discover: Recognise and open LUKS encrypted partitions
[petitboot] / discover / platform-powerpc.c
index 84e18ccca5c51e73edc93585cbefe1a30b822598..5d7cc597697f683fda11a439a0e2cc278d24f493 100644 (file)
@@ -8,12 +8,14 @@
 #include <sys/wait.h>
 #include <sys/stat.h>
 #include <asm/byteorder.h>
+#include <limits.h>
 
 #include <file/file.h>
 #include <talloc/talloc.h>
 #include <list/list.h>
 #include <log/log.h>
 #include <process/process.h>
+#include <crypt/crypt.h>
 
 #include "hostboot.h"
 #include "platform.h"
@@ -25,15 +27,20 @@ static const char *sysparams_dir = "/sys/firmware/opal/sysparams/";
 static const char *devtree_dir = "/proc/device-tree/";
 
 struct platform_powerpc {
-       struct param_list params;
+       struct param_list *params;
        struct ipmi     *ipmi;
-       bool            ipmi_bootdev_persistent;
+       char            *ipmi_mailbox_original_config;
        int             (*get_ipmi_bootdev)(
                                struct platform_powerpc *platform,
                                uint8_t *bootdev, bool *persistent);
        int             (*clear_ipmi_bootdev)(
                                struct platform_powerpc *platform,
                                bool persistent);
+       int             (*get_ipmi_boot_mailbox)(
+                               struct platform_powerpc *platform,
+                               char **buf);
+       int             (*clear_ipmi_boot_mailbox)(
+                               struct platform_powerpc *platform);
        int             (*set_os_boot_sensor)(
                                struct platform_powerpc *platform);
        void            (*get_platform_versions)(struct system_info *info);
@@ -89,13 +96,13 @@ static int parse_nvram_params(struct platform_powerpc *platform,
                if (namelen == 0)
                        continue;
 
-               if (!param_list_is_known_n(&platform->params, name, namelen))
+               if (!param_list_is_known_n(platform->params, name, namelen))
                        continue;
 
                *value = '\0';
                value++;
 
-               param_list_set(&platform->params, name, value, false);
+               param_list_set(platform->params, name, value, false);
        }
 
        return 0;
@@ -145,7 +152,7 @@ static int write_nvram(struct platform_powerpc *platform)
        process->path = "nvram";
        process->argv = argv;
 
-       param_list_for_each(&platform->params, param) {
+       param_list_for_each(platform->params, param) {
                char *paramstr;
 
                if (!param->modified)
@@ -368,6 +375,7 @@ static int get_ipmi_bootdev_ipmi(struct platform_powerpc *platform,
 {
        uint16_t resp_len;
        uint8_t resp[8];
+       char *debug_buf;
        int rc;
        uint8_t req[] = {
                0x05, /* parameter selector: boot flags */
@@ -392,10 +400,9 @@ static int get_ipmi_bootdev_ipmi(struct platform_powerpc *platform,
                return -1;
        }
 
-       pb_debug("IPMI get_bootdev response:\n");
-       for (int i = 0; i < resp_len; i++)
-               pb_debug("%x ", resp[i]);
-       pb_debug("\n");
+       debug_buf = format_buffer(platform, resp, resp_len);
+       pb_debug_fn("IPMI get_bootdev response:\n%s\n", debug_buf);
+       talloc_free(debug_buf);
 
        if (resp[0] != 0) {
                pb_log("platform: non-zero completion code %d from IPMI req\n",
@@ -429,6 +436,211 @@ static int get_ipmi_bootdev_ipmi(struct platform_powerpc *platform,
        return 0;
 }
 
