| Stewart Smith | b7b9e55 | 2018-03-15 03:59:39 -0500 | [diff] [blame] | 1 | From 7a948065fdb903e280757eb92c70b5594298ce56 Mon Sep 17 00:00:00 2001 |
| 2 | From: Stewart Smith <stewart@linux.vnet.ibm.com> |
| 3 | Date: Thu, 15 Mar 2018 18:45:54 +1100 |
| 4 | Subject: [PATCH] Revert "Check the Section Headers in Non-Secure Mode" |
| 5 | |
| 6 | This reverts commit c82b626e6ea1d56c0d25cbd5954064e256135002. |
| 7 | |
| 8 | It breaks flashing custom skiboot (PAYLOAD) as the code checking |
| 9 | headers checks the name of the partition against the secureboot |
| 10 | header magic number, and this obviously does not work at all. |
| 11 | |
| 12 | This ends up being the case as I *believe* that older pflash |
| 13 | may clear FFS_VERS_SHA512 flag that causes hostboot to go down |
| 14 | code paths it doesn't expect. |
| 15 | |
| 16 | As always, FFS structures are full of lies :) |
| 17 | |
| 18 | Change-Id: I6f3994cd1ceb67a17b53487a45b26a9e4c10270e |
| 19 | Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com> |
| 20 | --- |
| 21 | src/include/usr/pnor/pnor_reasoncodes.H | 4 +- |
| 22 | src/include/usr/pnor/pnorif.H | 12 +----- |
| 23 | src/usr/pnor/pnor_common.C | 19 +-------- |
| 24 | src/usr/pnor/pnor_utils.C | 24 ++++++++++- |
| 25 | src/usr/pnor/pnorrp.C | 73 ++++++--------------------------- |
| 26 | src/usr/pnor/runtime/rt_pnor.C | 7 ---- |
| 27 | 6 files changed, 39 insertions(+), 100 deletions(-) |
| 28 | |
| 29 | diff --git a/src/include/usr/pnor/pnor_reasoncodes.H b/src/include/usr/pnor/pnor_reasoncodes.H |
| 30 | index e0c156e746de..589337a3be47 100644 |
| 31 | --- a/src/include/usr/pnor/pnor_reasoncodes.H |
| 32 | +++ b/src/include/usr/pnor/pnor_reasoncodes.H |
| 33 | @@ -5,7 +5,7 @@ |
| 34 | /* */ |
| 35 | /* OpenPOWER HostBoot Project */ |
| 36 | /* */ |
| 37 | -/* Contributors Listed Below - COPYRIGHT 2011,2018 */ |
| 38 | +/* Contributors Listed Below - COPYRIGHT 2011,2017 */ |
| 39 | /* [+] Google Inc. */ |
| 40 | /* [+] International Business Machines Corp. */ |
| 41 | /* */ |
| 42 | @@ -96,7 +96,6 @@ namespace PNOR |
| 43 | |
| 44 | // pnor_common.C |
| 45 | MOD_PNORCOMMON_PARSETOC = 0xC0, /**< PNOR::parseTOC */ |
| 46 | - MOD_PNORCOMMON_GETSECTIONINFO = 0xC1, /**< PNOR::getSectionInfo */ |
| 47 | |
| 48 | // spnorrp.C |
| 49 | // Note: 0xD0 is available, so should be the next one used for spnorrp. |
| 50 | @@ -188,7 +187,6 @@ namespace PNOR |
| 51 | RC_SECURE_SIZE_MISMATCH = PNOR_COMP_ID | 0x3A, |
| 52 | RC_NOT_PAGE_ALIGNED = PNOR_COMP_ID | 0x3B, |
| 53 | RC_SECURE_PRO_SIZE_MISMATCH = PNOR_COMP_ID | 0x3C, |
| 54 | - RC_BAD_HEADER_FORMAT = PNOR_COMP_ID | 0x3D, |
| 55 | |
| 56 | //@fixme-RTC:131607-Temporary value to allow HWSV compile |
| 57 | //termination_rc |
