Use hash of HBB sw signatures as SALT entry for HBI hash page table

Stephen Cprek · wghoffa · commit 6ed0e0f8820a · 2016-08-30T10:16:25.000-04:00
Change-Id: Iaa583cf12a5bdafc7f51d374a992b175c0a36663 RTC: 157314 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/28362 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
diff --git a/src/build/buildpnor/PnorUtils.pm b/src/build/buildpnor/PnorUtils.pm
@@ -28,7 +28,8 @@ package PnorUtils;
 
 use Exporter 'import';
 @EXPORT_OK = qw(loadPnorLayout getNumber traceErr trace run_command PAGE_SIZE
-                loadBinFiles findLayoutKeyByEyeCatch checkSpaceConstraints);
+                loadBinFiles findLayoutKeyByEyeCatch checkSpaceConstraints
+                getSwSignatures getBinDataFromFile);
 use strict;
 
 my $TRAC_ERR = 0;
@@ -397,4 +398,84 @@ sub adjustHbiPhysSize
     }
 }
 
+###############################################################################
+# getSwSignatures -   Extracts concatenation of sw signatures from secure
+#                     container header. Simplified to skip around to the data
+#                     needed.
+################################################################################
+sub getSwSignatures
+{
+    my ($i_file) = @_;
+
+    # Constants defined in ROM code.
+    use constant ecid_size => 16; #bytes
+    use constant sw_key_size => 132; #bytes
+
+    # Offsets defined in secure boot PLDD.
+    # Relative offset are based on the previous constant
+    use constant sw_key_count_offset => 450; #bytes
+    use constant relative_offset_to_hw_ecid_count => 73; #bytes
+    # Offset assuming Default of ECID count = 0 and SW count = 1
+    use constant relative_offset_to_sw_ecid_count => 626; #bytes
+    # Offset assuming Default of ECID count = 0
+    use constant relative_offset_to_sw_signatures => 1; #bytes
+
+    # Header info
+    my $sw_key_count = 0;
+    my $hw_ecid_count = 0;
+    my $sw_ecid_count = 0;
+    my $sw_signatures = 0;
+
+    # Get header data from file
+    my $header_data = getBinDataFromFile($i_file);
+
+    # get sw key count
+    my $cur_offset = sw_key_count_offset;
+    $sw_key_count  = unpack("x$cur_offset C", $header_data);
+
+    # get hw ecid counts
+    $cur_offset += relative_offset_to_hw_ecid_count;
+    $hw_ecid_count = unpack("x$cur_offset C", $header_data);
+
+    # Variable size elements of a secure header
+    # Note 1 sw_key is already considered in above constants
+    my $num_optional_keys = ($sw_key_count > 1) ?
+                             ($sw_key_count - 1) : 0;
+    my $variable_size_offset = ($num_optional_keys * sw_key_size)
+                                + ($hw_ecid_count * ecid_size);
+
+    # get sw ecid count
+    $cur_offset +=  relative_offset_to_sw_ecid_count + $variable_size_offset;
+    $sw_ecid_count = unpack("x$cur_offset C", $header_data);
+
+    # Variable size elements of a secure header
+    $variable_size_offset = ($sw_ecid_count * ecid_size);
+
+    # get sw signatures
+    $cur_offset +=  relative_offset_to_sw_signatures + $variable_size_offset;
+    # Get concatenation of all possible sw signatures
+    $sw_signatures = substr($header_data, $cur_offset,
+                            $sw_key_count*sw_key_size);
+
+    return $sw_signatures;
+}
+
+###############################################################################
+# getBinDataFromFile -   Extracts binary data from a given file into a variable
+################################################################################
+sub getBinDataFromFile
+{
+    my ($i_file) = @_;
+
+    my $data = 0;
+    open (BINFILE, "<", $i_file) or die "Error opening file $i_file: $!\n";
+    binmode BINFILE;
+    read(BINFILE,$data,PAGE_SIZE);
+    die "Error reading of $i_file failed" if $!;
+    close(BINFILE);
+    die "Error closing $i_file failed" if $!;
+
+    return $data;
+}
+
 1;
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
@@ -30,7 +30,8 @@
 use Cwd qw(abs_path cwd);
 use lib dirname abs_path($0);
 use PnorUtils qw(loadPnorLayout getNumber traceErr trace run_command PAGE_SIZE
-                 loadBinFiles findLayoutKeyByEyeCatch checkSpaceConstraints);
+                 loadBinFiles findLayoutKeyByEyeCatch checkSpaceConstraints
+                 getSwSignatures getBinDataFromFile);
 use Getopt::Long qw(:config pass_through);
 
