authorClaudio Carvalho <cclaudio@linux.vnet.ibm.com>2017-12-09 02:52:20 -0200
committerStewart Smith <stewart@linux.vnet.ibm.com>2017-12-18 21:30:57 -0600
commit3281d5a41a825fce5b935e8929971a8847611fc8 (patch)
tree893cae01d52a909e18a8911c375b562f7acdc2c4 /libstb/cvc.c
parent3ab91fbec937830f184108a244795a2e05cb275c (diff)
libstb/trustedboot.c: import tb_measure() from stb.c
This imports tb_measure() from stb.c, but now it calls the CVC sha512 wrapper to calculate the sha512 hash of the firmware image provided. In trustedboot.c, the tb_measure() is renamed to trustedboot_measure(). The new function, trustedboot_measure(), no longer checks if the container payload hash calculated at boot time matches with the hash found in the container header. A few reasons: - If the system admin wants the container header to be checked/validated, the secure boot jumper must be set. Otherwise, the container header information may not be reliable. - The container layout is expected to change over time. Skiboot would need to maintain a parser for each container layout change. - Skiboot could be checking the hash against a container version that is not supported by the Container-Verification-Code (CVC). The tb_measure() calls are updated to trustedboot_measure() in a subsequent patch. Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Diffstat (limited to 'libstb/cvc.c')
-rw-r--r--libstb/cvc.c28
1 files changed, 28 insertions, 0 deletions
diff --git a/libstb/cvc.c b/libstb/cvc.c
index 96c48f4a..b0f5cd30 100644
--- a/libstb/cvc.c
+++ b/libstb/cvc.c
@@ -33,6 +33,8 @@
*/
ROM_response __cvc_verify_v1(void *func_ptr, ROM_container_raw *container,
ROM_hw_params *params);
+void __cvc_sha512_v1(void *func_ptr, const uint8_t *data, size_t len,
+ uint8_t *digest);
struct container_verification_code {
uint64_t start_addr;
@@ -200,6 +202,32 @@ int cvc_init(void)
return rc;
}
+int call_cvc_sha512(const uint8_t *data, size_t data_len, uint8_t *digest,
+ size_t digest_size)
+{
+ struct cvc_service *service;
+
+ if (!data || !digest || digest_size < SHA512_DIGEST_LENGTH)
+ return OPAL_PARAMETER;
+
+ if (data_len <= 0)
+ return OPAL_SUCCESS;
+
+ memset(digest, 0, SHA512_DIGEST_LENGTH);
+
+ service = cvc_find_service(CVC_SHA512_SERVICE);
+
+ if (!service)
+ return OPAL_UNSUPPORTED;
+
+ if (service->version == 1)
+ __cvc_sha512_v1((void*) service->addr, data, data_len, digest);
+ else
+ return OPAL_UNSUPPORTED;
+
+ return OPAL_SUCCESS;
+}
+
int call_cvc_verify(void *container, size_t len, const void *hw_key_hash,
size_t hw_key_hash_size, uint64_t *log)
{
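Review bot: In call_cvc_sha512, the `data_len <= 0` branch returns OPAL_SUCCESS before the `memset`, so a zero-length input reports success while leaving `digest` untouched; a caller that then records that buffer as a measurement would be using whatever bytes were already there. Because `data_len` is a `size_t`, the comparison is really `== 0`. I would either reject it with `if (data_len == 0) return OPAL_PARAMETER;` or move `memset(digest, 0, SHA512_DIGEST_LENGTH);` above the check so the output is at least defined. Separately, `__cvc_sha512_v1` returns void, so this wrapper appears unable to tell a failed hash from a successful one (the digest would presumably stay all zeros). A comment stating that contract would help callers decide whether to treat an all-zero digest as an error.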