| 58 | diff --git a/src/include/usr/pnor/pnorif.H b/src/include/usr/pnor/pnorif.H |
| 59 | index b4d1a668fe8b..cef8617fdcb1 100644 |
| 60 | --- a/src/include/usr/pnor/pnorif.H |
| 61 | +++ b/src/include/usr/pnor/pnorif.H |
| 62 | @@ -5,7 +5,7 @@ |
| 63 | /* */ |
| 64 | /* OpenPOWER HostBoot Project */ |
| 65 | /* */ |
| 66 | -/* Contributors Listed Below - COPYRIGHT 2011,2018 */ |
| 67 | +/* Contributors Listed Below - COPYRIGHT 2011,2017 */ |
| 68 | /* [+] Google Inc. */ |
| 69 | /* [+] International Business Machines Corp. */ |
| 70 | /* */ |
| 71 | @@ -225,16 +225,6 @@ const char * SectionIdToString( uint32_t i_secIdIndex ); |
| 72 | */ |
| 73 | bool cmpSecurebootMagicNumber(const uint8_t* i_vaddr); |
| 74 | |
| 75 | -/** |
| 76 | - * @brief Determines whether requested PNOR section has a recognized header |
| 77 | - * @param[in] i_vaddr: vaddr of the beginning of the secureboot header. |
| 78 | - * @param[in] o_magicNumber: the read value of the header's magic number. |
| 79 | - Used for error logging purposes. Always populated. |
| 80 | - * @return bool: True if the header was recognized, false otherwise. |
| 81 | - */ |
| 82 | -bool hasKnownHeader(const uint8_t* i_vaddr, |
| 83 | - uint64_t& o_magicNumber); |
| 84 | - |
| 85 | /** |
| 86 | * @brief Determine if a PNOR section is empty by checking if first PAGE |
| 87 | * is all 0xFF's or 0x00's depending on ECC or not. |
| 88 | diff --git a/src/usr/pnor/pnor_common.C b/src/usr/pnor/pnor_common.C |
| 89 | index ceb7709b8c54..d262ebe8238f 100644 |
| 90 | --- a/src/usr/pnor/pnor_common.C |
| 91 | +++ b/src/usr/pnor/pnor_common.C |
| 92 | @@ -5,7 +5,7 @@ |
| 93 | /* */ |
| 94 | /* OpenPOWER HostBoot Project */ |
| 95 | /* */ |
| 96 | -/* Contributors Listed Below - COPYRIGHT 2014,2018 */ |
| 97 | +/* Contributors Listed Below - COPYRIGHT 2014,2017 */ |
| 98 | /* [+] Google Inc. */ |
| 99 | /* [+] International Business Machines Corp. */ |
| 100 | /* */ |
| 101 | @@ -406,20 +406,3 @@ bool PNOR::isSectionEmpty(const PNOR::SectionId i_section) |
| 102 | |
| 103 | return l_result; |
| 104 | } |
| 105 | - |
| 106 | -bool PNOR::hasKnownHeader(const uint8_t* i_vaddr, |
| 107 | - uint64_t& o_magicNumber) |
| 108 | -{ |
| 109 | - // Left symbolic constant defined in the function so it's easier to strip |
| 110 | - // out later and nothing becomes dependent on it |
| 111 | - const char VERSION_MAGIC[] = "VERSION"; |
| 112 | - const auto versionMagicSize = sizeof(VERSION_MAGIC); |
| 113 | - |
| 114 | - bool secureHeader = PNOR::cmpSecurebootMagicNumber(i_vaddr); |
| 115 | - bool versionHeader = (memcmp(i_vaddr,VERSION_MAGIC,versionMagicSize) == 0); |
| 116 | - |
| 117 | - memcpy(&o_magicNumber, i_vaddr, sizeof(o_magicNumber)); |
| 118 | - |