 ################################################################################
@@ -88,6 +89,35 @@
     exit 0;
 }
 
+# Hardcoded defined order that binfiles should be handled.
+my %partitionDeps = ( HBB => 0,
+                      HBI => 1);
+
+# Custom sort to ensure images are handled in the correct dependency order.
+# If a dependency is not specified in the hash used, use default behavior.
+sub partitionDepSort
+{
+    # If $a exists but $b does not, set $a < $b
+    if (exists $partitionDeps{$a} && !exists $partitionDeps{$b})
+    {
+        -1
+    }
+    # If $a does not exists but $b does, set $a > $b
+    elsif (!exists $partitionDeps{$a} && exists $partitionDeps{$b})
+    {
+        1
+    }
+    # If both $a and $b exist, actually compare values.
+    elsif (exists $partitionDeps{$a} && exists $partitionDeps{$b})
+    {
+        if ($partitionDeps{$a} < $partitionDeps{$b}) {-1}
+        elsif ($partitionDeps{$a} > $partitionDeps{$b}) {1}
+        else {0}
+    }
+    # If neither $a or $b have a dependency, order doesn't matter
+    else {0}
+}
+
 ################################################################################
 # main
 ################################################################################
@@ -173,14 +203,15 @@ sub manipulateImages
         VFS_MODULE_TABLE => => "$bin_dir/$parallelPrefix.vfs_module_table.bin",
         TEMP_BIN => "$bin_dir/$parallelPrefix.temp.bin",
         PAYLOAD_TEXT => "$bin_dir/$parallelPrefix.payload_text.bin",
-        PROTECTED_PAYLOAD => "$bin_dir/$parallelPrefix.protected_payload.bin"
+        PROTECTED_PAYLOAD => "$bin_dir/$parallelPrefix.protected_payload.bin",
+        HBB_SW_SIG_FILE =>  "$bin_dir/$parallelPrefix.hbb_sw_sig.bin"
     );
 
     # Partitions that have a hash page table at the beginning of the section
     # for secureboot purposes.
     my %hashPageTablePartitions = (HBI => 1);
 
-    foreach my $key ( keys %{$i_binFilesRef})
+    foreach my $key (sort partitionDepSort  keys %{$i_binFilesRef})
     {
         my $layoutKey = findLayoutKeyByEyeCatch($key, \%$i_pnorLayoutRef);
         my $eyeCatch = $sectionHash{$layoutKey}{eyeCatch};
@@ -213,7 +244,16 @@ sub manipulateImages
                 {
                     if (exists $hashPageTablePartitions{$eyeCatch})
                     {
-                        $tempImages{hashPageTable} = genHashPageTable($bin_file, $eyeCatch);
+                        if ($eyeCatch eq "HBI")
+                        {
+                            # Pass HBB sw signatures as the salt entry.
+                            $tempImages{hashPageTable} = genHashPageTable($bin_file, $eyeCatch,
+                                                                    getBinDataFromFile($tempImages{HBB_SW_SIG_FILE}));
+                        }
+                        else
+                        {
+                            $tempImages{hashPageTable} = genHashPageTable($bin_file, $eyeCatch);
+                        }
                     }
                     # Add hash page table
                     if ($tempImages{hashPageTable} ne "" && -e $tempImages{hashPageTable})
@@ -231,7 +271,6 @@ sub manipulateImages
                             my $padSize = PAGE_SIZE - (($hashPageTableSize + VFS_MODULE_TABLE_MAX_SIZE) % PAGE_SIZE);
                             run_command("dd if=/dev/zero bs=$padSize count=1 | tr \"\\000\" \"\\377\" >> $tempImages{hashPageTable} ");
 
