diff options
author | Claudio Carvalho <cclaudio@linux.vnet.ibm.com> | 2017-12-09 02:52:21 -0200 |
---|---|---|
committer | Stewart Smith <stewart@linux.vnet.ibm.com> | 2017-12-18 21:30:57 -0600 |
commit | 5c2c24ba151121ebb627195322fab3498f834b14 (patch) | |
tree | 151c58fbe6e7bc54afb2690a6208ba13bb0b7101 /libstb/cvc.c | |
parent | 3281d5a41a825fce5b935e8929971a8847611fc8 (diff) | |
download | talos-skiboot-5c2c24ba151121ebb627195322fab3498f834b14.tar.gz talos-skiboot-5c2c24ba151121ebb627195322fab3498f834b14.zip |
libstb/cvc.c: import softrom behavior from drivers/sw_driver.c
Softrom is used only for testing with mambo. By setting
compatible="ibm,secureboot-v1-softrom" in the "ibm,secureboot" node,
firmware images can be properly measured even if the
Container-Verification-Code (CVC) is not available. In this case, the
mbedtls_sha512() function is used to calculate the sha512 hash of the
firmware images.
This imports the softrom behavior from libstb/drivers/sw_driver.c code
into cvc.c, but now softrom is implemented as a flag. When the flag is
set, the wrappers for the CVC services work the same way as in
sw_driver.c.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Diffstat (limited to 'libstb/cvc.c')
-rw-r--r-- | libstb/cvc.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/libstb/cvc.c b/libstb/cvc.c index b0f5cd30..fd1f6071 100644 --- a/libstb/cvc.c +++ b/libstb/cvc.c @@ -26,6 +26,7 @@ #include <inttypes.h> #include "secureboot.h" #include "cvc.h" +#include "mbedtls/sha512.h" /* * Assembly interfaces to call into the Container Verification Code. @@ -43,6 +44,7 @@ struct container_verification_code { }; static struct container_verification_code *cvc = NULL; +static bool softrom = false; static void *secure_rom_mem = NULL; struct cvc_service { @@ -194,6 +196,8 @@ int cvc_init(void) if (version == IBM_SECUREBOOT_V1 && proc_gen == proc_gen_p8) { rc = cvc_secure_rom_init(); + } else if (version == IBM_SECUREBOOT_SOFTROM) { + softrom = true; } else { prlog(PR_ERR, "%s FAILED. /ibm,secureboot not supported\n", __func__); @@ -214,6 +218,15 @@ int call_cvc_sha512(const uint8_t *data, size_t data_len, uint8_t *digest, return OPAL_SUCCESS; memset(digest, 0, SHA512_DIGEST_LENGTH); + if (softrom) { + mbedtls_sha512_context ctx; + mbedtls_sha512_init(&ctx); + mbedtls_sha512_starts(&ctx, 0); // SHA512 = 0 + mbedtls_sha512_update(&ctx, data, data_len); + mbedtls_sha512_finish(&ctx, digest); + mbedtls_sha512_free(&ctx); + return OPAL_SUCCESS; + } service = cvc_find_service(CVC_SHA512_SERVICE); @@ -239,6 +252,9 @@ int call_cvc_verify(void *container, size_t len, const void *hw_key_hash, !hw_key_hash || hw_key_hash_size <= 0) return OPAL_PARAMETER; + if (softrom) + return OPAL_UNSUPPORTED; + service = cvc_find_service(CVC_VERIFY_SERVICE); if (!service) |