From 35aa4355c411b2d5fa8062c8a29949b806c03445 Mon Sep 17 00:00:00 2001 From: Karthikeyan Ramasubramanian Date: Thu, 25 Aug 2022 12:52:13 -0600 Subject: [PATCH] soc/amd/mendocino: Add svc_set_fw_hash_table Add new PSP svc call to pass psp firmware hash table to the PSP. psp_verstage will verify hash table and then pass them to the PSP. The PSP will check if signed firmware contents match these hashes. This will prevent anyone replacing signed firmware in the RW region. BUG=b:203597980 TEST=Build and boot to OS in Skyrim. Change-Id: I512d359967eae925098973e90250111d6f59dd39 Signed-off-by: Karthikeyan Ramasubramanian Reviewed-on: https://review.coreboot.org/c/coreboot/+/67259 Reviewed-by: Robert Zieba Reviewed-by: Matt DeVillier Reviewed-by: Raul Rangel Tested-by: build bot (Jenkins) --- src/soc/amd/mendocino/psp_verstage/svc.c | 10 ++++++ src/soc/amd/mendocino/psp_verstage/svc.h | 4 +++ .../include/bl_uapp/bl_syscall_public.h | 31 +++++++++++++++++++ 3 files changed, 45 insertions(+) diff --git a/src/soc/amd/mendocino/psp_verstage/svc.c b/src/soc/amd/mendocino/psp_verstage/svc.c index ad52b6f394..99fcc5769e 100644 --- a/src/soc/amd/mendocino/psp_verstage/svc.c +++ b/src/soc/amd/mendocino/psp_verstage/svc.c @@ -204,3 +204,13 @@ uint32_t svc_set_platform_boot_mode(enum chrome_platform_boot_mode boot_mode) SVC_CALL2(SVC_VERSTAGE_CMD, CMD_SET_PLATFORM_BOOT_MODE, (void *)¶m, retval); return retval; } + +uint32_t svc_set_fw_hash_table(struct psp_fw_hash_table *hash_table) +{ + uint32_t retval = 0; + struct cmd_param_set_fw_hash_table param = { + .ptr_psp_fw_hash_table = hash_table, + }; + SVC_CALL2(SVC_VERSTAGE_CMD, CMD_SET_FW_HASH_TABLE, (void *)¶m, retval); + return retval; +} diff --git a/src/soc/amd/mendocino/psp_verstage/svc.h b/src/soc/amd/mendocino/psp_verstage/svc.h index 941fa763a8..354d89a2aa 100644 --- a/src/soc/amd/mendocino/psp_verstage/svc.h +++ b/src/soc/amd/mendocino/psp_verstage/svc.h @@ -141,4 +141,8 @@ struct cmd_param_set_platform_boot_mode { uint32_t boot_mode; }; +struct cmd_param_set_fw_hash_table { + struct psp_fw_hash_table *ptr_psp_fw_hash_table; +}; + #endif /* PSP_VERSTAGE_SVC_H */ diff --git a/src/vendorcode/amd/fsp/mendocino/include/bl_uapp/bl_syscall_public.h b/src/vendorcode/amd/fsp/mendocino/include/bl_uapp/bl_syscall_public.h index 48c35e54ac..ad3f31467e 100644 --- a/src/vendorcode/amd/fsp/mendocino/include/bl_uapp/bl_syscall_public.h +++ b/src/vendorcode/amd/fsp/mendocino/include/bl_uapp/bl_syscall_public.h @@ -54,6 +54,7 @@ enum verstage_cmd_id { CMD_UNMAP_FCH_IO_DEVICE, CMD_CCP_DMA, CMD_SET_PLATFORM_BOOT_MODE, + CMD_SET_FW_HASH_TABLE, }; struct mod_exp_params { @@ -152,6 +153,26 @@ enum chrome_platform_boot_mode CHROME_BOOK_BOOT_MODE_TYPE_MAX_LIMIT = 0x4, // used for boundary check }; +struct psp_fw_entry_hash_256 { + uint16_t fw_type; + uint16_t sub_type; + uint8_t sha[32]; +} __packed; + +struct psp_fw_entry_hash_384 { + uint16_t fw_type; + uint16_t sub_type; + uint8_t sha[48]; +} __packed; + +struct psp_fw_hash_table { + uint16_t version; // Version of psp_fw_hash_table, Start with 0. + uint16_t no_of_entries_256; + uint16_t no_of_entries_384; + struct psp_fw_entry_hash_256 *fw_hash_256; + struct psp_fw_entry_hash_384 *fw_hash_384; +} __packed; + /* * Exit to the main Boot Loader. This does not return back to user application. * @@ -338,6 +359,16 @@ uint32_t svc_ccp_dma(uint32_t spi_rom_offset, void *dest, uint32_t size); -----------------------------------------------------------------------------*/ uint32_t svc_set_platform_boot_mode(enum chrome_platform_boot_mode boot_mode); +/* + * Set the PSP FW hash table. + * + * Parameters: + * - hash_table - Table of hash for each PSP binary signed against SoC chain of trust + * + * Return value: BL_OK or error code + */ +uint32_t svc_set_fw_hash_table(struct psp_fw_hash_table *hash_table); + /* C entry point for the Bootloader Userspace Application */ void Main(void);