 2015,2018 */
/* [+] International Business Machines Corp. */
/* */
/* */
@@ -595,6 +595,7 @@ namespace TRUSTEDBOOT
memset(i_val->eventLogInMem, 0, i_maxSize);
memcpy(i_val->eventLogInMem, i_val->eventLog, i_val->logSize);
i_val->newEventPtr = i_val->eventLogInMem + i_val->logSize;
+ i_val->logMaxSize = i_maxSize;
mutex_unlock( &i_val->logMutex );
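Review bot: `i_val->logMaxSize = i_maxSize;` records the new capacity only after `memcpy(i_val->eventLogInMem, i_val->eventLog, i_val->logSize)` has already written into the buffer, and no check that `logSize` fits within `i_maxSize` is visible in this hunk. If no such check exists above, add `assert(i_val->logSize <= i_maxSize);` before the memset/memcpy pair so the capacity being stored is known to hold the existing log. The function starts outside the hunk, so the guard may already be there.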
diff --git a/src/usr/util/utilmclmgr.C b/src/usr/util/utilmclmgr.C
index bcf0432bb..a89c124b8 100644
--- a/src/usr/util/utilmclmgr.C
+++ b/src/usr/util/utilmclmgr.C
@@ -42,6 +42,7 @@ const size_t MclCompSectionPadSize = 16;
const ComponentID g_MclCompId {"MSTCONT"};
const ComponentID g_PowervmCompId {"POWERVM"};
+const ComponentID g_OpalCompId {"OPAL"};
void compIdToString(const ComponentID i_compId, CompIdString o_compIdStr)
{
@@ -605,21 +606,6 @@ errlHndl_t MasterContainerLidMgr::verifyExtend(const ComponentID& i_compId,
if( (io_compInfo.flags & CompFlags::SIGNED_PRE_VERIFY) ==
CompFlags::SIGNED_PRE_VERIFY)
{
- // Only verify the lids if in secure mode
- if (SECUREBOOT::enabled())
- {
- // Verify Container - some combination of Lids
-
- l_errl = SECUREBOOT::verifyContainer(iv_pVaddr,
- extractLidIds(io_compInfo.lidIds));
- if (l_errl)
- {
- UTIL_FT(ERR_MRK"MasterContainerLidMgr::verifyExtend - failed verifyContainer");
- SECUREBOOT::handleSecurebootFailure(l_errl);
- assert(false,"Bug! handleSecurebootFailure shouldn't return!");
- }
- }
-
// Parse Container Header
SECUREBOOT::ContainerHeader l_conHdr;
l_errl = l_conHdr.setHeader(iv_pVaddr);
@@ -635,15 +621,34 @@ errlHndl_t MasterContainerLidMgr::verifyExtend(const ComponentID& i_compId,
io_compInfo.unprotectedSize = l_conHdr.totalContainerSize() -
l_conHdr.payloadTextSize();
- // Verify the component in the Secure Header matches the MCL
- l_errl = SECUREBOOT::verifyComponentId(l_conHdr, iv_curCompIdStr);
+ // Only verify the lids if in secure mode
+ if (SECUREBOOT::enabled())
+ {
+ // Verify Container - some combination of Lids
+ l_errl = SECUREBOOT::verifyContainer(iv_pVaddr,
+ extractLidIds(io_compInfo.lidIds));
+ if (l_errl)
+ {
+ UTIL_FT(ERR_MRK"MasterContainerLidMgr::verifyExtend - failed verifyContainer");
+ SECUREBOOT::handleSecurebootFailure(l_errl);
+ assert(false,"Bug! handleSecurebootFailure shouldn't return!");
+ }
+
+ // Verify the component in the Secure Header matches the MCL
+ l_errl = SECUREBOOT::verifyComponentId(l_conHdr, iv_curCompIdStr);
+ if (l_errl)
+ {
+ l_errl->collectTrace(UTIL_COMP_NAME);
+ break;
+ }
+ }
+
+ l_errl = tpmExtend(i_compId, l_conHdr);
if (l_errl)
{
l_errl->collectTrace(UTIL_COMP_NAME);
break;
}
-
- tpmExtend(i_compId, l_conHdr);
}
} while(0);
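Review bot: `SECUREBOOT::verifyComponentId(l_conHdr, iv_curCompIdStr)` previously ran regardless of secure mode and is now inside `if (SECUREBOOT::enabled())`, so with secure boot off a container whose header names a different component than the MCL entry is still passed to `tpmExtend`. If that is intended, say so in the comment, e.g. `// Component ID is only checked in secure mode; measurement proceeds regardless`; if not, keep the ID check outside the secure-mode block. verifyExtend starts and ends outside the hunk.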
@@ -653,7 +658,7 @@ errlHndl_t MasterContainerLidMgr::verifyExtend(const ComponentID& i_compId,
}
errlHndl_t MasterContainerLidMgr::tpmExtend(const ComponentID& i_compId,
- const SECUREBOOT::ContainerHeader& i_conHdr) const
+ const SECUREBOOT::ContainerHeader& i_conHdr)
{
UTIL_DT(ENTER_MRK"MasterContainerLidMgr::tpmExtend");
@@ -681,7 +686,7 @@ errlHndl_t MasterContainerLidMgr::tpmExtend(const ComponentID& i_compId,
if (l_errl)
{
UTIL_FT(ERR_MRK "MasterContainerLidMgr::tpmExtend - pcrExtend() (payload text hash) failed for component %s",
- iv_curCompIdStr);
+ i_conHdr.componentId());
break;
}
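Review bot: The failure trace now prints `i_conHdr.componentId()`, which is the ID the header claims, and on paths where the header has not been verified that string is not known to match `i_compId`. Logging the caller-supplied ID as well, via `compIdToString(i_compId, l_idStr)` into a local `CompIdString`, would keep the trace tied to the component the caller asked for. The same applies to the FW key hash trace in the next hunk. tpmExtend's body extends beyond both hunks.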
@@ -694,7 +699,7 @@ errlHndl_t MasterContainerLidMgr::tpmExtend(const ComponentID& i_compId,
if (l_errl)
{
UTIL_FT(ERR_MRK "MasterContainerLidMgr::tpmExtend - pcrExtend() (FW key hash) failed for component %s",
- iv_curCompIdStr);
+ i_conHdr.componentId());
break;
}