| 119 | - return (versionHeader || secureHeader); |
| 120 | -} |
| 121 | - |
| 122 | diff --git a/src/usr/pnor/pnor_utils.C b/src/usr/pnor/pnor_utils.C |
| 123 | index 4fcad21c635f..9e0753066a92 100644 |
| 124 | --- a/src/usr/pnor/pnor_utils.C |
| 125 | +++ b/src/usr/pnor/pnor_utils.C |
| 126 | @@ -5,7 +5,7 @@ |
| 127 | /* */ |
| 128 | /* OpenPOWER HostBoot Project */ |
| 129 | /* */ |
| 130 | -/* Contributors Listed Below - COPYRIGHT 2011,2018 */ |
| 131 | +/* Contributors Listed Below - COPYRIGHT 2011,2017 */ |
| 132 | /* [+] International Business Machines Corp. */ |
| 133 | /* */ |
| 134 | /* */ |
| 135 | @@ -328,6 +328,28 @@ PNOR::parseEntries (ffs_hdr* i_ffs_hdr, |
| 136 | #else |
| 137 | io_TOC[secId].secure = false; |
| 138 | #endif |
| 139 | + |
| 140 | + // If secureboot is compiled in, skip header if not a secure section |
| 141 | + // Otherwise always skip header as the secure flag is always false and |
| 142 | + // SpnorRp will not handle skipping the header if one is indicated in PNOR |
| 143 | + if ( (io_TOC[secId].version & FFS_VERS_SHA512) |
| 144 | + && !io_TOC[secId].secure) |
| 145 | + { |
| 146 | + //increment flash addr for sha header |
| 147 | + if (io_TOC[secId].integrity == FFS_INTEG_ECC_PROTECT) |
| 148 | + { |
| 149 | + io_TOC[secId].flashAddr += PAGESIZE_PLUS_ECC ; |
| 150 | + } |
| 151 | + else |
| 152 | + { |
| 153 | + io_TOC[secId].flashAddr += PAGESIZE ; |
| 154 | + } |
| 155 | + |
| 156 | + // now that we've skipped the header |
| 157 | + // adjust the size to reflect that |
| 158 | + io_TOC[secId].size -= PAGESIZE; |
| 159 | + } |
| 160 | + |
| 161 | } // For TOC Entries |
| 162 | |
| 163 | #ifndef BOOTLOADER |
| 164 | diff --git a/src/usr/pnor/pnorrp.C b/src/usr/pnor/pnorrp.C |
| 165 | index 1262db0b889f..e33a1b0c377c 100644 |
| 166 | --- a/src/usr/pnor/pnorrp.C |
| 167 | +++ b/src/usr/pnor/pnorrp.C |
| 168 | @@ -489,8 +489,6 @@ errlHndl_t PnorRP::getSectionInfo( PNOR::SectionId i_section, |
| 169 | { |
| 170 | TRACDCOMP( g_trac_pnor, "PnorRP::getSectionInfo: i_section=%d, id=%d", i_section, iv_TOC[i_section].id ); |
| 171 | |
| 172 | - uint64_t l_sectionVaddr = iv_TOC[id].virtAddr; |
| 173 | - uint64_t l_sectionSize = iv_TOC[id].size; |
| 174 | // copy my data into the external format |
| 175 | o_info.id = iv_TOC[id].id; |
| 176 | o_info.name = SectionIdToString(id); |
| 177 | @@ -504,17 +502,16 @@ errlHndl_t PnorRP::getSectionInfo( PNOR::SectionId i_section, |
| 178 | // sections in SPnorRP's address space |
| 179 | if (o_info.secure) |
| 180 | { |
| 181 | - uint8_t* l_vaddrPtr = |
| 182 | - reinterpret_cast<uint8_t*>(l_sectionVaddr); |
| 183 | + uint8_t* l_vaddr = reinterpret_cast<uint8_t*>(iv_TOC[id].virtAddr); |
| 184 | // By adding VMM_VADDR_SPNOR_DELTA twice we can translate a pnor |
