[openfirmware] [commit] r2529 - cpu/x86/pc/olpc

repository service svn at openfirmware.info
Fri Sep 23 07:01:38 CEST 2011 

Author: wmb
Date: Fri Sep 23 07:01:37 2011
New Revision: 2529
URL: http://tracker.coreboot.org/trac/openfirmware/changeset/2529

Log:
OLPC security - added require-signatures? value for unsigned booting.

Modified:
   cpu/x86/pc/olpc/security.fth

Modified: cpu/x86/pc/olpc/security.fth
==============================================================================
--- cpu/x86/pc/olpc/security.fth	Fri Sep 23 07:00:36 2011	(r2528)
+++ cpu/x86/pc/olpc/security.fth	Fri Sep 23 07:01:37 2011	(r2529)
@@ -603,8 +603,11 @@
    2drop  false                      ( good? )
 ;
 
+true value require-signatures?
+
 \ Find a sig0N: line and check its sha256/rsa signature
 : sha-valid?  ( data$ sig$ -- okay? )
+   require-signatures? 0=  if  4drop true exit  then   ( data$ sig$ )
    next-sig-in-list$  if  2drop false exit  then  ( data$ rem$ sig$ )
    2nip  " sha256" signature-good?
 ;
@@ -612,6 +615,7 @@
 \ Find two sig0N: lines, the first with sha256 and the second with rmd160,
 \ and check their signatures
 : fw-valid?  ( data$ sig$ -- okay? )
+   require-signatures? 0=  if  4drop true exit  then   ( data$ sig$ )
    2swap 2>r                                    ( sig$ r: data$ )
    next-sig-in-list$  if  2r> 2drop false exit  then  ( rem$ sig$ )
    2r@ 2swap sha-valid?  0=  if                 ( rem$ r: data$ )
@@ -737,17 +741,22 @@
 \ like "runos.zip" (the normal OS, used when an valid lease is
 \ present) or "actos.zip" (the activation version of the OS).
 
+: use-run  ( -- )  " run" cn-buf place  ;
+: use-act  ( -- )  " act" cn-buf place  ;
 : ?leased  ( -- )
-   " ak" find-tag  if
-      2drop  " run"
-   else
-      rtc-rollback?  if
-	 " act"
+   require-signatures?  if
+      " ak" find-tag  if
+         2drop  use-run
       else
-	 lease-valid?  if  " run"  else  " act"  then
+         rtc-rollback?  if
+            use-act
+         else
+            lease-valid?  if  use-run  else  use-act  then
+         then
       then
+   else
+      use-run
    then
-   cn-buf place
 ;
 
 : set-alternate  ( -- )
@@ -1208,11 +1217,13 @@
       filesystem-present?  if               ( list$ )
 
          show-dot                           ( list$ )
-         has-developer-key?  if             ( list$ )
-            2drop                           ( )
-            true to security-off?
-            show-unlock
-            true exit
+         require-signatures?  if            ( list$ )
+            has-developer-key?  if          ( list$ )
+               2drop                        ( )
+               true to security-off?
+               show-unlock
+               true exit
+            then                            ( list$ )
          then                               ( list$ )
 
          load-from-device  if               ( list$ )

More information about the openfirmware mailing list