diff options
author | Claudio Carvalho <cclaudio@linux.vnet.ibm.com> | 2017-12-09 02:52:16 -0200 |
---|---|---|
committer | Stewart Smith <stewart@linux.vnet.ibm.com> | 2017-12-18 21:30:57 -0600 |
commit | 594c7a6ae3cccd4a7eeb5ce2c31d2f958672325c (patch) | |
tree | f710a3d8ac4bef339eb8cc23734a92f1a162a1ed /libstb/trustedboot.c | |
parent | 4fb528b394115ff8dd832b980032d7656aece099 (diff) | |
download | talos-skiboot-594c7a6ae3cccd4a7eeb5ce2c31d2f958672325c.tar.gz talos-skiboot-594c7a6ae3cccd4a7eeb5ce2c31d2f958672325c.zip |
libstb: import stb_init() breaking it into multiple files
This imports stb_init() from stb.c, but breaking it into multiple files
in order to make the code easier to read and to maintain. New files
created: secureboot.c, trustedboot.c and cvc.c.
The secureboot_init() in secureboot.c also initializes the hardware key
hash and the hardware key hash size, which are used to call the CVC
verify wrapper. These variables were initialized in the romcode_probe()
function, libstb/drivers/romcode.c.
The cvc_init() in cvc.c is slightly modified from what exists in
stb_init(). Now it calls cvc_register() and cvc_service_register().
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Diffstat (limited to 'libstb/trustedboot.c')
-rw-r--r-- | libstb/trustedboot.c | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/libstb/trustedboot.c b/libstb/trustedboot.c new file mode 100644 index 00000000..9644d1ab --- /dev/null +++ b/libstb/trustedboot.c @@ -0,0 +1,66 @@ +/* Copyright 2013-2017 IBM Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef pr_fmt +#define pr_fmt(fmt) "STB: " fmt +#endif + +#include <skiboot.h> +#include <device.h> +#include <nvram.h> +#include "secureboot.h" +#include "trustedboot.h" +#include "tpm_chip.h" + +static bool trusted_mode = false; + +void trustedboot_init(void) +{ + struct dt_node *node; + + node = dt_find_by_path(dt_root, "/ibm,secureboot"); + if (!node) { + prlog(PR_NOTICE, "trusted boot not supported\n"); + return; + } + + if (!secureboot_is_compatible(node, NULL, NULL)) { + /** + * @fwts-label TrustedBootNotCompatible + * @fwts-advice Compatible trustedboot driver not found. Probably, + * hostboot/mambo/skiboot has updated the + * /ibm,secureboot/compatible without adding a driver that + * supports it. + */ + prlog(PR_ERR, "trustedboot init FAILED, '%s' node not " + "compatible.\n", node->name); + return; + } + + if (nvram_query_eq("force-trusted-mode", "true")) { + trusted_mode = true; + prlog(PR_NOTICE, "trusted mode on (FORCED by nvram)\n"); + } else { + trusted_mode = dt_has_node_property(node, "trusted-enabled", NULL); + prlog(PR_NOTICE, "trusted mode %s\n", + trusted_mode ? "on" : "off"); + } + + if (!trusted_mode) + return; + cvc_init(); + tpm_init(); +} |