-
                             # Payload text section
                             run_command("cat $tempImages{hashPageTable} $tempImages{VFS_MODULE_TABLE} > $tempImages{PAYLOAD_TEXT} ");
                         }
@@ -260,6 +299,13 @@ sub manipulateImages
                     if($eyeCatch eq "HBB")
                     {
                         run_command("echo \"000000000007EF8000000000080000000000000008280000\" | xxd -r -ps -seek 6 - $tempImages{HDR_PHASE}");
+                        # Save off HBB sw signatures for use by HBI
+                        open (HBB_SW_SIG_FILE, ">", $tempImages{HBB_SW_SIG_FILE}) or die "Error opening file $tempImages{HBB_SW_SIG_FILE}: $!\n";
+                        binmode HBB_SW_SIG_FILE;
+                        print HBB_SW_SIG_FILE getSwSignatures($tempImages{HDR_PHASE});
+                        die "Error reading of $tempImages{HBB_SW_SIG_FILE} failed" if $!;
+                        close HBB_SW_SIG_FILE;
+                        die "Error closing of $tempImages{HBB_SW_SIG_FILE} failed" if $!;
                     }
                 }
                 # Add simiple version header
@@ -425,7 +471,7 @@ sub truncate_sha
 ################################################################################
 sub genHashPageTable
 {
-    my ($bin_file, $eyeCatch) = @_;
+    my ($bin_file, $eyeCatch, $saltData) = @_;
 
     # Open the file
     my $hashPageTableFile = "$bin_dir/$eyeCatch.page_hash_table";
@@ -437,11 +483,20 @@ sub genHashPageTable
 
     # Enter Salt as first entry
     my $salt_entry = 0;
-    for (my $i = 0; $i < SHA_TRUNCATE_SIZE; $i++)
+    if (defined $saltData)
+    {
+        # Use input salt data
+        $salt_entry = truncate_sha(sha512($saltData));
+    }
+    else
     {
-        $salt_entry .= sha512(rand(0x7FFFFFFFFFFFFFFF));
+        # Generate random salt data
+        for (my $i = 0; $i < SHA_TRUNCATE_SIZE; $i++)
+        {
+            $salt_entry .= sha512(rand(0x7FFFFFFFFFFFFFFF));
+        }
+        $salt_entry = truncate_sha(sha512($salt_entry));
     }
-    $salt_entry = truncate_sha(sha512($salt_entry));
     my @hashes = ($salt_entry);
     print OUTBINFILE $salt_entry;
 
diff --git a/src/build/mkrules/hbfw/img/makefile b/src/build/mkrules/hbfw/img/makefile
@@ -88,6 +88,8 @@ GEN_PNOR_IMAGE_SCRIPT = ${genPnorImages.pl:P}
 # Paramemter passed into GEN_PNOR_IMAGE_SCRIPT. Note zero filled images pass
 # EMPTY as their file name. This is so the script knows it needs to generate
 # them, rather than use an input.
+# Note: HBI depends on HBB for sw signatures. Ensure that both are passed into
+#       the same --systemBinFiles parameter for genPnorImages
 GEN_DEFAULT_BIN_FILES = HBB=${BASE_IMAGE},HBI=${EXT_IMAGE},TEST=EMPTY,TESTRO=EMPTY,HBEL=EMPTY,GUARD=EMPTY,GLOBAL=EMPTY,PAYLOAD=EMPTY,CVPD=EMPTY,MVPD=EMPTY,DJVPD=EMPTY
 DEFAULT_PNOR_LAYOUT = ${defaultPnorLayout.xml:P}
 
