Skip to content

Commit

Permalink
Remove Secure Boot workarounds
Browse files Browse the repository at this point in the history 
- Removing the magic number checks that would block sb functionality
  if things didn't appear secure
- Remove Best Effort Policy and all of its related code
- Remove the legacy PCR extension
- Remove the non-secure header preservation path.
- Always load HB base image header from the bl to hb data path
  vs settings unsecurely out of pnor

Change-Id: Ie638384ac50ed47850985c959ea7a32e5757d64e
RTC: 178520
RTC: 155374
RTC: 173489
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49925
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
  • Loading branch information
@dcrowell77
Stephen Cprek authored and dcrowell77 committed Dec 18, 2017
1 parent 8392e4f commit 9ae6e95
Show file tree
Hide file tree
Showing 22 changed files with 121 additions and 720 deletions.
11 changes: 0 additions & 11 deletions src/bootloader/bootloader.C
View file
Expand Up @@ -284,9 +284,6 @@ namespace Bootloader{
// Terminate if a valid securerom is not present
else if ( !g_blData->secureRomValid )
{
#ifdef CONFIG_SECUREBOOT_BEST_EFFORT
BOOTLOADER_TRACE(BTLDR_TRC_MAIN_VERIFY_NO_EYECATCH);
#else
BOOTLOADER_TRACE(BTLDR_TRC_MAIN_VERIFY_INVALID_SECROM);
/*@
* @errortype
Expand All @@ -301,15 +298,7 @@ namespace Bootloader{
*/
bl_terminate(Bootloader::MOD_BOOTLOADER_VERIFY,
SECUREBOOT::RC_SECROM_INVALID);
#endif
}
#ifdef CONFIG_SECUREBOOT_BEST_EFFORT
else if ( !PNOR::cmpSecurebootMagicNumber(
reinterpret_cast<const uint8_t*>(i_pContainer)))
{
BOOTLOADER_TRACE(BTLDR_TRC_MAIN_VERIFY_NO_MAGIC_NUM);
}
#endif
else
{
// Set startAddr to ROM_verify() function at an offset of Secure ROM
Expand Down
14 changes: 7 additions & 7 deletions src/build/buildpnor/genPnorImages.pl
View file
Expand Up @@ -234,7 +234,6 @@
}
}

# @TODO RTC: 155374 add official signing support including up to 3 sw keys
# Signing and Dev key directory location set via env vars
my $SIGNING_DIR = $ENV{'SIGNING_DIR'};
my $DEV_KEY_DIR = $ENV{'DEV_KEY_DIR'};
Expand Down Expand Up @@ -672,7 +671,6 @@ sub manipulateImages
{
$eccless_prefix.=".header";
# Add secure container header
# @TODO RTC:155374 Remove when official signing supported
if ($secureboot && $isSpecialSecure)
{
$callerHwHdrFields{configure} = 1;
Expand Down Expand Up @@ -727,7 +725,7 @@ sub manipulateImages
}
else
{
# @TODO RTC:155374 Remove when official signing
# @TODO RTC:183183 Remove when official signing
# supported
run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{PROTECTED_PAYLOAD} -bin $tempImages{PAYLOAD_TEXT} $SIGN_BUILD_PARAMS");
}
Expand All @@ -745,7 +743,7 @@ sub manipulateImages
}
else
{
# @TODO RTC:155374 Remove when official signing
# @TODO RTC:183183 Remove when official signing
# supported
run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{PROTECTED_PAYLOAD} -bin $bin_file.protected $SIGN_BUILD_PARAMS");
}
Expand All @@ -765,7 +763,7 @@ sub manipulateImages
}
else
{
# @TODO RTC:155374 Remove when official signing
# @TODO RTC:183183 Remove when official signing
# supported
run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{HDR_PHASE} -bin $bin_file $SIGN_BUILD_PARAMS");
}
Expand Down Expand Up @@ -804,7 +802,7 @@ sub manipulateImages
}
else
{
# @TODO RTC:155374 Remove when official signing
# @TODO RTC:183183 Remove when official signing
# supported
run_command("$SIGNING_DIR/build -good -if "
. "$secureboot_hdr -of $tempImages{HDR_PHASE} -bin "
Expand All @@ -821,6 +819,7 @@ sub manipulateImages
. "--protectedPayload $bin_file "
. "--out $tempImages{HDR_PHASE}");
}
# @TODO RTC:183183 Remove when official signing supported
else # attach the legacy header
{
run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");
Expand Down Expand Up @@ -924,7 +923,7 @@ sub manipulateImages
}
else
{
# @TODO RTC:155374 Remove when official signing
# @TODO RTC:183183 Remove when official signing
# supported
run_command("$SIGNING_DIR/build -good -if $secureboot_hdr -of $tempImages{PAD_PHASE} -bin $tempImages{TEMP_BIN} $SIGN_BUILD_PARAMS");
}
Expand All @@ -941,6 +940,7 @@ sub manipulateImages
. "--protectedPayload $tempImages{TEMP_BIN} "
. "--out $tempImages{PAD_PHASE}");
}
# @TODO RTC:183183 Remove when official signing supported
else # Attach legacy header
{
run_command("env echo -en VERSION\\\\0 > $tempImages{TEMP_SHA_IMG}");
Expand Down
6 changes: 1 addition & 5 deletions src/include/bootloader/bootloader_trace.H
View file
Expand Up @@ -68,11 +68,7 @@ enum BootloaderTraces
/** Bootloader main copy HBB to running location done */
BTLDR_TRC_MAIN_COPY_HBB_DONE = 0x16,

