From cefc4c2c1bf3a43a993f2091813ee181779ddee4 Mon Sep 17 00:00:00 2001 From: Stephen Cprek Date: Wed, 26 Jul 2017 10:33:24 -0500 Subject: Refactor SecureBoot Workarounds to better control leniency At this time we are trying to secure OpenPOWER in secure mode, but allow best effort policies in other scenarios Change-Id: I9ec2b5be49dbfcff678c4d30bb85f8762e448cb6 RTC: 170136 RTC: 155374 RTC: 168021 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/43640 Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Reviewed-by: Nicholas E. Bofferding Reviewed-by: Michael Baiocchi Tested-by: FSP CI Jenkins Reviewed-by: Daniel M. Crowell --- src/usr/pnor/pnor_common.C | 135 +++++++++++++++++++++++---------------------- 1 file changed, 68 insertions(+), 67 deletions(-) (limited to 'src/usr/pnor/pnor_common.C') diff --git a/src/usr/pnor/pnor_common.C b/src/usr/pnor/pnor_common.C index addf0e491..20d6bd760 100644 --- a/src/usr/pnor/pnor_common.C +++ b/src/usr/pnor/pnor_common.C @@ -304,31 +304,31 @@ errlHndl_t PNOR::parseTOC( uint8_t* i_tocBuffer,SectionData_t * o_TOC) } - // @TODO RTC 168021 Remove legacy extensions when all - // secure sections are supported +#ifndef __HOSTBOOT_RUNTIME if (PNOR::hasNonSecureHeader(o_TOC[l_secId])) { // Never extend the base image through this path, it will be // handled elsewhere if(l_secId != PNOR::HB_BASE_CODE) { - // For non-secure sections with a SHA512 header, the - // flash address has incremented past the header, so - // back up by the header size (accounting for ECC) in order - // to extend the header - auto addr = o_TOC[l_secId].flashAddr; - size_t headerSize = + // For non-secure sections with a SHA512 header, the + // flash address has incremented past the header, so + // back up by the header size (accounting for ECC) in order + // to extend the header + auto addr = o_TOC[l_secId].flashAddr; + size_t headerSize = (o_TOC[l_secId].integrity == FFS_INTEG_ECC_PROTECT) ? PAGESIZE_PLUS_ECC : PAGESIZE; - addr -= headerSize; + addr -= headerSize; - l_errhdl = PNOR::extendHash(addr, headerSize, l_secId); - if (l_errhdl) - { - break; - } + l_errhdl = PNOR::extendHash(addr, headerSize, l_secId); + if (l_errhdl) + { + break; + } } } +#endif } for(int tmpId = 0; @@ -346,50 +346,49 @@ errlHndl_t PNOR::parseTOC( uint8_t* i_tocBuffer,SectionData_t * o_TOC) return l_errhdl; } -// @TODO RTC 168021 Remove legacy extensions when all secure sections are -// supported -errlHndl_t PNOR::extendHash(uint64_t i_addr, - size_t i_size, - const PNOR::SectionId i_sectionId) +#ifndef __HOSTBOOT_RUNTIME +errlHndl_t PNOR::extendHash(uint64_t i_addr, size_t i_size, + const PNOR::SectionId i_sectionId) { errlHndl_t l_errhdl = NULL; do { - #ifndef __HOSTBOOT_RUNTIME - const char* l_name = PNOR::SectionIdToString(i_sectionId); - - // Read data from the PNOR DD - uint8_t* l_buf = new uint8_t[i_size](); - TARGETING::Target* l_target = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL; - l_errhdl = DeviceFW::deviceRead(l_target, l_buf, i_size, - DEVICE_PNOR_ADDRESS(0,i_addr)); - if (l_errhdl) - { - break; - } - SHA512_t l_hash = {0}; - SECUREBOOT::hashBlob(l_buf, i_size, l_hash); - l_errhdl = TRUSTEDBOOT::pcrExtend(TRUSTEDBOOT::PCR_0, - PNOR::PAYLOAD == i_sectionId? - TRUSTEDBOOT::EV_COMPACT_HASH: - (PNOR::isCoreRootOfTrustSection(i_sectionId)? - TRUSTEDBOOT::EV_S_CRTM_CONTENTS: - TRUSTEDBOOT::EV_POST_CODE), - l_hash, - sizeof(SHA512_t), - l_name); - delete[] l_buf; + const char* l_name = PNOR::SectionIdToString(i_sectionId); + + // Read data from the PNOR DD + uint8_t* l_buf = new uint8_t[i_size](); + TARGETING::Target* l_target = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL; + l_errhdl = DeviceFW::deviceRead(l_target, l_buf, i_size, + DEVICE_PNOR_ADDRESS(0,i_addr)); + if (l_errhdl) + { + break; + } + + SHA512_t l_hash = {0}; + SECUREBOOT::hashBlob(l_buf, i_size, l_hash); + l_errhdl = TRUSTEDBOOT::pcrExtend(TRUSTEDBOOT::PCR_0, + PNOR::PAYLOAD == i_sectionId? + TRUSTEDBOOT::EV_COMPACT_HASH: + (PNOR::isCoreRootOfTrustSection(i_sectionId)? + TRUSTEDBOOT::EV_S_CRTM_CONTENTS: + TRUSTEDBOOT::EV_POST_CODE), + l_hash, + sizeof(SHA512_t), + l_name); + delete[] l_buf; + + if (l_errhdl) + { + break; + } - if (l_errhdl) - { - break; - } - #endif } while(0); return l_errhdl; } +#endif bool PNOR::isInhibitedSection(const uint32_t i_section) { @@ -445,7 +444,7 @@ bool PNOR::isInhibitedSection(const uint32_t i_section) #endif } -// @TODO RTC:155374 Remove this in the future + errlHndl_t PNOR::setSecure(const uint32_t i_secId, PNOR::SectionData_t* io_TOC) { @@ -458,29 +457,31 @@ errlHndl_t PNOR::setSecure(const uint32_t i_secId, // Set secure field based on enforced policy io_TOC[i_secId].secure = PNOR::isEnforcedSecureSection(i_secId); + // HBRT does not support best effort policy. Use enforced secure policy only. #ifndef __HOSTBOOT_RUNTIME -#ifdef CONFIG_SECUREBOOT_BEST_EFFORT - if (io_TOC[i_secId].secure) + if(SECUREBOOT::bestEffortPolicy()) { - // Apply best effort policy by checking if the section appears to have a - // secure header - size_t l_size = sizeof(ROM_MAGIC_NUMBER); - uint8_t l_buf[l_size] = {0}; - auto l_target = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL; - // Read first 4 bytes of section data from the PNOR DD - // Note: Do not need to worry about ECC as the 9th byte is the first - // ECC byte. - l_errhdl = DeviceFW::deviceRead(l_target, l_buf, l_size, - DEVICE_PNOR_ADDRESS(0,io_TOC[i_secId].flashAddr)); - if (l_errhdl) + if (io_TOC[i_secId].secure) { - break; - } + // Apply best effort policy by checking if the section appears to have a + // secure header + size_t l_size = sizeof(ROM_MAGIC_NUMBER); + uint8_t l_buf[l_size] = {0}; + auto l_target = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL; + // Read first 4 bytes of section data from the PNOR DD + // Note: Do not need to worry about ECC as the 9th byte is the first + // ECC byte. + l_errhdl = DeviceFW::deviceRead(l_target, l_buf, l_size, + DEVICE_PNOR_ADDRESS(0,io_TOC[i_secId].flashAddr)); + if (l_errhdl) + { + break; + } - // Check if first 4 bytes match the Secureboot Magic Number - io_TOC[i_secId].secure &= PNOR::cmpSecurebootMagicNumber(l_buf); + // Check if first 4 bytes match the Secureboot Magic Number + io_TOC[i_secId].secure &= PNOR::cmpSecurebootMagicNumber(l_buf); + } } -#endif #endif } while (0); -- cgit v1.2.1