Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/808098/?format=api
{ "id": 808098, "url": "http://patchwork.ozlabs.org/api/patches/808098/?format=api", "web_url": "http://patchwork.ozlabs.org/project/skiboot/patch/1504164285-15095-13-git-send-email-cclaudio@linux.vnet.ibm.com/", "project": { "id": 44, "url": "http://patchwork.ozlabs.org/api/projects/44/?format=api", "name": "skiboot firmware development", "link_name": "skiboot", "list_id": "skiboot.lists.ozlabs.org", "list_email": "skiboot@lists.ozlabs.org", "web_url": "http://github.com/open-power/skiboot", "scm_url": "http://github.com/open-power/skiboot", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<1504164285-15095-13-git-send-email-cclaudio@linux.vnet.ibm.com>", "list_archive_url": null, "date": "2017-08-31T07:24:43", "name": "[v2,12/14] libstb: check container version before using it", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": false, "hash": "142959c7b8928b214a7683387e87f9d878600505", "submitter": { "id": 69305, "url": "http://patchwork.ozlabs.org/api/people/69305/?format=api", "name": "Claudio Carvalho", "email": "cclaudio@linux.vnet.ibm.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/skiboot/patch/1504164285-15095-13-git-send-email-cclaudio@linux.vnet.ibm.com/mbox/", "series": [ { "id": 760, "url": "http://patchwork.ozlabs.org/api/series/760/?format=api", "web_url": "http://patchwork.ozlabs.org/project/skiboot/list/?series=760", "date": "2017-08-31T07:24:31", "name": "libstb: simplify the initialization of cvc drivers", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/760/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/808098/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/808098/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "skiboot@lists.ozlabs.org" ], "Delivered-To": [ "patchwork-incoming@bilbo.ozlabs.org", "skiboot@lists.ozlabs.org" ], "Received": [ "from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])\n\t(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xjYqT3dG9z9sNc\n\tfor <incoming@patchwork.ozlabs.org>;\n\tThu, 31 Aug 2017 17:27:33 +1000 (AEST)", "from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 3xjYqT2g1VzDqXn\n\tfor <incoming@patchwork.ozlabs.org>;\n\tThu, 31 Aug 2017 17:27:33 +1000 (AEST)", "from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com\n\t[148.163.156.1])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 3xjYn11KQFzDqTy\n\tfor <skiboot@lists.ozlabs.org>; Thu, 31 Aug 2017 17:25:25 +1000 (AEST)", "from pps.filterd (m0098396.ppops.net [127.0.0.1])\n\tby mx0a-001b2d01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id\n\tv7V7ONDe086390\n\tfor <skiboot@lists.ozlabs.org>; Thu, 31 Aug 2017 03:25:23 -0400", "from e15.ny.us.ibm.com (e15.ny.us.ibm.com [129.33.205.205])\n\tby mx0a-001b2d01.pphosted.com with ESMTP id 2cpc4g7fbj-1\n\t(version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)\n\tfor <skiboot@lists.ozlabs.org>; Thu, 31 Aug 2017 03:25:23 -0400", "from localhost\n\tby e15.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use\n\tOnly! Violators will be prosecuted\n\tfor <skiboot@lists.ozlabs.org> from <cclaudio@linux.vnet.ibm.com>;\n\tThu, 31 Aug 2017 03:25:21 -0400", "from b01cxnp22036.gho.pok.ibm.com (9.57.198.26)\n\tby e15.ny.us.ibm.com (146.89.104.202) with IBM ESMTP SMTP Gateway:\n\tAuthorized Use Only! Violators will be prosecuted; \n\tThu, 31 Aug 2017 03:25:21 -0400", "from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com\n\t[9.57.199.109])\n\tby b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP\n\tid v7V7PKKq30933048\n\tfor <skiboot@lists.ozlabs.org>; Thu, 31 Aug 2017 07:25:20 GMT", "from localhost (unknown [127.0.0.1])\n\tby IMSVA (Postfix) with SMTP id 53A5F112040\n\tfor <skiboot@lists.ozlabs.org>; Thu, 31 Aug 2017 03:25:06 -0400 (EDT)", "from legolas.ibm.com (unknown [9.85.193.48])\n\tby b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP id F3EA1112040;\n\tThu, 31 Aug 2017 03:25:00 -0400 (EDT)" ], "X-IMSS-HAND-OFF-DIRECTIVE": "127.0.0.1:10026", "From": "Claudio Carvalho <cclaudio@linux.vnet.ibm.com>", "To": "skiboot@lists.ozlabs.org", "Date": "Thu, 31 Aug 2017 04:24:43 -0300", "X-Mailer": "git-send-email 2.7.4", "In-Reply-To": "<1504164285-15095-1-git-send-email-cclaudio@linux.vnet.ibm.com>", "References": "<1504164285-15095-1-git-send-email-cclaudio@linux.vnet.ibm.com>", "X-TM-AS-GCONF": "00", "x-cbid": "17083107-0036-0000-0000-00000261AE06", "X-IBM-SpamModules-Scores": "", "X-IBM-SpamModules-Versions": "BY=3.00007640; HX=3.00000241; KW=3.00000007;\n\tPH=3.00000004; SC=3.00000226; SDB=6.00910097; UDB=6.00456510;\n\tIPR=6.00690378; \n\tBA=6.00005562; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009;\n\tZB=6.00000000; \n\tZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00016938;\n\tXFM=3.00000015; UTC=2017-08-31 07:25:21", "X-IBM-AV-DETECTION": "SAVI=unused REMOTE=unused XFE=unused", "x-cbparentid": "17083107-0037-0000-0000-0000419CB183", "Message-Id": "<1504164285-15095-13-git-send-email-cclaudio@linux.vnet.ibm.com>", "X-Proofpoint-Virus-Version": "vendor=fsecure engine=2.50.10432:, ,\n\tdefinitions=2017-08-31_02:, , signatures=0", "X-Proofpoint-Spam-Details": "rule=outbound_notspam policy=outbound score=0\n\tspamscore=0 suspectscore=1\n\tmalwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam\n\tadjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000\n\tdefinitions=main-1708310114", "Subject": "[Skiboot] [PATCH v2 12/14] libstb: check container version before\n\tusing it", "X-BeenThere": "skiboot@lists.ozlabs.org", "X-Mailman-Version": "2.1.23", "Precedence": "list", "List-Id": "Mailing list for skiboot development <skiboot.lists.ozlabs.org>", "List-Unsubscribe": "<https://lists.ozlabs.org/options/skiboot>,\n\t<mailto:skiboot-request@lists.ozlabs.org?subject=unsubscribe>", "List-Archive": "<http://lists.ozlabs.org/pipermail/skiboot/>", "List-Post": "<mailto:skiboot@lists.ozlabs.org>", "List-Help": "<mailto:skiboot-request@lists.ozlabs.org?subject=help>", "List-Subscribe": "<https://lists.ozlabs.org/listinfo/skiboot>,\n\t<mailto:skiboot-request@lists.ozlabs.org?subject=subscribe>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "base64", "Errors-To": "skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org", "Sender": "\"Skiboot\"\n\t<skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>" }, "content": "Secureboot containers can be built for any cvc version, including one\nthat is not supported by skiboot. The version is stored in the\ncontainer.\n\nThis checks the container version before using it.\n\nSigned-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>\n---\n libstb/container.c | 47 +++++++++++++++++++++++++++++++++++++----------\n libstb/container.h | 9 +++++++--\n libstb/stb.c | 32 +++++++++++++++++++++++---------\n 3 files changed, 67 insertions(+), 21 deletions(-)", "diff": "diff --git a/libstb/container.c b/libstb/container.c\nindex a720fbb..d421bd7 100644\n--- a/libstb/container.c\n+++ b/libstb/container.c\n@@ -17,6 +17,17 @@\n #include <skiboot.h>\n #include \"container.h\"\n \n+uint16_t stb_container_version(const void *buf, size_t size)\n+{\n+\tROM_container_raw *c;\n+\n+\tif (!stb_is_container(buf, size))\n+\t\treturn 0;\n+\tc = (ROM_container_raw*) buf;\n+\n+\treturn be16_to_cpu(c->version);\n+}\n+\n bool stb_is_container(const void *buf, size_t size)\n {\n \tROM_container_raw *c;\n@@ -29,6 +40,15 @@ bool stb_is_container(const void *buf, size_t size)\n \treturn true;\n }\n \n+uint32_t stb_container_magic(const void *buf, size_t size)\n+{\n+\tROM_container_raw *c;\n+\tif (!stb_is_container(buf, size))\n+\t\treturn 0;\n+\tc = (ROM_container_raw*) buf;\n+\treturn be32_to_cpu(c->magic_number);\n+}\n+\n uint32_t stb_payload_magic(const void *buf, size_t size)\n {\n \tuint8_t *p;\n@@ -40,15 +60,19 @@ uint32_t stb_payload_magic(const void *buf, size_t size)\n \n uint64_t stb_sw_payload_size(const void *buf, size_t size)\n {\n-\tstruct parsed_stb_container c;\n+\tstruct parsed_stb_container_v1 c;\n \tif (!stb_is_container(buf, size))\n \t\treturn 0;\n-\tif (parse_stb_container(buf, size, &c) != 