mambo: enable use of real Container Verification Code

Make skiboot.tcl able to load and use a CVC blob from a real system. This code comes from the src/securerom/ code in Hostboot. we now use this in the sreset_world and hello_world test cases when we do a secure boot run of them Signed-off-by: Stewart Smith <stewart@linux.ibm.com> [oliver: folded cvc.bin into this patch, misc fixes] Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
open-power · Nov 27, 2019 · 7004766 · 7004766
1 parent 12610da
commit 7004766
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 1 deletion.
diff --git a/external/mambo/README.md b/external/mambo/README.md
@@ -53,6 +53,17 @@ export SKIBOOT=$HOME/src/skiboot/skiboot.lid
 export SKIBOOT_AUTORUN=1
 ```
 
+### Using Real Container Verification Code for Secure Boot
+
+The CVC code dump is from a real machine, and the code is from the Hostboot
+project (see src/securerom). We just include the dump here for testing
+purposes.
+
+```
+export SKIBOOT_CVC_CODE=$HOME/src/skiboot/external/mambo/cvc.bin
+export SKIBOOT_ENABLE_MAMBO_STB=1
+```
+
 ### Run the simulator
 ```
 /opt/ibm/systemsim-p8/run/pegasus/power8 -f $HOME/src/skiboot/external/mambo/skiboot.tcl

diff --git a/external/mambo/cvc.bin b/external/mambo/cvc.bin
diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl
@@ -336,6 +336,34 @@ mysim of addprop $reserved_memory int "#size-cells" 2
 mysim of addprop $reserved_memory int "#address-cells" 2
 mysim of addprop $reserved_memory empty "ranges" ""
 
+set cvc_code_start [expr $fake_nvram_start + $fake_nvram_size]
+set cvc_code_end $cvc_code_start
+set cvc_code_size 0
+
+if { [info exists env(SKIBOOT_CVC_CODE)] } {
+    set cvc_file $env(SKIBOOT_CVC_CODE)
+
+    set cvc_code_size [file size $cvc_file]
+    mysim mcm 0 memory fread $cvc_code_start $cvc_code_size $cvc_file
+    set cvc_code_end [expr $cvc_code_start + $cvc_code_size]
+
+    # Set up Device Tree for Container Verification Code
+    set hb [mysim of addchild $root_node "ibm,hostboot" ""]
+    set hb_reserved_memory [mysim of addchild $hb "reserved-memory" ""]
+    mysim of addprop $hb_reserved_memory int "#address-cells" 2
+    mysim of addprop $hb_reserved_memory int "#size-cells" 2
+
+    set hb_cvc_code_node [mysim of addchild $hb_reserved_memory "ibm,secure-crypt-algo-code" [format %x $cvc_code_start]]
+    set reg [list $cvc_code_start $cvc_code_size]
+    mysim of addprop $hb_cvc_code_node array64 "reg" reg
+    mysim of addprop $hb_cvc_code_node empty "name" "ibm,secure-crypt-algo-code"
+
+    set cvc_code_node [mysim of addchild $reserved_memory "ibm,secure-crypt-algo-code" [format %x $cvc_code_start]]
+    set reg [list $cvc_code_start $cvc_code_size]
+    mysim of addprop $cvc_code_node array64 "reg" reg
+    mysim of addprop $cvc_code_node empty "name" "ibm,secure-crypt-algo-code"
+}
+
 set initramfs_res [mysim of addchild $reserved_memory "initramfs" ""]
 set reg [list $cpio_start $cpio_size ]
 mysim of addprop $initramfs_res array64 "reg" reg
@@ -578,10 +606,18 @@ mconfig enable_stb SKIBOOT_ENABLE_MAMBO_STB 0
 
 if { [info exists env(SKIBOOT_ENABLE_MAMBO_STB)] } {
     set stb_node [ mysim of addchild $root_node "ibm,secureboot" "" ]
-    mysim of addprop $stb_node string "compatible" "ibm,secureboot-v1-softrom"
+
+    # For P8 we still use the softrom emulation
+    if { $default_config == "PEGASUS" || ! [info exists env(SKIBOOT_CVC_CODE)] } {
+	mysim of addprop $stb_node string "compatible" "ibm,secureboot-v1-softrom"
+    } else {
+	# on P9 we can use the real CVC
+	mysim of addprop $stb_node string "compatible" "ibm,secureboot-v2"
+    }
 #    mysim of addprop $stb_node string "secure-enabled" ""
     mysim of addprop $stb_node string "trusted-enabled" ""
     mysim of addprop $stb_node string "hash-algo" "sha512"
+    mysim of addprop $stb_node int "hw-key-hash-size" 64
     set hw_key_hash {}
     lappend hw_key_hash 0x40d487ff
     lappend hw_key_hash 0x7380ed6a
@@ -600,6 +636,25 @@ if { [info exists env(SKIBOOT_ENABLE_MAMBO_STB)] } {
     lappend hw_key_hash 0xfb708535
     lappend hw_key_hash 0x1d01d6d1
     mysim of addprop $stb_node array "hw-key-hash" hw_key_hash
+
+    if { $default_config != "PEGASUS" && [info exists env(SKIBOOT_CVC_CODE)] } {
+	set cvc_node [ mysim of addchild $stb_node "ibm,cvc" "" ]
+	mysim of addprop $cvc_node string "compatible" "ibm,container-verification-code"
+	mysim of addprop $cvc_node int "memory-region" $hb_cvc_code_node
+
+	# I'm sure hardcoding these addresses will *never* cause us a problem...
+	set sha_node [ mysim of addchild $cvc_node "ibm,cvc-service" [format %x 0x40]]
+	mysim of addprop $sha_node string "name" "ibm,cvc-service"
+	mysim of addprop $sha_node string "compatible" "ibm,cvc-sha512"
+	mysim of addprop $sha_node int "reg" 0x40
+	mysim of addprop $sha_node int "version" 1
+
+	set verify_node [ mysim of addchild $cvc_node "ibm,cvc-service" [format %x 0x50]]
+	mysim of addprop $verify_node string "name" "ibm,cvc-service"
+	mysim of addprop $verify_node string "compatible" "ibm,cvc-verify"
+	mysim of addprop $verify_node int "reg" 0x50
+	mysim of addprop $verify_node int "version" 1
+    }
 }
 
 # Kernel command line args, appended to any from the device tree

diff --git a/test/hello_world/run_mambo_p9_hello_world.sh b/test/hello_world/run_mambo_p9_hello_world.sh
@@ -25,6 +25,7 @@ fi
 
 if [ -n "$SKIBOOT_ENABLE_MAMBO_STB" ]; then
     export SKIBOOT_ZIMAGE=$(pwd)/test/hello_world/hello_kernel/hello_kernel.stb
+    export SKIBOOT_CVC_CODE=$(pwd)/external/mambo/cvc.bin
 else
     export SKIBOOT_ZIMAGE=$(pwd)/test/hello_world/hello_kernel/hello_kernel
 fi

diff --git a/test/sreset_world/run_mambo_p9_sreset.sh b/test/sreset_world/run_mambo_p9_sreset.sh
@@ -25,6 +25,7 @@ fi
 
 if [ -n "$SKIBOOT_ENABLE_MAMBO_STB" ]; then
     export SKIBOOT_ZIMAGE=$(pwd)/test/sreset_world/sreset_kernel/sreset_kernel.stb
+    export SKIBOOT_CVC_CODE=$(pwd)/external/mambo/cvc.bin
 else
     export SKIBOOT_ZIMAGE=$(pwd)/test/sreset_world/sreset_kernel/sreset_kernel
 fi