libstb/trustedboot: Enable trusted_measure in fast-reboot path

Message ID 1521092605-8926-1-git-send-email-ppaidipe@linux.vnet.ibm.com
State New
Headers show
Series
  • libstb/trustedboot: Enable trusted_measure in fast-reboot path
Related show

Commit Message

Pridhiviraj Paidipeddi March 15, 2018, 5:43 a.m.
Currently in fast-reboot path trusted measure is not functioning
due to the tpm_cleanup happening in full IPL which un-registers
all the tpms.

It fails with below messages
[xxx,3] STB: BOOTKERNEL NOT MEASURED. Already exited from boot services
[xxx,3] STB: EV_SEPARATOR (pcr0) NOT MEASURED. No TPM registered/enabled

This patch enables it by enabling the boot_services_exited flag and
doing the tpm_cleanup only when trusted boot mode is OFF.

Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
---
 core/fast-reboot.c   | 6 ++++++
 libstb/trustedboot.c | 7 ++-----
 libstb/trustedboot.h | 2 ++
 3 files changed, 10 insertions(+), 5 deletions(-)

Comments

Pridhiviraj Paidipeddi March 15, 2018, 6:04 a.m. | #1
On 2018-03-15 11:13, Pridhiviraj Paidipeddi wrote:
> Currently in fast-reboot path trusted measure is not functioning
> due to the tpm_cleanup happening in full IPL which un-registers
> all the tpms.
> 
> It fails with below messages
> [xxx,3] STB: BOOTKERNEL NOT MEASURED. Already exited from boot services
> [xxx,3] STB: EV_SEPARATOR (pcr0) NOT MEASURED. No TPM 
> registered/enabled
> 
> This patch enables it by enabling the boot_services_exited flag and
> doing the tpm_cleanup only when trusted boot mode is OFF.
> 

Stewart hold on this patch, will send a V2 with some minor cleanups.

Thanks
Pridhiviraj

Patch

diff --git a/core/fast-reboot.c b/core/fast-reboot.c
index 0fe16cc..c7853d2 100644
--- a/core/fast-reboot.c
+++ b/core/fast-reboot.c
@@ -30,6 +30,7 @@ 
 #include <ipmi.h>
 #include <direct-controls.h>
 #include <nvram.h>
+#include "libstb/trustedboot.h"
 
 /* Flag tested by the OPAL entry code */
 static volatile bool fast_boot_release;
@@ -330,6 +331,11 @@  void __noreturn fast_reboot_entry(void)
 	cpu_set_sreset_enable(true);
 	cpu_set_ipi_enable(true);
 
+	/* We are loading the BOOTKERNEL from PNOR, in order to function
+	 * trusted_measure, enable boot services flag
+	 */
+	boot_services_exited = false;
+
 	/* Start preloading kernel and ramdisk */
 	start_preload_kernel();
 
diff --git a/libstb/trustedboot.c b/libstb/trustedboot.c
index 151e4e1..9c0defc 100644
--- a/libstb/trustedboot.c
+++ b/libstb/trustedboot.c
@@ -31,7 +31,7 @@ 
 
 static bool trusted_mode = false;
 static bool trusted_init = false;
-static bool boot_services_exited = false;
+bool boot_services_exited;
 
 /*
  * This maps a PCR for each resource we can measure. The PCR number is
@@ -128,7 +128,7 @@  int trustedboot_exit_boot_services(void)
 	boot_services_exited = true;
 
 	if (!trusted_mode)
-		goto out_free;
+		tpm_cleanup();
 
 #ifdef STB_DEBUG
 	prlog(PR_NOTICE, "ev_separator.event: %s\n", ev_separator.event);
@@ -155,9 +155,6 @@  int trustedboot_exit_boot_services(void)
 	}
 	tpm_add_status_property();
 
-out_free:
-	tpm_cleanup();
-
 	return (failed) ? -1 : 0;
 }
 
diff --git a/libstb/trustedboot.h b/libstb/trustedboot.h
index 3003c80..bb4fcb6 100644
--- a/libstb/trustedboot.h
+++ b/libstb/trustedboot.h
@@ -19,6 +19,8 @@ 
 
 #include <platform.h>
 
+extern bool boot_services_exited;
+
 void trustedboot_init(void);
 
 /**