0)\n-\t\treturn 0;\n-\treturn be64_to_cpu(c.sh->payload_size);\n+\t/* Container v1 */\n+\tif (stb_container_version(buf, size) == 1) {\n+\t\tif (parse_stb_container_v1(buf, size, &c) != 0)\n+\t\t\treturn 0;\n+\t\treturn be64_to_cpu(c.sh->payload_size);\n+\t}\n+\treturn 0;\n }\n \n-int parse_stb_container(const void* data, size_t len, struct parsed_stb_container *c)\n+int parse_stb_container_v1(const void* data, size_t len, struct parsed_stb_container_v1 *c)\n {\n \tconst size_t prefix_data_min_size = 3 * (EC_COORDBYTES * 2);\n \tc->buf = data;\n@@ -65,14 +89,17 @@ int parse_stb_container(const void* data, size_t len, struct parsed_stb_containe\n \n const uint8_t* stb_sw_payload_hash(const void *buf, size_t size)\n {\n-\tstruct parsed_stb_container c;\n+\tstruct parsed_stb_container_v1 c;\n \n \tif (!stb_is_container(buf, size))\n \t\treturn NULL;\n-\tif (parse_stb_container(buf, size, &c) != 0)\n-\t\treturn NULL;\n-\n-\treturn c.sh->payload_hash;\n+\t/* Container v1 */\n+\tif (stb_container_version(buf, size) == 1) {\n+\t\tif (parse_stb_container_v1(buf, size, &c) != 0)\n+\t\t\treturn NULL;\n+\t\treturn c.sh->payload_hash;\n+\t}\n+\treturn NULL;\n }\n \n \ndiff --git a/libstb/container.h b/libstb/container.h\nindex 1233e7e..b55508e 100644\n--- a/libstb/container.h\n+++ b/libstb/container.h\n@@ -123,7 +123,7 @@ typedef struct {\n \tbe64 log;\n }__attribute__((packed)) ROM_hw_params;\n \n-struct parsed_stb_container {\n+struct parsed_stb_container_v1 {\n \tconst void *buf;\n \tsize_t bufsz;\n \tconst ROM_container_raw *c;\n@@ -147,7 +147,12 @@ bool stb_is_container(const void* buf, size_t size);\n const uint8_t* stb_sw_payload_hash(const void* buf, size_t size);\n uint64_t stb_sw_payload_size(const void *buf, size_t size);\n \n-int parse_stb_container(const void* data, size_t len, struct parsed_stb_container *c);\n+int parse_stb_container_v1(const void* data, size_t len,\n+\t\t\t struct parsed_stb_container_v1 *c);\n+\n+uint16_t stb_container_version(const void* buf, size_t size);\n+\n+uint32_t stb_container_magic(const void* buf, size_t size);\n \n void stb_print_data(const void *data, size_t len);\n \ndiff --git a/libstb/stb.c b/libstb/stb.c\nindex 3bc41c6..f0eb108 100644\n--- a/libstb/stb.c\n+++ b/libstb/stb.c\n@@ -405,6 +405,7 @@ int tb_measure(enum resource_id id, void *buf, size_t len)\n int sb_verify(enum resource_id id, void *buf, size_t len)\n {\n \tconst char *name;\n+\tint rc = -1;\n \n \tif (!secure_mode) {\n \t\tprlog(PR_INFO, \"STB: %s skipped resource %d, \"\n@@ -418,22 +419,35 @@ int sb_verify(enum resource_id id, void *buf, size_t len)\n \t\t \"resource_id=%d unknown\\n\", id);\n \t\tsb_enforce();\n \t}\n-\tif (!c1vc || !c1vc->verify) {\n-\t\tprlog(PR_EMERG, \"STB: secure boot not initialized\\n\");\n-\t\tsb_enforce();\n-\t}\n \tif (!buf || len < SECURE_BOOT_HEADERS_SIZE) {\n \t\tprlog(PR_EMERG, \"STB: %s arg error: id %d, buf %p, len %zd\\n\",\n \t\t __func__, id, buf, len);\n \t\tsb_enforce();\n \t}\n-\tif (c1vc->verify((void*) c1vc->verify_addr, name, buf,\n-\t\t\t hw_key_hash, hw_key_hash_size)) {\n-\t\tprlog(PR_EMERG, \"STB: %s failed: resource %s, \"\n-\t\t \"eyecatcher 0x%016llx\\n\", __func__, name,\n-\t\t *((uint64_t*)buf));\n+\tif (!stb_is_container(buf, len)) {\n+\t\tprlog(PR_EMERG, \"STB: %s NOT VERIFIED, magic_number=%x \"\n+\t\t \"not supported\\n\", name, stb_container_magic(buf, len));\n \t\tsb_enforce();\n \t}\n+\n+\t/* Handle container version 1 */\n+\tif (stb_container_version(buf, len) == 1) {\n+\n+\t\tif (c1vc && c1vc->verify)\n+\t\t\trc = c1vc->verify((void*) c1vc->verify_addr, name, buf,\n+\t\t\t\t\t hw_key_hash, hw_key_hash_size);\n+\t\telse\n+\t\t\tprlog(PR_EMERG, \"STB: %s NOT VERIFIED, secureboot not \"\n+\t\t\t \"initialized\\n\", name);\n+\n+\t} else {\n+\t\tprlog(PR_EMERG, \"STB: %s NOT VERIFIED, version=%d not supported\\n\",\n+\t\t name, stb_container_version(buf, len));\n+\t}\n+\n+\tif (rc)\n+\t\tsb_enforce();\n+\n \tprlog(PR_NOTICE, \"STB: %s verified\\n\", name);\n \treturn 0;\n }\n", "prefixes": [ "v2", "12/14" ] }