Amol N Sukerkar has uploaded this change for review.


src/security/vboot: Added logic to also verify FSP_S component
and syntax change for verify_stage_if_required.

When VBOOT Stage Verification is enabled, FSP_S component needs
to be verified. This logic has been added.

TEST=Create a coreboot.rom image by enabling CONFIG_VBOOT and
CONFIG_VBOOT_STAGE_VERIFICATION. Verify that the image boots
to authenticated payload and graphics is displayed via HDMI
and Display Port.

Change-Id: I7e2323086ecddc5195d8b55b47cc71f599b5a0b8
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
M src/security/vboot/Kconfig
M src/security/vboot/Makefile.inc
M src/security/vboot/vboot_logic_ex.c
3 files changed, 57 insertions(+), 19 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/32156/1
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index e7bd3f9..036c553 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -372,6 +372,11 @@
default "$(VBOOT_SOURCE)/tests/devkeys/rhash.vbprik2"
depends on VBOOT_STAGE_VERIFICATION

+config VBOOT_2_1_FSPS_HASH_KEY
+ string "Coreboot fsps.bin Stage Hashing Key(private)"
+ default "$(VBOOT_SOURCE)/tests/devkeys/fhash.vbprik2"
+ depends on VBOOT_STAGE_VERIFICATION
+
config VBOOT_2_1_PAYLOAD_HASH_KEY
string "Coreboot PAYLOAD Stage Hashing Key(private)"
default "$(VBOOT_SOURCE)/tests/devkeys/phash.vbprik2"
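Review bot: The new VBOOT_2_1_FSPS_HASH_KEY entry defaults to a private key under `$(VBOOT_SOURCE)/tests/devkeys/` and has no `help` text saying it must be overridden for a shipping image. A key that lives in a tests directory of the source tree is presumably a publicly available development key, so a hash signed with it gives no assurance about fsps.bin if the default is kept. Suggest adding a `help` block stating that the default is a development key and that production builds must point this option at a privately held key. The neighbouring RAMSTAGE and PAYLOAD entries visible in this hunk follow the same pattern and would benefit from the same text.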
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index 1a6ca9f..1c03c78 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -338,9 +338,9 @@
rm -f $@.tmp $@.tmp.size

ifeq ($(CONFIG_VBOOT_STAGE_VERIFICATION), y)
-# Extract RAMStage and PAYLOAD and hash them
-# Since we are booting from FW_MAIN_A, RAMStage and payload are
-# extracted from FW_MAIN_A.
+# Extract RAMStage, fsps.bin and PAYLOAD and hash them
+# Since we are booting from FW_MAIN_A, RAMStage, fsps.bin
+# and payload are extracted from FW_MAIN_A.
$(obj)/ramstage.hash: $(obj)/coreboot.rom
@printf " CREATE RAMSTAGE HASH\n"
$(CBFSTOOL) $< print -r FW_MAIN_A > $<.tmp
@@ -351,6 +351,16 @@
$@.tmp $@
rm -f $<.tmp $@.tmp

+$(obj)/fsps.hash: $(obj)/coreboot.rom
+ @printf " CREATE FSPS.BIN HASH\n"
+ $(CBFSTOOL) $< extract -n $(call strip_quotes,$(CONFIG_FSP_S_CBFS)) \
+ -r FW_MAIN_A -f $@.tmp &> /dev/null
+ $(FUTILITY) --vb21 sign \
+ --type rwsig \
+ --prikey "$(CONFIG_VBOOT_2_1_FSPS_HASH_KEY)" \
+ $@.tmp $@
+ rm -f $<.tmp $@.tmp
+
$(obj)/payload.hash: $(obj)/coreboot.rom
@printf " CREATE PAYLOAD HASH\n"
$(CBFSTOOL) $< print -r FW_MAIN_A > $<.tmp
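Review bot: The fsps.hash recipe ends with `rm -f $<.tmp $@.tmp`, but it never creates `$<.tmp`; that path is `$(obj)/coreboot.rom.tmp`, which the ramstage.hash and payload.hash recipes write with `> $<.tmp`, so under parallel make this rule can delete a file another recipe is still reading. Use `rm -f $@.tmp` here. The `&> /dev/null` on the cbfstool extract is also a bash-only redirection: if the recipe shell is a POSIX sh it is parsed as backgrounding the command, so futility may sign a missing or partial `$@.tmp` and the extract's exit status is lost. Prefer `> /dev/null` (leaving stderr visible) so that a failed extraction of the FSP-S blob stops the build with a message.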
@@ -369,7 +379,8 @@
--flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS)

$(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY) \
- $(obj)/ramstage.hash $(obj)/payload.hash $(obj)/firmware.kb21
+ $(obj)/ramstage.hash $(obj)/fsps.hash $(obj)/payload.hash \
+ $(obj)/firmware.kb21
$(FUTILITY) vbutil_firmware \
--vblock21 $@ \
--keyblock "$(top)/$(obj)/firmware.kb21" \
diff --git a/src/security/vboot/vboot_logic_ex.c b/src/security/vboot/vboot_logic_ex.c
index 1b526c7..0a071f0 100644
--- a/src/security/vboot/vboot_logic_ex.c
+++ b/src/security/vboot/vboot_logic_ex.c
@@ -154,6 +154,32 @@
}
}

+/* get the hash id from component name */
+static void get_hash_id(struct vb2_id *id, const char *name)
+{
+ /* in POSTCAR stage, safely assume that we are
+ * in the process of verifying RAMSTAGE */
+ if (ENV_POSTCAR) {
+ const struct vb2_id tmp_id = VB2_ID_RAMSTAGE;
+ memcpy(id, &tmp_id, sizeof(*id));
+ } else if (ENV_RAMSTAGE) {
+ /* In RAMSTAGE, we verify FSPS and PAYLOAD,
+ * conditionally, so, get the appropriate ID */
+ if (!memcmp(name, CONFIG_CBFS_PREFIX"/payload",
+ sizeof(name))) {
+ const struct vb2_id tmp_id = VB2_ID_PAYLOAD;
+ memcpy(id, &tmp_id, sizeof(*id));
+ } else if (!memcmp(name, CONFIG_FSP_S_CBFS,
+ sizeof(name))) {
+ const struct vb2_id tmp_id = VB2_ID_FSPS;
+ memcpy(id, &tmp_id, sizeof(*id));
+ }
+ else
+ die("Invalid component");
+ } else
+ die("Invalid stage");
+}
+
/* VB2 context initialization helper function */
static void init_ctx(struct vb2_context *ctx)
{
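Review bot: In get_hash_id, `sizeof(name)` is the size of a `const char *` (4 or 8 bytes), not the length of the string, so both `memcmp` calls compare only the first few bytes of the component name. Any name that shares that short prefix with `CONFIG_CBFS_PREFIX"/payload"` or `CONFIG_FSP_S_CBFS` is given that component's hash ID, and a name shorter than the pointer size is read past its end. Compare the whole strings instead: `if (!strcmp(name, CONFIG_CBFS_PREFIX "/payload"))` and `else if (!strcmp(name, CONFIG_FSP_S_CBFS))`. The ENV_POSTCAR branch ignores `name` entirely, which is worth stating in the function comment because callers pass it in every stage.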
@@ -197,11 +223,11 @@
int rv;
uint32_t size = 0;

- printk(BIOS_INFO, "Phase 4\n");
+ printk(BIOS_INFO, "Phase 4\n");

/* init hash */
rv = vb21api_init_hash(ctx, id, &size);
- if (rv)
+ if (rv)
return rv;

/* extend hash over the body */
@@ -237,28 +263,23 @@
vboot_set_selected_region(region_device_region(&fw_main));
}

-/* Veify the stage to be executed */
-static void verify_stage(const struct region_device *rdev)
+/* Verify the stage to be executed */
+static void verify_stage(const struct region_device *rdev,
+ const char *name)
{
struct vb2_context ctx;
struct region_device fw_main;
int rv;
size_t fsize = 0;
void *map = NULL;
- const struct vb2_id* id;
+ struct vb2_id id;

/* get region memory map */
fsize = region_device_sz(rdev);
map = rdev_mmap(rdev, 0, fsize);
if (!map) die("ERROR: Stage Mapping failed");

- /* get the hash id */
- if (ENV_POSTCAR)
- id = vb2_hash_id(VB2_HASH_SHA256);
- else if (ENV_RAMSTAGE)
- id = vb2_hash_id(VB2_HASH_SHA512);
- else
- die("Invalid hash id");
+ get_hash_id(&id, name);

/* initialize the vb context and read the NV data */
init_ctx(&ctx);
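Review bot: The comment on verify_stage does not describe the new `name` parameter, which now decides which expected hash ID is checked, replacing the removed per-stage SHA256/SHA512 selection. Suggest `/* Verify the stage in rdev; name is the component name used to pick the expected hash ID (ignored in postcar) */`. verify_stage continues past the end of this hunk, so the rest of its body is not reviewed here.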
@@ -277,7 +298,7 @@
}

/* verify the hash */
- rv = verify_hash(&ctx, map, id);
+ rv = verify_hash(&ctx, map, &id);
if (rv) {
printk(BIOS_ERR, "ERROR:0x%x ", rv);
die("Stage Verification Failed");
@@ -289,13 +310,14 @@
}

/* stage verification if required */
-void verify_stage_if_required(const struct region_device *rdev)
+void verify_stage_if_required(const struct region_device *rdev,
+ const char *name)
{
if (!rdev) {
die("Invalid region device");
} else {
if (ENV_POSTCAR || ENV_RAMSTAGE)
- verify_stage(rdev);
+ verify_stage(rdev, name);
}
}
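Review bot: verify_stage_if_required validates `rdev` but not the new `name` argument, which get_hash_id passes to `memcmp` in ramstage; extend the guard to `if (!rdev || !name) die("Invalid region device or name");`. The function is not static and its signature changes here, yet the diffstat lists only Kconfig, Makefile.inc and vboot_logic_ex.c, so the prototype and every caller presumably have to be updated in this or a dependent change. `VB2_ID_FSPS`, used in get_hash_id, is likewise not defined in any file shown in this change.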



Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I7e2323086ecddc5195d8b55b47cc71f599b5a0b8
Gerrit-Change-Number: 32156
Gerrit-PatchSet: 1
Gerrit-Owner: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Gerrit-Reviewer: Aaron Durbin <adurbin@chromium.org>
Gerrit-Reviewer: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Gerrit-Reviewer: Martin Roth <martinroth@google.com>
Gerrit-Reviewer: Patrick Georgi <pgeorgi@google.com>
Gerrit-MessageType: newchange