diff mbox series

Recognise signed VERSION partition

Message ID 20180517042659.31143-1-sam@mendozajonas.com
State Superseded
Headers show
Series Recognise signed VERSION partition | expand

Commit Message

Sam Mendoza-Jonas May 17, 2018, 4:26 a.m. UTC 
A few things need to change to support a signed VERSION partition:

- A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE (4K).
- The VERSION partition needs to be loaded after secure/trusted boot is
  set up, and therefore after nvram_init().
- Added to the trustedboot resources array.

Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
---
Aside from the partition size changes this is an alternative take to
this earlier patch, trying to move less things around:
http://patchwork.ozlabs.org/patch/897865/
Take your pick!

 core/flash.c              | 4 +++-
 core/init.c               | 9 +++++++++
 libstb/trustedboot.c      | 1 +
 platforms/astbmc/common.c | 6 ------
 4 files changed, 13 insertions(+), 7 deletions(-)

Comments

Vasant Hegde May 21, 2018, 8:05 a.m. UTC | #1 
On 05/17/2018 09:56 AM, Samuel Mendoza-Jonas wrote:
> A few things need to change to support a signed VERSION partition:
> 
> - A signed VERSION partition will be 4K + SECURE_BOOT_HEADERS_SIZE (4K).
> - The VERSION partition needs to be loaded after secure/trusted boot is
>    set up, and therefore after nvram_init().
> - Added to the trustedboot resources array.
> 
> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

This may increase boot time slightly as it will wait for BMC to load VERSION 
partition.
Otherwise patch looks good to me.

Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>

-Vasant
diff mbox series

Patch

diff --git a/core/flash.c b/core/flash.c
index 4031e7b3..161b5c90 100644
--- a/core/flash.c
+++ b/core/flash.c
@@ -51,7 +51,7 @@  static u32 nvram_offset, nvram_size;
 
 /* ibm,firmware-versions support */
 static char *version_buf;
-static size_t version_buf_size = 0x1000;
+static size_t version_buf_size = 0x2000;
 
 bool flash_reserve(void)
 {
@@ -235,6 +235,8 @@  void flash_dt_add_fw_version(void)
 	fw_version = dt_new(dt_root, "ibm,firmware-versions");
 	assert(fw_version);
 
+	if (stb_is_container(version_buf, version_buf_size))
+		numbytes += SECURE_BOOT_HEADERS_SIZE;
 	for ( ; (numbytes < version_buf_size) && version_buf[numbytes]; numbytes++) {
 		if (version_buf[numbytes] == '\n') {
 			version_data[i] = '\0';
diff --git a/core/init.c b/core/init.c
index 3b887a24..a02304e6 100644
--- a/core/init.c
+++ b/core/init.c
@@ -1067,6 +1067,15 @@  void __noreturn __nomcount main_cpu_entry(const void *fdt)
 	secureboot_init();
 	trustedboot_init();
 
+	/*
+	 * BMC platforms load version information from flash after
+	 * secure/trustedboot init.
+	 */
+	if (platform.bmc) {
+		flash_fw_version_preload();
+		flash_dt_add_fw_version();
+	}
+
         /* preload the IMC catalog dtb */
         imc_catalog_preload();
 
diff --git a/libstb/trustedboot.c b/libstb/trustedboot.c
index 151e4e16..35b26240 100644
--- a/libstb/trustedboot.c
+++ b/libstb/trustedboot.c
@@ -46,6 +46,7 @@  static struct {
 	{ RESOURCE_ID_IMA_CATALOG, PCR_2 },
 	{ RESOURCE_ID_KERNEL, PCR_4 },
 	{ RESOURCE_ID_CAPP,   PCR_2 },
+	{ RESOURCE_ID_VERSION, PCR_3 },
 };
 
 /*
diff --git a/platforms/astbmc/common.c b/platforms/astbmc/common.c
index 243ad946..3c59f82a 100644
--- a/platforms/astbmc/common.c
+++ b/platforms/astbmc/common.c
@@ -134,9 +134,6 @@  void astbmc_init(void)
 	astbmc_fru_init();
 	ipmi_sensor_init();
 
-	/* Preload PNOR VERSION section */
-	flash_fw_version_preload();
-
 	/* As soon as IPMI is up, inform BMC we are in "S0" */
 	ipmi_set_power_state(IPMI_PWR_SYS_S0_WORKING, IPMI_PWR_NOCHANGE);
 
@@ -147,9 +144,6 @@  void astbmc_init(void)
 
 	/* Setup UART console for use by Linux via OPAL API */
 	set_opal_console(&uart_opal_con);
-
-	/* Add ibm,firmware-versions node */
-	flash_dt_add_fw_version();
 }
 
 int64_t astbmc_ipmi_power_down(uint64_t request)