| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
Just pass the container structure rather than bus_id and xscom_base to
tpm_i2c_request_send(). Rename xscom_base to i2c_addr while we're here
since that's just plain wrong.
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
| |
We have observed some TPMs clock streching the I2C bus for signifigant
amounts of time when processing commands. The same TPMs also have
errata that can result in permernantly locking up a bus in response to
an I2C transaction they don't understand. Using an excessively long
timeout to prevent this in the field.
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This changes to build system to use thin archives rather than
incremental linking for built-in.o, similar to recent change to Linux.
built-in.o is renamed to built-in.a, and is created as a thin archive
with no index, for speed and size. All built-in.a are aggregated into
a skiboot.tmp.a which is a thin archive built with an index, making it
suitable or linking. This is input into the final link.
The advantags of build size and linker code placement flexibility are
not as great with skiboot as a bigger project like Linux, but it's a
conceptually better way to build, and is more compatible with link
time optimisation in toolchains which might be interesting for skiboot
particularly for size reductions.
Size of build tree before this patch is 34.4MB, afterwards 23.1MB.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
| |
This removes all the files that were replaced by secureboot.c,
trustedboot.c and cvc.c.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The linux kernel doesn't have a driver compatible with
"nuvoton,npct650", but it does have for "nuvoton,npct601", which should
also be compatible with npct650.
This adds "nuvoton,npct601" to the compatible devtree property.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This imports tb_measure() from stb.c, but now it calls the CVC sha512
wrapper to calculate the sha512 hash of the firmware image provided.
In trustedboot.c, the tb_measure() is renamed to trustedboot_measure().
The new function, trustedboot_measure(), no longer checks if the
container payload hash calculated at boot time matches with the hash
found in the container header. A few reasons:
- If the system admin wants the container header to be
checked/validated, the secure boot jumper must be set. Otherwise,
the container header information may not be reliable.
- The container layout is expected to change over time. Skiboot
would need to maintain a parser for each container layout
change.
- Skiboot could be checking the hash against a container version that
is not supported by the Container-Verification-Code (CVC).
The tb_measure() calls are updated to trustedboot_measure() in a
subsequent patch.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This imports the sb_verify() function from stb.c, but now it calls the
CVC verify wrapper in order to verify signed firmware images. The
hw-key-hash and hw-key-hash-size initialized in secureboot.c are passed
to the CVC verify function wrapper.
In secureboot.c, the sb_verify() is renamed to secureboot_verify(). The
sb_verify() calls are updated in a subsequent patch.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The drivers/sha512.c file is a SHA512 hash implementation imported from
the mbed TLS project.
As a matter of semantics, this moves drivers/sha512.* to the mbedtls
directory.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPM code has a wrapper around the main i2c API to allow synchronous use.
Move it into core/i2c.c so it can be used by other possible users. In
particular, a future patch will use this to drive OpenCAPI device resets
during boot time.
Cc: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Cc: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
| |
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In TPM 2.0 Firmware 1.3.0.1 and 1.3.1.0 (at least) there exists
a bug where if you send the wrong thing to the TPM it may lock the
bus, with no way of recovery except powering the TPM off/on.
On our current systems, the only way to power the TPM off/on is to pull
the power on the system (*NOT* just power off/on to host from BMC).
So, this patch adds the ability to do things to the i2c request really
early on, well before it hits any hardware, such as quickly drop it.
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, the polling time is calculated by adding the sleep time to it.
This calculates the polling time by taking timestamps with mftb() before
calling the i2c-interface to send an i2c request to the tpm. Thus having
a much more accurate polling time.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
| |
This adds code to handle errors after reading the tpm fifo in
tpm_read_fifo().
Fixes: 56ad053c3e8bf0764ad5878cb018f00a389d30cf
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
| |
The tpm_read_fifo() has unnecessary and not so intuitive variables.
This cleans up these variables.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
| |
This adds code to handle errors after writting the tpm fifo in
tpm_write_fifo().
Fixes: 56ad053c3e8bf0764ad5878cb018f00a389d30cf
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
| |
The tpm_write_fifo() has unnecessary and not so intuitive variables.
This cleans up these variables.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
| |
This adds code to handle errors after writting the sts.commandReady to
release the tpm.
Fixes: 56ad053c3e8bf0764ad5878cb018f00a389d30cf
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
| |
This handles errors returned by the tpm-i2c interface after writing
sts.go in tpm_transmit().
