Talos™ II skiboot sources https://git.raptorcs.com/git/talos-skiboot/atom?h=master 2018-03-01T02:28:39+00:00 2018-03-01T02:28:39+00:00 Nicholas Piggin npiggin@gmail.com 2018-02-10T08:42:49+00:00 urn:sha1:f6159cff5d91e5c0810d0c9285a1d2370a38e2b7 This changes to build system to use thin archives rather than incremental linking for built-in.o, similar to recent change to Linux. built-in.o is renamed to built-in.a, and is created as a thin archive with no index, for speed and size. All built-in.a are aggregated into a skiboot.tmp.a which is a thin archive built with an index, making it suitable or linking. This is input into the final link. The advantags of build size and linker code placement flexibility are not as great with skiboot as a bigger project like Linux, but it's a conceptually better way to build, and is more compatible with link time optimisation in toolchains which might be interesting for skiboot particularly for size reductions. Size of build tree before this patch is 34.4MB, afterwards 23.1MB. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com> 2017-12-19T03:30:57+00:00 Claudio Carvalho cclaudio@linux.vnet.ibm.com 2017-12-09T04:52:28+00:00 urn:sha1:ccdbfdac637c2ddabfcc36371344cd5c6c648e1b This removes all the files that were replaced by secureboot.c, trustedboot.c and cvc.c. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com> 2017-12-19T03:30:57+00:00 Claudio Carvalho cclaudio@linux.vnet.ibm.com 2017-12-09T04:52:23+00:00 urn:sha1:024bf3248101b91ddb43ae4e709625ebf45fb9a6 The linux kernel doesn't have a driver compatible with "nuvoton,npct650", but it does have for "nuvoton,npct601", which should also be compatible with npct650. This adds "nuvoton,npct601" to the compatible devtree property. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com> 2017-12-19T03:30:57+00:00 Claudio Carvalho cclaudio@linux.vnet.ibm.com 2017-12-09T04:52:20+00:00 urn:sha1:3281d5a41a825fce5b935e8929971a8847611fc8 This imports tb_measure() from stb.c, but now it calls the CVC sha512 wrapper to calculate the sha512 hash of the firmware image provided. In trustedboot.c, the tb_measure() is renamed to trustedboot_measure(). The new function, trustedboot_measure(), no longer checks if the container payload hash calculated at boot time matches with the hash found in the container header. A few reasons: - If the system admin wants the container header to be checked/validated, the secure boot jumper must be set. Otherwise, the container header information may not be reliable. - The container layout is expected to change over time. Skiboot would need to maintain a parser for each container layout change. - Skiboot could be checking the hash against a container version that is not supported by the Container-Verification-Code (CVC). The tb_measure() calls are updated to trustedboot_measure() in a subsequent patch. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com> 2017-12-19T03:30:57+00:00 Claudio Carvalho cclaudio@linux.vnet.ibm.com 2017-12-09T04:52:19+00:00 urn:sha1:3ab91fbec937830f184108a244795a2e05cb275c This imports the sb_verify() function from stb.c, but now it calls the CVC verify wrapper in order to verify signed firmware images. The hw-key-hash and hw-key-hash-size initialized in secureboot.c are passed to the CVC verify function wrapper. In secureboot.c, the sb_verify() is renamed to secureboot_verify(). The sb_verify() calls are updated in a subsequent patch. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com> 2017-12-19T03:30:57+00:00 Claudio Carvalho cclaudio@linux.vnet.ibm.com 2017-12-09T04:52:15+00:00 urn:sha1:4fb528b394115ff8dd832b980032d7656aece099 The drivers/sha512.c file is a SHA512 hash implementation imported from the mbed TLS project. As a matter of semantics, this moves drivers/sha512.* to the mbedtls directory. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com> 2017-10-03T02:59:33+00:00 Andrew Donnellan andrew.donnellan@au1.ibm.com 2017-09-06T07:34:35+00:00 urn:sha1:6c22ac75211b140e56f28825fb3518f5b07aa305 The TPM code has a wrapper around the main i2c API to allow synchronous use. Move it into core/i2c.c so it can be used by other possible users. In particular, a future patch will use this to drive OpenCAPI device resets during boot time. Cc: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Cc: Frederic Barrat <fbarrat@linux.vnet.ibm.com> Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com> 2017-05-12T06:18:45+00:00 Stewart Smith stewart@linux.vnet.ibm.com 2017-05-10T04:47:27+00:00 urn:sha1:4450142f6682835394adc2f5422d3003581b5135 Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com> 2016-12-02T03:25:25+00:00 Stewart Smith stewart@linux.vnet.ibm.com 2016-12-02T02:20:18+00:00 urn:sha1:157468aeb16e9f50551ac9bc7d46887cba0e011f In TPM 2.0 Firmware 1.3.0.1 and 1.3.1.0 (at least) there exists a bug where if you send the wrong thing to the TPM it may lock the bus, with no way of recovery except powering the TPM off/on. On our current systems, the only way to power the TPM off/on is to pull the power on the system (*NOT* just power off/on to host from BMC). So, this patch adds the ability to do things to the i2c request really early on, well before it hits any hardware, such as quickly drop it. Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com> 2016-11-29T07:17:03+00:00 Claudio Carvalho cclaudio@linux.vnet.ibm.com 2016-11-28T03:08:14+00:00 urn:sha1:5f0dfda6e5316aaf28fe1487cd5325806f060afa Currently, the polling time is calculated by adding the sleep time to it. This calculates the polling time by taking timestamps with mftb() before calling the i2c-interface to send an i2c request to the tpm. Thus having a much more accurate polling time. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>