diff mbox series

opal/init: Fix VERSION verification failure by Re-ordering inits

Message ID 1518180073-14529-1-git-send-email-ppaidipe@linux.vnet.ibm.com
State Superseded
Headers show
Series opal/init: Fix VERSION verification failure by Re-ordering inits | expand

Commit Message

ppaidipe Feb. 9, 2018, 12:41 p.m. UTC 
We have currently VERSION parition loads early in the boot stage
for BMC platforms, which is not verified by STB. Currnetly STB init
depends on nvram settings, which need nvram init, nvram init depends
on pnor init. So we cannot move stb init before platform init.

So this patch fixes this issue by following below init order for BMC
platforms to have a proper verification for all the flash resources.

pnor_init --> nvram_init --> stb_init --> preload_flash_resources

In FSP platforms init remains unchanged.

With patch:
diff mbox series

Patch

===========
[   72.323520334,5] STB: Found ibm,secureboot-v2
[   72.325527132,5] STB: secure mode on (FORCED by nvram)
[   72.327668635,5] STB: trusted mode on (FORCED by nvram)
[   72.435155881,0] STB: VERSION verification FAILED. log=0xffffffffffff8120
[   72.438182717,0] STB: secure mode enforced, aborting.
[   72.441019191,0] Aborting!
CPU 0000 Backtrace:
S: 0000000031c039d0 R: 000000003001367c   .backtrace+0x48
S: 0000000031c03a60 R: 000000003001a03c   ._abort+0x4c
S: 0000000031c03ae0 R: 000000003009fd50   .secureboot_enforce+0x3c
S: 0000000031c03b50 R: 00000000300a0218   .secureboot_verify+0x148
S: 0000000031c03c00 R: 000000003002f6c4   .flash_load_resources+0x644
S: 0000000031c03d40 R: 000000003001814c   .cpu_process_jobs+0xdc
S: 0000000031c03e00 R: 0000000030014cd0   .__secondary_cpu_entry+0x44
S: 0000000031c03e80 R: 0000000030014d24   .secondary_cpu_entry+0x34
S: 0000000031c03f00 R: 0000000030002748   secondary_wait+0x8c
[   73.229430090,4] IPMI: Dropped eSEL: BMC code is buggy/missing

This verification failure is a known one which occurs due to VERSION parition
is not signed under op-build.
https://github.com/open-power/op-build/issues/1849

Signed-off-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
---
 core/init.c               |  4 ++--
 libstb/secureboot.c       |  3 +++
 libstb/trustedboot.c      |  3 +++
 platforms/astbmc/common.c | 12 ++++++++++++
 4 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/core/init.c b/core/init.c
index 5736d33..4c95f87 100644
--- a/core/init.c
+++ b/core/init.c
@@ -1010,8 +1010,8 @@  void __noreturn __nomcount main_cpu_entry(const void *fdt)
 	if (platform.init)
 		platform.init();
 
-	/* Read in NVRAM and set it up */
-	nvram_init();
+	/* Read in NVRAM and set it up, if not already done */
+	nvram_reinit();
 
 	/* Set the console level */
 	console_log_level();
diff --git a/libstb/secureboot.c b/libstb/secureboot.c
index 921aba7..36e5f5d 100644
--- a/libstb/secureboot.c
+++ b/libstb/secureboot.c
@@ -82,6 +82,9 @@  void secureboot_init(void)
 	int version;
 	size_t size;
 
+	if (secure_init)
+		return;
+
 	node = dt_find_by_path(dt_root, "/ibm,secureboot");
 	if (!node) {
 		prlog(PR_NOTICE, "secure boot not supported\n");
diff --git a/libstb/trustedboot.c b/libstb/trustedboot.c
index 151e4e1..e36a86a 100644
--- a/libstb/trustedboot.c
+++ b/libstb/trustedboot.c
@@ -82,6 +82,9 @@  void trustedboot_init(void)
 {
 	struct dt_node *node;
 
+	if (trusted_init)
+		return;
+
 	node = dt_find_by_path(dt_root, "/ibm,secureboot");
 	if (!node) {
 		prlog(PR_NOTICE, "trusted boot not supported\n");
diff --git a/platforms/astbmc/common.c b/platforms/astbmc/common.c
index 243ad94..ed57ad9 100644
--- a/platforms/astbmc/common.c
+++ b/platforms/astbmc/common.c
@@ -26,6 +26,8 @@ 
 #include <bt.h>
 #include <errorlog.h>
 #include <lpc.h>
+#include <libstb/secureboot.h>
+#include <libstb/trustedboot.h>
 
 #include "astbmc.h"
 
@@ -134,6 +136,16 @@  void astbmc_init(void)
 	astbmc_fru_init();
 	ipmi_sensor_init();
 
+	/* PNOR is initialized, we can init NVRAM */
+	nvram_init();
+
+	/*
+	 *  As PNOR flash drivers are ready we can init STB now,
+	 *  so that it can call verify and measure functions
+	 */
+        secureboot_init();
+        trustedboot_init();
+
 	/* Preload PNOR VERSION section */
 	flash_fw_version_preload();