Message ID | 20180710062532.15854-1-sam@mendozajonas.com |
---|---|
State | Accepted |
Series | [v2] Recognise signed VERSION partition |
Samuel Mendoza-Jonas <sam@mendozajonas.com> writes:
> A few things need to change to support a signed VERSION partition:
>
> - A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE (4K).
> - The VERSION partition needs to be loaded after secure/trusted boot is
>   set up, and therefore after nvram_init().
> - Added to the trustedboot resources array.
>
> This also moves the ipmi_dt_add_bmc_info() call to after
> flash_dt_add_fw_version() since it adds info to ibm,firmware-versions.
>
> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
> ---
> v2: rebase on master to work alongside the flash_dt_add_fw_version()
> changes, move modifying the DT to later in the boot process and let
> VERSION load in the background.

looks good to me, merged to master as of
3cd749c99791d43ee929b9401fb14fc6739ce360

On 2018-07-17 13:36, Stewart Smith wrote:
> Samuel Mendoza-Jonas <sam@mendozajonas.com> writes:
>> A few things need to change to support a signed VERSION partition:
>>
>> - A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE (4K).
>> - The VERSION partition needs to be loaded after secure/trusted boot is
>>   set up, and therefore after nvram_init().
>> - Added to the trustedboot resources array.
>>
>> This also moves the ipmi_dt_add_bmc_info() call to after
>> flash_dt_add_fw_version() since it adds info to ibm,firmware-versions.
>>
>> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
>> ---
>> v2: rebase on master to work alongside the flash_dt_add_fw_version()
>> changes, move modifying the DT to later in the boot process and let
>> VERSION load in the background.
>
> looks good to me, merged to master as of
> 3cd749c99791d43ee929b9401fb14fc6739ce360

On secureboot enabled platforms we are getting a boot enforce with this patch
as VERSION partition is still not signed.

[ 74.044712556,7] LPC: Routing irq 4, policy: 0 (r=1)
[ 74.044713816,7] LPC: SerIRQ 4 using route 2 targetted at OPAL
[ 74.049822308,5] OCC: All Chip Rdy after 0 ms
[ 74.252505689,0] STB: VERSION verification FAILED. log=0xffffffffffff8120
[ 74.255402552,0] STB: secure mode enforced, aborting.
[ 74.258240099,0] Aborting!
CPU 0018 Backtrace:
 S: 0000000031cc3a60 R: 000000003001ae60 ._abort+0x4c
 S: 0000000031cc3ae0 R: 00000000300a8a40 .secureboot_enforce+0x3c
 S: 0000000031cc3b50 R: 00000000300a8f50 .secureboot_verify+0x15c
 S: 0000000031cc3c00 R: 0000000030030a9c .flash_load_resources+0x5fc
 S: 0000000031cc3d40 R: 0000000030018d5c .cpu_process_jobs+0xdc
 S: 0000000031cc3e00 R: 0000000030014ec8 .__secondary_cpu_entry+0x44
 S: 0000000031cc3e80 R: 0000000030014f1c .secondary_cpu_entry+0x34
 S: 0000000031cc3f00 R: 0000000030002790 secondary_wait+0x8c
--- OPAL boot ---

We need corresponding changes in op-build as well to make it signed.

Thanks
Pridhiviraj

ppaidipe <ppaidipe@linux.vnet.ibm.com> writes:
> On 2018-07-17 13:36, Stewart Smith wrote:
>> Samuel Mendoza-Jonas <sam@mendozajonas.com> writes:
>>> A few things need to change to support a signed VERSION partition:
>>>
>>> - A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE (4K).
>>> - The VERSION partition needs to be loaded after secure/trusted boot is
>>>   set up, and therefore after nvram_init().
>>> - Added to the trustedboot resources array.
>>>
>>> This also moves the ipmi_dt_add_bmc_info() call to after
>>> flash_dt_add_fw_version() since it adds info to ibm,firmware-versions.
>>>
>>> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
>>> ---
>>> v2: rebase on master to work alongside the flash_dt_add_fw_version()
>>> changes, move modifying the DT to later in the boot process and let
>>> VERSION load in the background.
>>
>> looks good to me, merged to master as of
>> 3cd749c99791d43ee929b9401fb14fc6739ce360
>
>
> On secureboot enabled platforms we are getting a boot enforce with this patch
> as VERSION partition is still not signed.
>
> [ 74.044712556,7] LPC: Routing irq 4, policy: 0 (r=1)
> [ 74.044713816,7] LPC: SerIRQ 4 using route 2 targetted at OPAL
> [ 74.049822308,5] OCC: All Chip Rdy after 0 ms
> [ 74.252505689,0] STB: VERSION verification FAILED. log=0xffffffffffff8120
> [ 74.255402552,0] STB: secure mode enforced, aborting.
> [ 74.258240099,0] Aborting!
> CPU 0018 Backtrace:
>  S: 0000000031cc3a60 R: 000000003001ae60 ._abort+0x4c
>  S: 0000000031cc3ae0 R: 00000000300a8a40 .secureboot_enforce+0x3c
>  S: 0000000031cc3b50 R: 00000000300a8f50 .secureboot_verify+0x15c
>  S: 0000000031cc3c00 R: 0000000030030a9c .flash_load_resources+0x5fc
>  S: 0000000031cc3d40 R: 0000000030018d5c .cpu_process_jobs+0xdc
>  S: 0000000031cc3e00 R: 0000000030014ec8 .__secondary_cpu_entry+0x44
>  S: 0000000031cc3e80 R: 0000000030014f1c .secondary_cpu_entry+0x34
>  S: 0000000031cc3f00 R: 0000000030002790 secondary_wait+0x8c
> --- OPAL boot ---
>
> We need corresponding changes in op-build as well to make it signed.

Agreed. Hopefully Sam has them up shortly.

On Tue, 2018-07-17 at 20:15 +1000, Stewart Smith wrote:
> ppaidipe <ppaidipe@linux.vnet.ibm.com> writes:
> > On 2018-07-17 13:36, Stewart Smith wrote:
> > > Samuel Mendoza-Jonas <sam@mendozajonas.com> writes:
> > > > A few things need to change to support a signed VERSION partition:
> > > >
> > > > - A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE (4K).
> > > > - The VERSION partition needs to be loaded after secure/trusted boot is
> > > >   set up, and therefore after nvram_init().
> > > > - Added to the trustedboot resources array.
> > > >
> > > > This also moves the ipmi_dt_add_bmc_info() call to after
> > > > flash_dt_add_fw_version() since it adds info to ibm,firmware-versions.
> > > >
> > > > Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
> > > > ---
> > > > v2: rebase on master to work alongside the flash_dt_add_fw_version()
> > > > changes, move modifying the DT to later in the boot process and let
> > > > VERSION load in the background.
> > >
> > > looks good to me, merged to master as of
> > > 3cd749c99791d43ee929b9401fb14fc6739ce360
> >
> >
> > On secureboot enabled platforms we are getting a boot enforce with this patch
> > as VERSION partition is still not signed.
> >
> > [ 74.044712556,7] LPC: Routing irq 4, policy: 0 (r=1)
> > [ 74.044713816,7] LPC: SerIRQ 4 using route 2 targetted at OPAL
> > [ 74.049822308,5] OCC: All Chip Rdy after 0 ms
> > [ 74.252505689,0] STB: VERSION verification FAILED. log=0xffffffffffff8120
> > [ 74.255402552,0] STB: secure mode enforced, aborting.
> > [ 74.258240099,0] Aborting!
> > CPU 0018 Backtrace:
> >  S: 0000000031cc3a60 R: 000000003001ae60 ._abort+0x4c
> >  S: 0000000031cc3ae0 R: 00000000300a8a40 .secureboot_enforce+0x3c
> >  S: 0000000031cc3b50 R: 00000000300a8f50 .secureboot_verify+0x15c
> >  S: 0000000031cc3c00 R: 0000000030030a9c .flash_load_resources+0x5fc
> >  S: 0000000031cc3d40 R: 0000000030018d5c .cpu_process_jobs+0xdc
> >  S: 0000000031cc3e00 R: 0000000030014ec8 .__secondary_cpu_entry+0x44
> >  S: 0000000031cc3e80 R: 0000000030014f1c .secondary_cpu_entry+0x34
> >  S: 0000000031cc3f00 R: 0000000030002790 secondary_wait+0x8c
> > --- OPAL boot ---
> >
> > We need corresponding changes in op-build as well to make it signed.
>
> Agreed. Hopefully Sam has them up shortly.
>

Yep the pieces are slowly coming together. Right now we're waiting on
https://github.com/open-power/pnor/pull/97 which in turn is waiting on a
Hostboot patch which I'm sending a V2 for soon.

On 2018-07-18 06:19, Samuel Mendoza-Jonas wrote:
> On Tue, 2018-07-17 at 20:15 +1000, Stewart Smith wrote:
>> ppaidipe <ppaidipe@linux.vnet.ibm.com> writes:
>> > On 2018-07-17 13:36, Stewart Smith wrote:
>> > > Samuel Mendoza-Jonas <sam@mendozajonas.com> writes:
>> > > > A few things need to change to support a signed VERSION partition:
>> > > >
>> > > > - A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE (4K).
>> > > > - The VERSION partition needs to be loaded after secure/trusted boot is
>> > > >   set up, and therefore after nvram_init().
>> > > > - Added to the trustedboot resources array.
>> > > >
>> > > > This also moves the ipmi_dt_add_bmc_info() call to after
>> > > > flash_dt_add_fw_version() since it adds info to ibm,firmware-versions.
>> > > >
>> > > > Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
>> > > > ---
>> > > > v2: rebase on master to work alongside the flash_dt_add_fw_version()
>> > > > changes, move modifying the DT to later in the boot process and let
>> > > > VERSION load in the background.
>> > >
>> > > looks good to me, merged to master as of
>> > > 3cd749c99791d43ee929b9401fb14fc6739ce360
>> >
>> >
>> > On secureboot enabled platforms we are getting a boot enforce with this patch
>> > as VERSION partition is still not signed.
>> >
>> > [ 74.044712556,7] LPC: Routing irq 4, policy: 0 (r=1)
>> > [ 74.044713816,7] LPC: SerIRQ 4 using route 2 targetted at OPAL
>> > [ 74.049822308,5] OCC: All Chip Rdy after 0 ms
>> > [ 74.252505689,0] STB: VERSION verification FAILED. log=0xffffffffffff8120
>> > [ 74.255402552,0] STB: secure mode enforced, aborting.
>> > [ 74.258240099,0] Aborting!
>> > CPU 0018 Backtrace:
>> >  S: 0000000031cc3a60 R: 000000003001ae60 ._abort+0x4c
>> >  S: 0000000031cc3ae0 R: 00000000300a8a40 .secureboot_enforce+0x3c
>> >  S: 0000000031cc3b50 R: 00000000300a8f50 .secureboot_verify+0x15c
>> >  S: 0000000031cc3c00 R: 0000000030030a9c .flash_load_resources+0x5fc
>> >  S: 0000000031cc3d40 R: 0000000030018d5c .cpu_process_jobs+0xdc
>> >  S: 0000000031cc3e00 R: 0000000030014ec8 .__secondary_cpu_entry+0x44
>> >  S: 0000000031cc3e80 R: 0000000030014f1c .secondary_cpu_entry+0x34
>> >  S: 0000000031cc3f00 R: 0000000030002790 secondary_wait+0x8c
>> > --- OPAL boot ---
>> >
>> > We need corresponding changes in op-build as well to make it signed.
>>
>> Agreed. Hopefully Sam has them up shortly.
>>
>
> Yep the pieces are slowly coming together. Right now we're waiting on
> https://github.com/open-power/pnor/pull/97 which in turn is waiting on a
> Hostboot patch which I'm sending a V2 for soon.

Cool.

Thanks
Pridhiviraj

diff --git a/core/flash.c b/core/flash.c index e3be5761..e258fe17 100644 --- a/core/flash.c +++ b/core/flash.c @@ -51,7 +51,7 @@ static u32 nvram_offset, nvram_size; /* ibm,firmware-versions support */ static char *version_buf; -static size_t version_buf_size = 0x1000; +static size_t version_buf_size = 0x2000; bool flash_reserve(void) { @@ -235,6 +235,8 @@ void flash_dt_add_fw_version(void) fw_version = dt_new(dt_root, "ibm,firmware-versions"); assert(fw_version); + if (stb_is_container(version_buf, version_buf_size)) + numbytes += SECURE_BOOT_HEADERS_SIZE; for ( ; (numbytes < version_buf_size) && version_buf[numbytes]; numbytes++) { if (version_buf[numbytes] == '\n') { version_data[i] = '\0'; diff --git a/core/init.c b/core/init.c index b660af2d..ca6c468c 100644 --- a/core/init.c +++ b/core/init.c @@ -1070,6 +1070,13 @@ void __noreturn __nomcount main_cpu_entry(const void *fdt) secureboot_init(); trustedboot_init(); + /* + * BMC platforms load version information from flash after + * secure/trustedboot init. + */ + if (platform.bmc) + flash_fw_version_preload(); + /* preload the IMC catalog dtb */ imc_catalog_preload(); @@ -1128,6 +1135,12 @@ void __noreturn __nomcount main_cpu_entry(const void *fdt) /* Add OPAL timer related properties */ late_init_timers(); + /* Setup ibm,firmware-versions if able */ + if (platform.bmc) { + flash_dt_add_fw_version(); + ipmi_dt_add_bmc_info(); + } + ipmi_set_fw_progress_sensor(IPMI_FW_PCI_INIT); /* diff --git a/libstb/trustedboot.c b/libstb/trustedboot.c index 8fa11790..ae2cc556 100644 --- a/libstb/trustedboot.c +++ b/libstb/trustedboot.c @@ -46,6 +46,7 @@ static struct { { RESOURCE_ID_IMA_CATALOG, PCR_2 }, { RESOURCE_ID_KERNEL, PCR_4 }, { RESOURCE_ID_CAPP, PCR_2 }, + { RESOURCE_ID_VERSION, PCR_3 }, }; /* diff --git a/platforms/astbmc/common.c b/platforms/astbmc/common.c index aa278a03..6c90b7db 100644 --- a/platforms/astbmc/common.c +++ b/platforms/astbmc/common.c 
@@ -134,9 +134,6 @@ void astbmc_init(void) astbmc_fru_init(); ipmi_sensor_init(); - /* Preload PNOR VERSION section */ - flash_fw_version_preload(); - /* Request BMC information */ ipmi_get_bmc_info_request(); @@ -150,12 +147,6 @@ void astbmc_init(void) /* Setup UART console for use by Linux via OPAL API */ set_opal_console(&uart_opal_con); - - /* Add ibm,firmware-versions node */ - flash_dt_add_fw_version(); - - /* Add BMC firmware info to device tree */ - ipmi_dt_add_bmc_info(); } int64_t astbmc_ipmi_power_down(uint64_t request)
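Review bot: In core/flash.c, the new `version_buf_size = 0x2000` is a bare literal, so nothing in the code ties it to the container header size. The commit message gives the size as 4K + SECURE_BOOT_HEADERS_SIZE; writing the initialiser as that sum, or adding a comment that says so, would keep the buffer size right if the header size ever changes.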
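Review bot: In flash_dt_add_fw_version(), the header skip `numbytes += SECURE_BOOT_HEADERS_SIZE` has no comment and is only correct if numbytes is still zero at that point, which is not visible in the hunk. A plain assignment or a one-line comment saying the secure boot container header is being skipped would make the intent clear. stb_is_container() is also passed version_buf_size, the buffer capacity, so it is worth confirming that a short or failed load cannot leave stale bytes in version_buf for the loop to parse.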
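Review bot: In the first core/init.c hunk, calling flash_fw_version_preload() after secureboot_init() and trustedboot_init() makes VERSION subject to secure boot enforcement, but neither the new comment nor the commit message says that an unsigned VERSION partition will now stop the boot in secure mode. The log posted in this thread ("STB: VERSION verification FAILED" followed by "STB: secure mode enforced, aborting.") shows that outcome, so the commit message should state the dependency on a signed VERSION image from the build side.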
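Review bot: In the second core/init.c hunk, the comment "Setup ibm,firmware-versions if able" does not record the ordering requirement between the two calls. Per the commit message, ipmi_dt_add_bmc_info() adds info to ibm,firmware-versions, which is why it was moved after flash_dt_add_fw_version(); a comment saying it must stay second would stop a later reorder from breaking it. Since the preload now runs in the background, please also confirm that flash_dt_add_fw_version() waits for the load to finish before it reads version_buf, as that is not visible here.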
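Review bot: In libstb/trustedboot.c, the new `{ RESOURCE_ID_VERSION, PCR_3 }` entry gives no reason for PCR_3, while the neighbouring entries in this hunk use PCR_2 and PCR_4. A short comment or a line in the commit message on why VERSION is measured into PCR_3 would help anyone who later has to reproduce or check the expected PCR values.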
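Review bot: In platforms/astbmc/common.c, removing the three calls from astbmc_init() leaves core/init.c as their only caller, and both call sites there are gated on platform.bmc. If any platform that uses astbmc_init() leaves platform.bmc unset, it silently loses the ibm,firmware-versions node and the BMC info; the commit message should say whether that can happen.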
A few things need to change to support a signed VERSION partition:

- A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE (4K).
- The VERSION partition needs to be loaded after secure/trusted boot is
  set up, and therefore after nvram_init().
- Added to the trustedboot resources array.

This also moves the ipmi_dt_add_bmc_info() call to after
flash_dt_add_fw_version() since it adds info to ibm,firmware-versions.

Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
---
v2: rebase on master to work alongside the flash_dt_add_fw_version()
changes, move modifying the DT to later in the boot process and let
VERSION load in the background.

 core/flash.c              |  4 +++-
 core/init.c               | 13 +++++++++++++
 libstb/trustedboot.c      |  1 +
 platforms/astbmc/common.c |  9 ---------
 4 files changed, 17 insertions(+), 10 deletions(-)
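
The layout the commit message describes, a 4K secure boot container header followed by the 4K text payload, can be read with explicit bounds checks as below. This is an added example, not code from the patch or from skiboot: `has_container_header()` is a hypothetical stand-in for `stb_is_container()`, and the magic value and the sample image are assumptions constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_SIZE      0x1000u      /* SECURE_BOOT_HEADERS_SIZE (4K) per the commit message */
#define ASSUMED_MAGIC 0x17082011u  /* assumption: big-endian container magic at offset 0 */

/* Hypothetical stand-in for stb_is_container(): size check, then magic check. */
static bool has_container_header(const uint8_t *buf, size_t size)
{
	if (!buf || size < HDR_SIZE)
		return false;
	uint32_t magic = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
			 ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
	return magic == ASSUMED_MAGIC;
}

/* Copy the first version line into out; returns its length, or -1 if empty or too long. */
static int first_version_line(const uint8_t *buf, size_t size, char *out, size_t outsz)
{
	size_t pos, n = 0;
	if (!buf || !out || outsz == 0)
		return -1;
	pos = has_container_header(buf, size) ? HDR_SIZE : 0;
	while (pos < size && buf[pos] && buf[pos] != '\n') {
		if (n + 1 >= outsz)
			return -1;	/* refuse to truncate silently */
		out[n++] = (char)buf[pos++];
	}
	out[n] = '\0';
	return n ? (int)n : -1;
}

/* Constructed sample: a header holding only the magic, then a text payload. */
static int demo_signed(char *out, size_t outsz)
{
	static const char payload[] = "open-power-demo-v0\n\tskiboot-demo\n";
	static uint8_t img[2 * HDR_SIZE];
	memset(img, 0, sizeof(img));
	img[0] = 0x17; img[1] = 0x08; img[2] = 0x20; img[3] = 0x11;
	memcpy(img + HDR_SIZE, payload, sizeof(payload) - 1);
	return first_version_line(img, sizeof(img), out, outsz);
}

int main(void)
{
	char line[64];
	return demo_signed(line, sizeof(line)) > 0 ? 0 : 1;
}
```

A buffer that holds only a header yields -1 rather than header bytes parsed as text, and an unsigned image is read from offset 0 unchanged.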