From patchwork Thu Mar 15 12:31:29 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ppaidipe X-Patchwork-Id: 886209 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [103.22.144.68]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4027JM548bz9sTd for ; Thu, 15 Mar 2018 23:32:03 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 4027JL6BLWzF12X for ; Thu, 15 Mar 2018 23:32:02 +1100 (AEDT) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (mailfrom) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=ppaidipe@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4027Hz1gPZzDqjS for ; Thu, 15 Mar 2018 23:31:42 +1100 (AEDT) Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w2FCVOPx125761 for ; Thu, 15 Mar 2018 08:31:39 -0400 Received: from e06smtp15.uk.ibm.com (e06smtp15.uk.ibm.com [195.75.94.111]) by mx0a-001b2d01.pphosted.com with ESMTP id 2gqqjacnr0-1 (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT) for ; Thu, 15 Mar 2018 08:31:38 -0400 Received: from localhost by e06smtp15.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 15 Mar 2018 12:31:36 -0000 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp15.uk.ibm.com (192.168.101.145) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 15 Mar 2018 12:31:33 -0000 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w2FCVXCS34078904; Thu, 15 Mar 2018 12:31:33 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 778F1A4059; Thu, 15 Mar 2018 12:24:21 +0000 (GMT) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C9E05A404D; Thu, 15 Mar 2018 12:24:20 +0000 (GMT) Received: from localhost.in.ibm.com (unknown [9.124.31.159]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 15 Mar 2018 12:24:20 +0000 (GMT) From: Pridhiviraj Paidipeddi To: skiboot@lists.ozlabs.org Date: Thu, 15 Mar 2018 18:01:29 +0530 X-Mailer: git-send-email 2.7.4 X-TM-AS-GCONF: 00 x-cbid: 18031512-0020-0000-0000-0000040526B2 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18031512-0021-0000-0000-000042992F33 Message-Id: <1521117089-27073-1-git-send-email-ppaidipe@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-15_07:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=3 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1803150141 Subject: [Skiboot] [PATCH v2] libstb/trustedboot: Enable trusted_measure in fast-reboot path X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" Currently in fast-reboot path trusted measure is not functioning due to the tpm_cleanup happening in full IPL which un-registers all the tpms. It fails with below messages [xxx,3] STB: BOOTKERNEL NOT MEASURED. Already exited from boot services [xxx,3] STB: EV_SEPARATOR (pcr0) NOT MEASURED. No TPM registered/enabled This patch enables it by enabling the boot_services_exited flag and doing the tpm_cleanup only when trusted boot mode is OFF. Signed-off-by: Pridhiviraj Paidipeddi --- core/fast-reboot.c | 6 ++++++ libstb/tpm_chip.c | 1 + libstb/trustedboot.c | 8 ++++---- libstb/trustedboot.h | 2 ++ 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/core/fast-reboot.c b/core/fast-reboot.c index 0fe16cc..c7853d2 100644 --- a/core/fast-reboot.c +++ b/core/fast-reboot.c @@ -30,6 +30,7 @@ #include #include #include +#include "libstb/trustedboot.h" /* Flag tested by the OPAL entry code */ static volatile bool fast_boot_release; @@ -330,6 +331,11 @@ void __noreturn fast_reboot_entry(void) cpu_set_sreset_enable(true); cpu_set_ipi_enable(true); + /* We are loading the BOOTKERNEL from PNOR, in order to function + * trusted_measure, enable boot services flag + */ + boot_services_exited = false; + /* Start preloading kernel and ramdisk */ start_preload_kernel(); diff --git a/libstb/tpm_chip.c b/libstb/tpm_chip.c index 2858caf..58e5f75 100644 --- a/libstb/tpm_chip.c +++ b/libstb/tpm_chip.c @@ -313,6 +313,7 @@ int tpm_extendl(TPM_Pcr pcr, void tpm_add_status_property(void) { struct tpm_chip *tpm; list_for_each(&tpm_list, tpm, link) { + dt_check_del_prop(tpm->node, "status"); dt_add_property_string(tpm->node, "status", tpm->enabled ? "okay" : "disabled"); } diff --git a/libstb/trustedboot.c b/libstb/trustedboot.c index 151e4e1..0f1f50b 100644 --- a/libstb/trustedboot.c +++ b/libstb/trustedboot.c @@ -31,7 +31,7 @@ static bool trusted_mode = false; static bool trusted_init = false; -static bool boot_services_exited = false; +bool boot_services_exited; /* * This maps a PCR for each resource we can measure. The PCR number is @@ -127,8 +127,10 @@ int trustedboot_exit_boot_services(void) boot_services_exited = true; - if (!trusted_mode) + if (!trusted_mode) { + tpm_cleanup(); goto out_free; + } #ifdef STB_DEBUG prlog(PR_NOTICE, "ev_separator.event: %s\n", ev_separator.event); @@ -156,8 +158,6 @@ int trustedboot_exit_boot_services(void) tpm_add_status_property(); out_free: - tpm_cleanup(); - return (failed) ? -1 : 0; } diff --git a/libstb/trustedboot.h b/libstb/trustedboot.h index 3003c80..bb4fcb6 100644 --- a/libstb/trustedboot.h +++ b/libstb/trustedboot.h @@ -19,6 +19,8 @@ #include +extern bool boot_services_exited; + void trustedboot_init(void); /**