summaryrefslogtreecommitdiff
path: root/src/soc/intel
diff options
context:
space:
mode:
authorJulius Werner <jwerner@chromium.org>2022-08-08 18:08:35 -0700
committerJulius Werner <jwerner@chromium.org>2022-09-02 23:51:29 +0000
commitd96ca2465227f29354b41ce2ea7a17f1c5b8f1c1 (patch)
tree835f9410585448932b2195bfdb7b4066204411f3 /src/soc/intel
parentb45b48de739ebaf52584bc23797869028950a535 (diff)
cbfs/vboot: Adapt to new vb2_digest API
CL:3825558 changes all vb2_digest and vb2_hash functions to take a new hwcrypto_allowed argument, to potentially let them try to call the vb2ex_hwcrypto API for hash calculation. This change will open hardware crypto acceleration up to all hash calculations in coreboot (most notably CBFS verification). As part of this change, the vb2_digest_buffer() function has been removed, so replace existing instances in coreboot with the newer vb2_hash_calculate() API. Due to the circular dependency of these changes with vboot, this patch also needs to update the vboot submodule: Updating from commit id 18cb85b5: 2load_kernel.c: Expose load kernel as vb2_api to commit id b827ddb9: tests: Ensure auxfw sync runs after EC sync This brings in 15 new commits. Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: I287d8dac3c49ad7ea3e18a015874ce8d610ec67e Reviewed-on: https://review.coreboot.org/c/coreboot/+/66561 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Jakub Czapiga <jacz@semihalf.com>
Diffstat (limited to 'src/soc/intel')
-rw-r--r--src/soc/intel/alderlake/hsphy.c29
-rw-r--r--src/soc/intel/common/block/cse/cse_lite.c8
2 files changed, 12 insertions, 25 deletions
diff --git a/src/soc/intel/alderlake/hsphy.c b/src/soc/intel/alderlake/hsphy.c
index e958d723f3..9d41600e0f 100644
--- a/src/soc/intel/alderlake/hsphy.c
+++ b/src/soc/intel/alderlake/hsphy.c
@@ -10,6 +10,7 @@
#include <device/pci_ops.h>
#include <intelblocks/cse.h>
#include <intelblocks/systemagent.h>
+#include <security/vboot/misc.h>
#include <soc/hsphy.h>
#include <soc/iomap.h>
#include <soc/pci_devs.h>
@@ -105,42 +106,28 @@ static int heci_get_hsphy_payload(void *buf, uint32_t *buf_size, uint8_t *hash_b
static int verify_hsphy_hash(void *buf, uint32_t buf_size, uint8_t *hash_buf, uint8_t hash_alg)
{
- enum vb2_hash_algorithm alg;
- uint32_t hash_size;
- uint8_t hash_calc[MAX_HASH_SIZE];
+ struct vb2_hash hash;
switch (hash_alg) {
case HASHALG_SHA256:
- alg = VB2_HASH_SHA256;
- hash_size = VB2_SHA256_DIGEST_SIZE;
+ hash.algo = VB2_HASH_SHA256;
break;
case HASHALG_SHA384:
- alg = VB2_HASH_SHA384;
- hash_size = VB2_SHA384_DIGEST_SIZE;
+ hash.algo = VB2_HASH_SHA384;
break;
case HASHALG_SHA512:
- alg = VB2_HASH_SHA512;
- hash_size = VB2_SHA512_DIGEST_SIZE;
+ hash.algo = VB2_HASH_SHA512;
break;
case HASHALG_SHA1:
default:
printk(BIOS_ERR, "Hash alg %d not supported, trying SHA384\n", hash_alg);
- alg = VB2_HASH_SHA384;
- hash_size = VB2_SHA384_DIGEST_SIZE;
+ hash.algo = VB2_HASH_SHA384;
break;
}
+ memcpy(hash.raw, hash_buf, vb2_digest_size(hash.algo));
- if (vb2_digest_buffer(buf, buf_size, alg, hash_calc, hash_size)) {
- printk(BIOS_ERR, "HSPHY SHA calculation failed\n");
- return -1;
- }
-
- if (memcmp(hash_buf, hash_calc, hash_size)) {
+ if (vb2_hash_verify(vboot_hwcrypto_allowed(), buf, buf_size, &hash) != VB2_SUCCESS) {
printk(BIOS_ERR, "HSPHY SHA hashes do not match\n");
- printk(BIOS_DEBUG, "Hash from CSME:\n");
- hexdump(hash_buf, hash_size);
- printk(BIOS_DEBUG, "Calculated hash:\n");
- hexdump(hash_calc, hash_size);
return -1;
}
diff --git a/src/soc/intel/common/block/cse/cse_lite.c b/src/soc/intel/common/block/cse/cse_lite.c
index 40ae9953ec..1d30a8d0d5 100644
--- a/src/soc/intel/common/block/cse/cse_lite.c
+++ b/src/soc/intel/common/block/cse/cse_lite.c
@@ -544,15 +544,15 @@ static bool cse_verify_cbfs_rw_sha256(const uint8_t *expected_rw_blob_sha,
const void *rw_blob, const size_t rw_blob_sz)
{
- uint8_t rw_comp_sha[VB2_SHA256_DIGEST_SIZE];
+ struct vb2_hash calculated;
- if (vb2_digest_buffer(rw_blob, rw_blob_sz, VB2_HASH_SHA256, rw_comp_sha,
- VB2_SHA256_DIGEST_SIZE)) {
+ if (vb2_hash_calculate(vboot_hwcrypto_allowed(), rw_blob, rw_blob_sz,
+ VB2_HASH_SHA256, &calculated)) {
printk(BIOS_ERR, "cse_lite: CSE CBFS RW's SHA-256 calculation has failed\n");
return false;
}
- if (memcmp(expected_rw_blob_sha, rw_comp_sha, VB2_SHA256_DIGEST_SIZE)) {
+ if (memcmp(expected_rw_blob_sha, calculated.sha256, sizeof(calculated.sha256))) {
printk(BIOS_ERR, "cse_lite: Computed CBFS RW's SHA-256 does not match with"
"the provided SHA in the metadata\n");
return false;