| 185 | - // address into a secure pnor address, since pnor, temp, and |
| 186 | - // spnor spaces are equidistant. |
| 187 | + // address into a secure pnor address, since pnor, temp, and spnor |
| 188 | + // spaces are equidistant. |
| 189 | // See comments in SPnorRP::verifySections() method in spnorrp.C |
| 190 | // and the definition of VMM_VADDR_SPNOR_DELTA in vmmconst.h |
| 191 | // for specifics. |
| 192 | - l_sectionVaddr = reinterpret_cast<uint64_t>(l_vaddrPtr) |
| 193 | - + VMM_VADDR_SPNOR_DELTA |
| 194 | - + VMM_VADDR_SPNOR_DELTA; |
| 195 | + o_info.vaddr = reinterpret_cast<uint64_t>(l_vaddr) |
| 196 | + + VMM_VADDR_SPNOR_DELTA |
| 197 | + + VMM_VADDR_SPNOR_DELTA; |
| 198 | |
| 199 | // Get size of the secured payload for the secure section |
| 200 | // Note: the payloadSize we get back is untrusted because |
| 201 | @@ -524,7 +521,7 @@ errlHndl_t PnorRP::getSectionInfo( PNOR::SectionId i_section, |
| 202 | // and has valid beginning bytes. For optional Secure PNOR sections. |
| 203 | |
| 204 | SECUREBOOT::ContainerHeader l_conHdr; |
| 205 | - l_errhdl = l_conHdr.setHeader(l_vaddrPtr); |
| 206 | + l_errhdl = l_conHdr.setHeader(l_vaddr); |
| 207 | if (l_errhdl) |
| 208 | { |
| 209 | TRACFCOMP(g_trac_pnor, ERR_MRK"PnorRP::getSectionInfo: setheader failed"); |
| 210 | @@ -560,69 +557,25 @@ errlHndl_t PnorRP::getSectionInfo( PNOR::SectionId i_section, |
| 211 | } |
| 212 | |
| 213 | // skip secure header for secure sections at this point in time |
| 214 | - l_sectionVaddr += PAGESIZE; |
| 215 | + o_info.vaddr += PAGESIZE; |
| 216 | // now that we've skipped the header we also need to adjust the |
| 217 | // size of the section to reflect that. |
| 218 | // Note: For unsecured sections, the header skip and size decrement |
| 219 | // was done previously in pnor_common.C |
| 220 | - l_sectionSize -= PAGESIZE; |
| 221 | + o_info.size -= PAGESIZE; |
| 222 | |
| 223 | // cache the value in SectionInfo struct so that we can |
| 224 | // parse the container header less often |
| 225 | o_info.secureProtectedPayloadSize = payloadTextSize; |
| 226 | } |
| 227 | -#else |
| 228 | - // If secureboot is not compiled, still check the sections that are |
| 229 | - // marked with sha512 tag in the xml to catch sections without fake |
| 230 | - // headers. If we expect a header to be present and it's not, |
| 231 | - // the virtual address of the section will not be pointing to the |
| 232 | - // correct offset into the section. |
| 233 | - if(iv_TOC[id].version & FFS_VERS_SHA512) |
| 234 | + else |
| 235 | +#endif |
| 236 | { |
| 237 | - uint64_t l_magicNumber = 0; |
| 238 | - bool l_knownHeader = PNOR::hasKnownHeader( |
| 239 | - reinterpret_cast<uint8_t*>(l_sectionVaddr), |