Fixes: 56ad053c3e8bf0764ad5878cb018f00a389d30cf
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The functions tpm_is_expecting() and tpm_is_data_avail() ignore the
errors returned by the tpm-i2c interface.
This adds code to handle erros after checking the tpm fifo status. The
tpm_is_expecting() and tpm_is_data_avail() functions are replaced by
tpm_wait_for_fifo_status().
Fixes: 56ad053c3e8bf0764ad5878cb018f00a389d30cf
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
| |
This returns burst_count as opposed to pass it as a parameter.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
| |
TPM_TIMEOUT_D timeout is only related to burst_count polling.
This moves the burstCount polling code to tpm_read_burst_count() in
order to isolate the code that is related to TPM_TIMEOUT_D.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
| |
This adds code to handle errors after reading sts.commandReady. The
nested loop in tpm_poll_for_command_ready() is splitted in two
functions.
Fixes: 56ad053c3e8bf0764ad5878cb018f00a389d30cf
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The tpm status register is read from multiple places by calling the
tpm-i2c-interface.
This adds the tpm_status_read_byte() to be the only function that
directly calls the tpm-i2c interface to read the tpm status register
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
| |
This adds the tpm_check_status(), which makes the code more easy to read
and also allows the use of a mask to check status.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
| |
This shorten some defines to better fit in 80 columms.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
| |
This ensures the i2c subsystem is done with the i2c request before
we continue. Since it handles timeouts, we don't have to here.
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Tested-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
| |
The i2c code manipulates req->timeout, so it has to be reset before
re-sending.
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Tested-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Doing everything asynchronously is brilliant, it's exactly what we
want to do.
Except... the tpm driver wants to do things synchronously, which isn't
so cool.
For reasons that are not yet completely known, we spend an awful lot of
time in the main thread *not* running pollers (potentially seconds), which
doesn't bode well for I2C timeouts.
Since the TPM measure is done in a secondary thread, we do *not* run pollers
there either (as of 323c8aeb54bd4e0b9004091fcbb4a9daeda2f576 - which is
roughly as of skiboot 2.1.1).
But we still need to crank the i2c state machine, so we introduce a call
to do just that. It will return how long the poll interval should be, so
that we can time_wait() for a more appropriate time for whatever i2c
implementation is sitting behind things.
Without this, it was "easy" to get to a situation where the i2c state machine
wasn't cranked at all, and you'd hit the i2c timeout (for the issued operation)
before the poller to crank i2c was ever called.
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Tested-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
| |
This bumps up the byte timeout for tpm i2c requests from 10ms to 30ms.
Some p8dtu systems are getting i2c request timeout.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
| |
Pass SKIBOOT_ENABLE_MAMBO_STB=1 as environment variable to skiboot.tcl
and the tcl will enable the /ibm,secureboot node, enabling hash and
signature "verification" for that mambo session.
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds the 1/5 step performed by the TPM I2C Nuvoton driver to
transmit a command to the TPM device. In this step the driver
checks if the TPM device is ready to receive a new command.
This adds the 2/5 step performed by the TPM I2C Nuvoton driver to
transmit a command to the TPM device. In this step the driver
writes a given command to master I2C FIFO.
This adds the 3/5 step performed by the TPM I2C Nuvoton driver to
transmit a command to the TPM device. In this step the driver
sets the TPMGO bit in the I2C master status register to indicate that
the command stored in the FIFO can be sent to the TPM device.
This adds the 4/5 step performed by the TPM I2C Nuvoton driver to
transmit a command to the TPM device. In this step the driver
reads from the I2C master FIFO the result that the TPM device returned
for the last command sent.
This adds the 5/5 step performed by the TPM I2C Nuvoton driver to
transmit a command to the TPM device. In this step the driver
sets the COMMAND_READY bit in the status register to indicate that the
TPM device is ready to receive a new command.
This adds the probe function to the TPM Nuvoton driver and also updates
the tpm_init() in tpm_chip.c to call the probe function.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
[stewart@linux.vnet.ibm.com: squash commits into one]
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
| |
This adds the functions that TPM I2C drivers can use to send
requests to I2C master.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This adds a driver for the ROM verification code. The driver is compatible
with 'ibm,secureboot-v1'.
The presense of a verification code in the platform is indicated by the
presence of the ibm,secureboot node in the device tree.
The ibm,secureboot node is documented in 'doc/device-tree/ibm,secureboot.rst'
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|