From patchwork Thu Aug 31 07:53:58 2017
X-Patchwork-Submitter: Claudio Carvalho
X-Patchwork-Id: 808112
From: Claudio Carvalho
To: skiboot@lists.ozlabs.org
Date: Thu, 31 Aug 2017 04:53:58 -0300
In-Reply-To: <1504166040-16531-1-git-send-email-cclaudio@linux.vnet.ibm.com>
References: <1504166040-16531-1-git-send-email-cclaudio@linux.vnet.ibm.com>
Message-Id: <1504166040-16531-2-git-send-email-cclaudio@linux.vnet.ibm.com>
Subject: [Skiboot] [PATCH 1/3] libstb/stb.c: add ibm,secureboot-v2 support

This extends libstb to add support for 'ibm,secureboot-v2' and also updates the device tree documentation accordingly.
Signed-off-by: Claudio Carvalho --- .../ibm,container-verification-code.rst | 57 ++++++++++++ doc/device-tree/ibm,secureboot.rst | 83 +++++++++++------ libstb/stb.c | 101 +++++++++++++++++++++ 3 files changed, 211 insertions(+), 30 deletions(-) create mode 100644 doc/device-tree/ibm,container-verification-code.rst diff --git a/doc/device-tree/ibm,container-verification-code.rst b/doc/device-tree/ibm,container-verification-code.rst new file mode 100644 index 0000000..9d92e7c --- /dev/null +++ b/doc/device-tree/ibm,container-verification-code.rst @@ -0,0 +1,57 @@ +.. _device-tree/ibm,container-verification-code: + +ibm,container-verification-code +=============================== + +This describes the container-verification-code from ``ibm,secureboot-v2`` +onwards. Each ``ibm,code-offset`` child node defines an offset of the +container-verification-code. + +Required properties +------------------- + +.. code-block:: none + + compatible: Either one of the following values: + + ibm,cvc-container-v1 : container-verification-code used + to verify containers version 1. + + memory-region: this points to the hostboot reserved memory where the + container-verification-code is stored. + +Example +------- + +.. code-block:: dts + + ibm,secureboot { + phandle = <0x5b>; + compatible = "ibm,secureboot-v2"; + trusted-enabled; + hw-key-hash-size = <0x40>; + hw-key-hash = <0x40d487ff 0x7380ed6a 0xd54775d5 0x795fea0d + 0xe2f541fe 0xa9db06b8 0x466a42a3 0x20e65f75 + 0xb4866546 0x17d907 0x515dc2a5 0xf9fc5095 + 0x4d6ee0c9 0xb67d219d 0xfb708535 0x1d01d6d1>; + + ibm,container-verification-code { + phandle = <0xd9>; + #address-cells = <0x1>; + #size-cells = <0x0>; + compatible = "ibm,cvc-container-v1"; + memory-region = <0x81>; + + ibm,code-offset@40 { + phandle = <0xda>; + compatible = "ibm,sha512-hash"; + reg = <0x40>; + }; + + ibm,code-offset@50 { + phandle = <0xdb>; + compatible = "ibm,container-verify"; + reg = <0x50>; + }; + }; + }; 
diff --git a/doc/device-tree/ibm,secureboot.rst b/doc/device-tree/ibm,secureboot.rst index 948c7e0..9681199 100644 --- a/doc/device-tree/ibm,secureboot.rst +++ b/doc/device-tree/ibm,secureboot.rst 
@@ -3,54 +3,77 @@ ibm,secureboot ============== -Secure boot and trusted boot relies on a code stored in the secure ROM at -manufacture time to verify and measure other codes before they are executed. -This ROM code is also referred to as ROM verification code. - -On POWER8, the presence of the ROM code is announced to skiboot (by Hostboot) -by the ``ibm,secureboot`` device tree node. - -If the system is booting up in secure mode, the ROM code is called for secure -boot to verify the integrity and authenticity of an image before it is executed. - -If the system is booting up in trusted mode, the ROM code is called for trusted -boot to calculate the SHA512 hash of an image only if the image is not a secure boot -container or the system is not booting up in secure mode. - -For further information about secure boot and trusted boot please refer to -:ref:`stb-overview`. +The ``ìbm,secureboot`` node provides secure boot and trusted boot information +up to the target OS. +Further secure and trusted boot information can be found in :ref:`stb-overview`. Required properties ------------------- .. code-block:: none - compatible: ibm,secureboot version. It is related to the ROM code version. - - hash-algo: hash algorithm used for the hw-key-hash. Aspects such as the size - of the hw-key-hash can be infered from this property. - - secure-enabled: this property exists if the system is booting in secure mode. + compatible: Either one of the following values: + + ibm,secureboot-v1 : The container-verification-code + is stored in a secure ROM memory. + + ibm,secureboot-v2 : The container-verification-code + is described by the + ibm,container-verification-code + child node, which points to the + hostboot reserved memory where + the container-verification-code + is stored. + + secure-enabled: this property exists if the firmware stack is booting + in secure mode (hardware secure boot jumper asserted). 
+ In this mode, the authenticity and integrity of every + firmware image is verified before it is executed using + the container-verification-code. If the verification + fails, the boot is halted. + + trusted-enabled: this property exists if the firmware stack is booting + in trusted mode. In this mode, every firmware image is + measured before it is executed using the + container-verification-code to calculate the SHA512 + hash of the image. Interested parties can subsequently + assess the measurements to check whether or not only + trusted events happened during the boot. + + hw-key-hash: hash of the tree hardware public keys trusted by + firmware. The three hardware keys used to sign the + firmware image are stored in the secure boot headers + prepended to the image. At runtime, the + container-verification-code compares the hash of these + three public keys against the hw-key-hash to check if + the image was signed using the hardware keys trusted by + firmware. + + hw-key-hash-size: size of hw-key-hash. Added on 'ibm,secureboot-v2'. The + container-verification-code used to verify containers + version 1, expect this to be equal to the SHA512 hash + size. + + +Obsolete properties +------------------- - trusted-enabled: this property exists if the system is booting in trusted mode. +.. code-block:: none - hw-key-hash: hash of three concatenated hardware public key. This is required - by the ROM code to verify images. + hash-algo: Superseeded by the hw-key-hash-size property in + 'ibm,secureboot-v2'. Example ------- -For the first version ``ibm,secureboot-v1``, the ROM code expects the *hw-key-hash* -to be a SHA512 hash. - .. 
code-block:: dts ibm,secureboot { - compatible = "ibm,secureboot-v1"; - hash-algo = "sha512"; + compatible = "ibm,secureboot-v2"; secure-enabled; trusted-enabled; + hw-key-hash-size = <0x40> hw-key-hash = <0x40d487ff 0x7380ed6a 0xd54775d5 0x795fea0d 0xe2f541fe 0xa9db06b8 0x466a42a3 0x20e65f75 0xb4866546 0x17d907 0x515dc2a5 0xf9fc5095 0x4d6ee0c9 0xb67d219d 0xfb708535 diff --git a/libstb/stb.c b/libstb/stb.c index da0c534..eab04eb 100644 --- a/libstb/stb.c +++ b/libstb/stb.c 
@@ -114,6 +114,105 @@ static void cvc_free(void) } } +static int c1vc_offsets(struct dt_node *parent) +{ + struct dt_node *mem_node, *node; + uint32_t mem_phandle, offset; + uint64_t mem_addr; + + c1vc = malloc(sizeof(struct container_verification_code)); + assert(c1vc); + + mem_phandle = dt_prop_get_u32(parent, "memory-region"); + mem_node = dt_find_by_phandle(dt_root, mem_phandle); + assert(mem_node); + + mem_addr = dt_get_address(mem_node, 0, NULL); + + dt_for_each_child(parent, node) { + + if (dt_node_is_compatible(node, "ibm,sha512-hash")) { + offset = dt_prop_get_u32(node, "reg"); + offset = be32_to_cpu(offset); + c1vc->sha512_addr = mem_addr + offset; + c1vc->sha512 = c1vc_sha512; + } + else if (dt_node_is_compatible(node, "ibm,container-verify")) { + offset = dt_prop_get_u32(node, "reg"); + offset = be32_to_cpu(offset); + c1vc->verify_addr = mem_addr + offset; + c1vc->verify = c1vc_verify; + } else { + prlog(PR_INFO, "unknown cvc offset %s\n", node->name); + } + } + + if (!c1vc->sha512 || !c1vc->verify) { + /** + * @fwts-label CVCV1OffsetsNotFound + * @fwts-advice This is a bug. The sha512 and verify offsets are + * required, but they were not found in the + * ibm,container-verification-code device tree node. + */ + prerror("STB: 'ibm,cvc-container-v1' init FAILED, offsets not found\n"); + goto out_error; + } + + prlog(PR_INFO, "STB: 'ibm,secureboot-v2' initialized\n"); + return 0; + +out_error: + free(c1vc); + c1vc = NULL; + return -1; +} + +static int cvc_reserved_mem_init(struct dt_node *parent) +{ + struct dt_node *node; + int rc = -1; + + hw_key_hash_size = dt_prop_get_u32(parent, "hw-key-hash-size"); + if (hw_key_hash_size != SHA512_DIGEST_LENGTH) { + /** + * @fwts-label CVCHashSizeInvalid + * @fwts-advice The hash algorithm used in secure boot container + * version 1 is sha512, which means that the hash size should be + * 64 bytes. 
Hostboot may not have indicated that correctly in + * the HDAT or skiboot may not have interpreted the HDAT + * correctly. + */ + prerror("STB: %s FAILED, hw-key-hash-size=%zd not supported\n", + __func__, hw_key_hash_size); + return -1; + } + hw_key_hash = dt_prop_get_def_size(parent, "hw-key-hash", NULL, + &hw_key_hash_size); + assert(hw_key_hash); + + dt_for_each_child(parent, node) { + if (dt_node_is_compatible(node, "ibm,container-v1-verification-code")) + rc = c1vc_offsets(node); + else + prlog(PR_INFO, "STB: %s unknown ibm,secureboot child\n", + node->name); + } + + if (rc) { + /** + * @fwts-label CompatibleCVCNotFound + * @fwts-advice Compatible Container-Verification-Code driver + * not found. If you're running the latest skiboot version, so + * probably there is a bug in either the HDAT received from + * hostboot or the HDAT parser in skiboot. + */ + prerror("STB: COULD NOT FIND a compatible " + "container-verification-code driver\n"); + return -1; + } + return 0; +} + static int c1vc_mbedtls_init(struct dt_node *node) { const char* hash_algo; @@ -237,6 +336,8 @@ void stb_init(void) rc = c1vc_rom_init(node); } else if (dt_node_is_compatible(node, "ibm,secureboot-v1-softrom")) { rc = c1vc_mbedtls_init(node); + } else if (dt_node_is_compatible(node, "ibm,secureboot-v2")) { + rc = cvc_reserved_mem_init(node); } else { /** * @fwts-label SecureBootNotCompatible
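Review bot: in the new doc/device-tree/ibm,container-verification-code.rst, the compatible string documented and used in the example, "ibm,cvc-container-v1", does not match the string the code matches on: cvc_reserved_mem_init() in libstb/stb.c tests dt_node_is_compatible(node, "ibm,container-v1-verification-code"), so a device tree written to this document would never reach c1vc_offsets() and init would fail with "COULD NOT FIND a compatible container-verification-code driver". The prerror in c1vc_offsets() also names 'ibm,cvc-container-v1', which suggests the documented string is the intended one; please make the stb.c match use the same string as the documentation and the Hostboot-provided example, and consider putting it in a single #define so the two cannot drift again.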
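Review bot: the doc/device-tree/ibm,secureboot.rst hunk has several text and example defects. The first added line uses an accented "ì" in ``ìbm,secureboot``, so the literal will not read as the node name; "hash of the tree hardware public keys" should be "three"; "Superseeded" should be "Superseded"; and "expect this to be equal to the SHA512 hash size" should be "expects". In the dts example the new line `hw-key-hash-size = <0x40>` is missing its terminating semicolon, which makes the example fail to parse with dtc. The hash-algo entry under "Obsolete properties" could also say explicitly that it is still expected on ibm,secureboot-v1 nodes, since the v1 description above no longer mentions it.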
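Review bot: in the libstb/stb.c hunk adding c1vc_offsets(), the struct is allocated with malloc() and its fields are never cleared, yet the `if (!c1vc->sha512 || !c1vc->verify)` check relies on those function pointers being NULL when a child node was missing. With uninitialised memory the check can pass and stb will later call a garbage sha512/verify pointer, which defeats the point of the offsets check in a secure-boot path; use zalloc() (or memset after malloc) so the check is meaningful. Two further points in the same hunk: the "reg" reads do `offset = dt_prop_get_u32(node, "reg"); offset = be32_to_cpu(offset);`, while the same patch uses dt_prop_get_u32() results directly for "memory-region" and "hw-key-hash-size", so either the reg offsets get an extra byte swap or the other two are missing one; please make them consistent. And in cvc_reserved_mem_init(), `dt_prop_get_def_size(parent, "hw-key-hash", NULL, &hw_key_hash_size)` overwrites hw_key_hash_size with the property length right after it was validated against SHA512_DIGEST_LENGTH, so a hw-key-hash property of the wrong length silently replaces the validated size; read the property length into a separate variable and reject a mismatch. Minor: the success message "STB: 'ibm,secureboot-v2' initialized" is printed from the container-v1 helper rather than from the v2 init function, and the CompatibleCVCNotFound advice text ("If you're running the latest skiboot version, so probably there is a bug") needs a grammar pass.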