/** Bootloader main verifyContainer skip verification - no eyecatch */
BTLDR_TRC_MAIN_VERIFY_NO_EYECATCH = 0x17,

/** Bootloader main verifyContainer skip verification - no magic number */
BTLDR_TRC_MAIN_VERIFY_NO_MAGIC_NUM = 0x18,
/** Unused hole from previously used traces */

/** Bootloader main verifyContainer skip verification - SAB unset */
BTLDR_TRC_MAIN_VERIFY_SAB_UNSET = 0x19,
Expand Down
45 changes: 0 additions & 45 deletions src/include/usr/pnor/pnorif.H
View file
Expand Up @@ -36,9 +36,6 @@
namespace PNOR
{

// @TODO RTC:155374 Remove this in the future
extern const size_t BEST_EFFORT_NUM_BYTES;

/**
* Information about a side of PNOR
*/
Expand Down Expand Up @@ -228,48 +225,6 @@ const char * SectionIdToString( uint32_t i_secIdIndex );
*/
bool cmpSecurebootMagicNumber(const uint8_t* i_vaddr);

// @TODO RTC 173489
// Remove API once FSP fully supports signing of PNOR sections that did not
// previously have a sha512 header
/**
* @brief Determines whether requested PNOR section has a recognized header
*
* @param[in] i_secId ID of requested section
* @param[in] i_TOC TOC entry for requested section
* @param[out] o_knownHeader Whether header was recognized or not
*
* @return errlHndl_t Error log handle
* @retval nullptr Success! Output parameter valid
* @retval !nullptr Error log pointer; output parameter invalid
*/
errlHndl_t hasKnownHeader(
PNOR::SectionId i_secId,
const PNOR::SectionData_t& i_TOC,
bool& o_knownHeader);

// @TODO RTC 173489
// Remove API once FSP fully supports signing of PNOR sections that did not
// previously have a sha512 header
/**
* @brief Read first few bytes of requested section's "potential" header
*
* @param[in] i_secId ID of requested section
* @param[in] i_TOC TOC entry for requested section
* @param[in] i_size Number of bytes to read from the beginning of the
* requested section
* @param[in] o_pData Pointer to a buffer of at least "i_size" bytes to
* hold the returned data. Asserts if nullptr
*
* @return errlHndl_t Error log handle
* @retval nullptr Success! Requested bytes read to output buffer
* @retval !nullptr Error log pointer; output buffer invalid
*/
errlHndl_t readHeaderMagic(
PNOR::SectionId i_secId,
const PNOR::SectionData_t& i_TOC,
size_t i_size,
void* o_pData);

/**
* @brief Determine if a PNOR section is empty by checking if first PAGE
* is all 0xFF's or 0x00's depending on ECC or not.
Expand Down
26 changes: 3 additions & 23 deletions src/include/usr/secureboot/header.H
View file
Expand Up @@ -59,34 +59,14 @@ namespace SECUREBOOT
iv_data=NULL;
}

// @TODO RTC 178520 Converge to single method of reading
// secure header

/**
* @brief Extracts base image (HBB) header (ECC removed) from
* security area preserved across the bootloader to HBB
* handoff to support extending HBB measurements to TPM in
* secure mode.
* area preserved across the bootloader to HBB handoff to
* support extending HBB measurements to TPM
*
* @warning Asserts if header is already cached (code bug)
*/
void loadSecurely();

// @TODO RTC 178520 Converge to single method of reading
// secure header

/**
* @brief Caches non-secure PNOR copy of the base image (HBB)
* header (ECC removed) to support extending HBB measurements
* to TPM in non-secure mode.
*
* @param[in] i_pHeader Pointer to non-secure 4k HBB header
* extracted from PNOR.
*
* @warning Carries all the same warnings as _set
*/
void setNonSecurely(
const void* i_pHeader);
void loadHeader();

/**
* @brief Return pointer to base image (HBB) header.
Expand Down
6 changes: 0 additions & 6 deletions src/include/usr/secureboot/service.H
View file
Expand Up @@ -330,12 +330,6 @@ namespace SECUREBOOT
*/
bool allowAttrOverrides();

/* Definition in settings.H */
bool bestEffortPolicy();

/* Definition in securerommgr.H */
bool secureRomValidPolicy();

/*
* @brief Gets the current SBE security mode value from the secureboot
* subsystem
Expand Down
11 changes: 1 addition & 10 deletions src/include/usr/secureboot/settings.H
View file
Expand Up @@ -90,8 +90,7 @@ namespace SECUREBOOT
class Settings
{
public:
Settings() : iv_enabled(false),
iv_bestEffortPolicy(false) { _init(); };
Settings() : iv_enabled(false) { _init(); };
~Settings() {};

/** @brief Determine if Secureboot is enabled. */
Expand Down Expand Up @@ -136,13 +135,6 @@ namespace SECUREBOOT
TARGETING::Target* i_pProc
= TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL) const;

/** @brief Determines if the Secureboot best effort policy is
* enabled. Uses knowledge of compile config options and
* secure mode enabled
* @return bool - True if enabled, false otherwise
*/
bool getBestEffortPolicy() const;

private:
void _init();

Expand Down Expand Up @@ -192,7 +184,6 @@ namespace SECUREBOOT

/** Cached secure boot enabled value */
bool iv_enabled;
bool iv_bestEffortPolicy;
};
}

Expand Down

0 comments on commit 9ae6e95

Please sign in to comment.