mirror of
https://github.com/Dasharo/skiboot.git
synced 2026-03-06 14:50:44 -08:00
Nayna Jain
f65d51cdfe
OS Secure Boot establishes a chain of trust from firmware to the OS. However, OS Secure Boot can only be secure if the chain of trust beneath it - from hardware to firmware - has been established by Firmware Secure Boot. This patch ensures that OS Secure Boot is enabled only if Firmware Secure Boot is enabled. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Signed-off-by: Eric Richter <erichte@linux.ibm.com> Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
40 lines
1.0 KiB
C
40 lines
1.0 KiB
C
// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
|
/* Copyright 2013-2017 IBM Corp. */
|
|
|
|
#ifndef __SECUREBOOT_H
|
|
#define __SECUREBOOT_H
|
|
|
|
#include <platform.h>
|
|
#include <device.h>
|
|
#include "container.h"
|
|
#include "cvc.h"
|
|
|
|
enum secureboot_version {
|
|
IBM_SECUREBOOT_V1,
|
|
IBM_SECUREBOOT_SOFTROM,
|
|
IBM_SECUREBOOT_V2,
|
|
};
|
|
|
|
void secureboot_enforce(void);
|
|
bool secureboot_is_compatible(struct dt_node *node, int *version, const char **compat);
|
|
void secureboot_init(void);
|
|
bool is_fw_secureboot(void);
|
|
|
|
/**
|
|
* secureboot_verify - verify a PNOR partition content
|
|
* @id : PNOR partition id
|
|
* @buf : PNOR partition content to be verified
|
|
* @len : @buf length
|
|
*
|
|
* This verifies the integrity and authenticity of @buf downloaded from PNOR if
|
|
* secure mode is on. The verification is done by the Container Verification
|
|
* Code (CVC) flashed in ROM.
|
|
*
|
|
* For more information refer to 'doc/stb.rst'
|
|
*
|
|
* returns: 0 otherwise the boot process is aborted
|
|
*/
|
|
int secureboot_verify(enum resource_id id, void *buf, size_t len);
|
|
|
|
#endif /* __SECUREBOOT_H */
|