| 240 | - l_magicNumber); |
| 241 | - if(!l_knownHeader) |
| 242 | - { |
| 243 | - TRACFCOMP(g_trac_pnor, ERR_MRK"PnorRP::getSectionInfo: " |
| 244 | - "The header of the partition %s" |
| 245 | - " is not of a known header format. Magic number" |
| 246 | - " = 0x%016llx", |
| 247 | - PNOR::SectionIdToString(id), |
| 248 | - l_magicNumber); |
| 249 | - /*@ |
| 250 | - * @errortype ERRORLOG::ERRL_SEV_UNRECOVERABLE |
| 251 | - * @moduleid PNOR::MOD_PNORCOMMON_GETSECTIONINFO |
| 252 | - * @reasoncode PNOR::RC_BAD_HEADER_FORMAT |
| 253 | - * @userdata1 Partition ID |
| 254 | - * @userdata2 Partition's magic number |
| 255 | - * @devdesc Error parsing partition header |
| 256 | - * @custdesc Boot firmware integrity error; |
| 257 | - * reinstall the boot firmware |
| 258 | - */ |
| 259 | - l_errhdl = new ERRORLOG::ErrlEntry( |
| 260 | - ERRORLOG::ERRL_SEV_UNRECOVERABLE, |
| 261 | - PNOR::MOD_PNORCOMMON_GETSECTIONINFO, |
| 262 | - PNOR::RC_BAD_HEADER_FORMAT, |
| 263 | - id, |
| 264 | - l_magicNumber, |
| 265 | - true/*SW Error*/); |
| 266 | - l_errhdl->collectTrace(PNOR_COMP_NAME); |
| 267 | - l_errhdl->collectTrace(SECURE_COMP_NAME); |
| 268 | - break; |
| 269 | - } |
| 270 | - // Skip the fake header in memory after we've checked it. |
| 271 | - // The vaddr of the parition will now point to the start |
| 272 | - // of the actual partition. |
| 273 | - l_sectionSize -= PAGESIZE; |
| 274 | - l_sectionVaddr += PAGESIZE; |
| 275 | + o_info.vaddr = iv_TOC[id].virtAddr; |
| 276 | } |
| 277 | |
| 278 | -#endif |
| 279 | o_info.flashAddr = iv_TOC[id].flashAddr; |
| 280 | - o_info.size = l_sectionSize; |
| 281 | - o_info.vaddr = l_sectionVaddr; |
| 282 | + o_info.size = iv_TOC[id].size; |
| 283 | o_info.eccProtected = ((iv_TOC[id].integrity & FFS_INTEG_ECC_PROTECT) |
| 284 | != 0) ? true : false; |
| 285 | o_info.sha512Version = ((iv_TOC[id].version & FFS_VERS_SHA512) |
| 286 | diff --git a/src/usr/pnor/runtime/rt_pnor.C b/src/usr/pnor/runtime/rt_pnor.C |
| 287 | index 02b230456661..ba23cecb5ab4 100644 |
| 288 | --- a/src/usr/pnor/runtime/rt_pnor.C |
| 289 | +++ b/src/usr/pnor/runtime/rt_pnor.C |
| 290 | @@ -263,13 +263,6 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section, |
| 291 | o_info.sha512perEC = |
| 292 | (iv_TOC[i_section].version & FFS_VERS_SHA512_PER_EC) ? true : false; |
| 293 | o_info.secure = iv_TOC[i_section].secure; |
| 294 | -#ifndef CONFIG_SECUREBOOT |
| 295 | - if(iv_TOC[i_section].version & FFS_VERS_SHA512) |
| 296 | - { |
| 297 | - o_info.size -= PAGESIZE; |
| 298 | - o_info.vaddr += PAGESIZE; |
| 299 | - } |
| 300 | -#endif |
| 301 | } while (0); |
| 302 | |
| 303 | TRACFCOMP(g_trac_pnor, EXIT_MRK"RtPnor::getSectionInfo %d", i_section); |
| 304 | -- |
| 305 | 2.14.3 |
| 306 | |