Attention is currently required from: Jason Glenesk, Raul Rangel, Marshall Dawson, Felix Held. Kangheui Won has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/60289 )
Change subject: soc/amd/cezanne: add svc_set_fw_hash_table ......................................................................
soc/amd/cezanne: add svc_set_fw_hash_table
Add a new PSP svc call to pass the PSP firmware hash table to the PSP. psp_verstage will verify the hash table and then pass it to the PSP. The PSP will check whether the signed firmware contents match these hashes. This will prevent anyone from replacing signed firmware in the RW region.
BUG=b:203597980 TEST=build guybrush
Signed-off-by: Kangheui Won khwon@chromium.org Change-Id: I14a93917250d41c43d23d30839e4e2bc5ea2fc43 --- M src/soc/amd/cezanne/psp_verstage/svc.c M src/vendorcode/amd/fsp/cezanne/include/bl_uapp/bl_syscall_public.h 2 files changed, 39 insertions(+), 0 deletions(-)
diff --git a/src/soc/amd/cezanne/psp_verstage/svc.c b/src/soc/amd/cezanne/psp_verstage/svc.c
index e04c702..552c718 100644
--- a/src/soc/amd/cezanne/psp_verstage/svc.c
+++ b/src/soc/amd/cezanne/psp_verstage/svc.c
@@ -133,3 +133,10 @@
 	SVC_CALL3(SVC_CCP_DMA, spi_rom_offset, dest, size, retval);
 	return retval;
 }
+
+uint32_t svc_set_fw_hash_table(struct psp_fw_hash_table *hash_table)
+{
+	uint32_t retval = 0;
+	SVC_CALL1(SVC_SET_FIRMWARE_HASH_TABLE, hash_table, retval);
+	return retval;
+}
diff --git a/src/vendorcode/amd/fsp/cezanne/include/bl_uapp/bl_syscall_public.h b/src/vendorcode/amd/fsp/cezanne/include/bl_uapp/bl_syscall_public.h
index 06e9def..6a5dca5 100644
--- a/src/vendorcode/amd/fsp/cezanne/include/bl_uapp/bl_syscall_public.h
+++ b/src/vendorcode/amd/fsp/cezanne/include/bl_uapp/bl_syscall_public.h
@@ -50,6 +50,7 @@
 #define SVC_READ_TIMER_VAL 0x68
 #define SVC_SHA 0x69
 #define SVC_CCP_DMA 0x6A
+#define SVC_SET_FIRMWARE_HASH_TABLE 0x6B
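Review bot: svc_set_fw_hash_table hands hash_table straight to the PSP without stating what the caller must guarantee, although the pointed-to table itself carries two further pointers (fw_hash_256, fw_hash_384) and entry counts that the PSP will walk, and the digests in it are what the PSP will use to decide whether RW firmware is genuine. The commit message says psp_verstage verifies the table before the call, but nothing at the definition records that, so a future caller could pass an unverified or partially built table. I would add a header comment above the definition, mirroring the style used for the other wrappers in the header: `/* Hand the already-verified firmware hash table to the PSP. The table and both entry arrays it points to must be fully populated and remain readable until the call returns. */`. Whether the PSP itself bounds-checks no_of_entries_256/no_of_entries_384 against the arrays is not visible here, so the counts should be treated as part of that contract too.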
 struct mod_exp_params {
 	char *pExponent; // Exponent address
@@ -135,6 +136,26 @@
 	uint32_t Eom;
 };
+struct psp_fw_entry_hash_256 {
+	uint16_t fw_type; /* Offset 0x7c of fw_header & Offset 0x24 for key tokens */
+	uint16_t sub_type; /* Offset 0x7d of fw_header; not populated for key tokens */
+	uint8_t sha[32];
+} __attribute__((packed));
+
+struct psp_fw_entry_hash_384 {
+	uint16_t fw_type; /* Offset 0x7c of fw_header & Offset 0x24 for key tokens */
+	uint16_t sub_type; /* Offset 0x7d of fw_header; not populated for key tokens */
+	uint8_t sha[48];
+} __attribute__((packed));
+
+struct psp_fw_hash_table {
+	uint16_t version; /* Version of psp_fw_hash_table, Start with 0 */
+	uint16_t no_of_entries_256;
+	uint16_t no_of_entries_384;
+	struct psp_fw_entry_hash_256 *fw_hash_256;
+	struct psp_fw_entry_hash_384 *fw_hash_384;
+} __attribute__((packed));
+
 /*
  * Exit to the main Boot Loader. This does not return back to user application.
  *
@@ -313,6 +334,17 @@
  */
 uint32_t svc_ccp_dma(uint32_t spi_rom_offset, void *dest, uint32_t size);
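Review bot: In struct psp_fw_hash_table the two pointer members follow three uint16_t fields inside a packed struct, so fw_hash_256 sits at offset 6 and fw_hash_384 at offset 6 plus one pointer width, neither naturally aligned for a pointer. Reading the members directly is fine since the compiler emits unaligned-safe accesses for packed fields, but taking their address (`&table->fw_hash_256`) or memcpy'ing the struct onto a non-packed copy would produce an under-aligned pointer. If this layout is dictated by the PSP side of the ABI, which is presumably why it is packed, that is worth stating so nobody "fixes" the order: `/* Layout is fixed by the PSP firmware ABI; do not reorder or unpack. */`. It would also help to say what no_of_entries_256/no_of_entries_384 count, e.g. `/* number of valid elements in fw_hash_256 / fw_hash_384 */`, since the PSP will use them to walk the arrays.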
+
+/*
+ * Get the FW hash values (table) from verstage
+ *
+ * Parameters:
+ * hash_table - pointer to hash table
+ *
+ * Return value: BL_OK or error code
+ */
+uint32_t svc_set_fw_hash_table(struct psp_fw_hash_table *hash_table);
+
 /* C entry point for the Bootloader Userspace Application */
 void Main(void);