+static int get_ipmi_boot_mailbox_block(struct platform_powerpc *platform,
+               char *buf, uint8_t block)
+{
+       size_t blocksize = 16;
+       uint8_t resp[3 + 16];
+       uint16_t resp_len;
+       char *debug_buf;
+       int rc;
+       uint8_t req[] = {
+               0x07,  /* parameter selector: boot initiator mailbox */
+               block, /* set selector */
+               0x00,  /* no block selector */
+       };
+
+       resp_len = sizeof(resp);
+       rc = ipmi_transaction(platform->ipmi, IPMI_NETFN_CHASSIS,
+                       IPMI_CMD_CHASSIS_GET_SYSTEM_BOOT_OPTIONS,
+                       req, sizeof(req),
+                       resp, &resp_len,
+                       ipmi_timeout);
+       if (rc) {
+               pb_log("platform: error reading IPMI boot options\n");
+               return -1;
+       }
+
+       if (resp_len < sizeof(resp)) {
+               if (resp_len < 3) {
+                       pb_log("platform: unexpected length (%d) in "
+                                       "boot options mailbox response\n",
+                                       resp_len);
+                       return -1;
+               }
+
+               if (resp_len == 4) {
+                       pb_debug_fn("block %hu empty\n", block);
+                       return 0;
+               }
+
+               blocksize = sizeof(resp) - 3;
+               pb_debug_fn("Mailbox block %hu returns only %zu bytes in block\n",
+                               block, blocksize);
+       }
+
+       debug_buf = format_buffer(platform, resp, resp_len);
+       pb_debug_fn("IPMI bootdev mailbox block %hu:\n%s\n", block, debug_buf);
+       talloc_free(debug_buf);
+
+       if (resp[0] != 0) {
+               pb_log("platform: non-zero completion code %d from IPMI req\n",
+                               resp[0]);
+               return -1;
+       }
+
+       /* check for correct parameter version */
+       if ((resp[1] & 0xf) != 0x1) {
+               pb_log("platform: unexpected version (0x%x) in "
+                               "boot mailbox response\n", resp[0]);
+               return -1;
+       }
+
+       /* check for valid paramters */
+       if (resp[2] & 0x80) {
+               pb_debug("platform: boot mailbox parameters are invalid/locked\n");
+               return -1;
+       }
+
+       memcpy(buf, &resp[3], blocksize);
+
+       return blocksize;
+}
+
+static int get_ipmi_boot_mailbox(struct platform_powerpc *platform,
+               char **buf)
+{
+       char *mailbox_buffer, *prefix;
+       const size_t blocksize = 16;
+       char block_buffer[blocksize];
+       size_t mailbox_size;
+       int content_size;
+       uint8_t i;
+       int rc;
+
+       mailbox_buffer = NULL;
+       mailbox_size = 0;
+
+       /*
+        * The BMC may hold up to 255 blocks of data but more likely the number
+        * will be closer to the minimum of 5 set by the specification and error
+        * on higher numbers.
+        */
+       for (i = 0; i < UCHAR_MAX; i++) {
+               rc = get_ipmi_boot_mailbox_block(platform, block_buffer, i);
+               if (rc < 3 && i == 0) {
+                       /*
+                        * Immediate failure, no blocks read or missing IANA
+                        * number.
+                        */
+                       return -1;
+               }
+               if (rc < 1) {
+                       /* Error or no bytes read */
+                       break;
+               }
+
+               if (i == 0) {
+                       /*
+                        * The first three bytes of block zero are an IANA
+                        * Enterprise ID number. Check it matches the IBM
+                        * number, '2'.
+                        */
+                       if (block_buffer[0] != 0x02 ||
+                               block_buffer[1] != 0x00 ||
+                               block_buffer[2] != 0x00) {
+                               pb_log_fn("IANA number unrecognised: 0x%x:0x%x:0x%x\n",
+                                               block_buffer[0],
+                                               block_buffer[1],
+                                               block_buffer[2]);
+                               return -1;
+                       }
+               }
+
+               mailbox_buffer = talloc_realloc(platform, mailbox_buffer,
+                               char, mailbox_size + rc);
+               if (!mailbox_buffer) {
+                       pb_log_fn("Failed to allocate mailbox buffer\n");
+                       return -1;
+               }
+               memcpy(mailbox_buffer + mailbox_size, block_buffer, rc);
+               mailbox_size += rc;
+       }
+
+       if (i < 5)
+               pb_log_fn("Only %hu blocks read, spec requires at least 5.\n"
+                         "Send a bug report to your preferred BMC vendor!\n",
+                         i);
+       else
+               pb_debug_fn("%hu blocks read (%zu bytes)\n", i, mailbox_size);
+
+       if (mailbox_size < 3 + strlen("petitboot,bootdevs="))
+               return -1;
+
+       prefix = talloc_strndup(mailbox_buffer, mailbox_buffer + 3,
+                       strlen("petitboot,bootdevs="));
+       if (!prefix) {
+               pb_log_fn("Couldn't check prefix\n");
+               talloc_free(mailbox_buffer);
+               return -1;
+       }
+
+       if (strncmp(prefix, "petitboot,bootdevs=",
+                               strlen("petitboot,bootdevs=")) != 0 ) {
+               /* Empty or garbage */
+               pb_debug_fn("Buffer looks unconfigured\n");
+               talloc_free(mailbox_buffer);
+               *buf = NULL;
+               return 0;
+       }
+
+       /* Don't include IANA number in buffer */
+       content_size = mailbox_size - 3 - strlen("petitboot,bootdevs=");
+       *buf = talloc_memdup(platform,
+                       mailbox_buffer + 3 + strlen("petitboot,bootdevs="),
+                       content_size + 1);
+       (*buf)[content_size] = '\0';
+
+       talloc_free(mailbox_buffer);
+       return 0;
+}
+
+static int clear_ipmi_boot_mailbox(struct platform_powerpc *platform)
+{
+       uint8_t req[18] = {0}; /* req (2) + blocksize (16) */
+       uint16_t resp_len;
+       uint8_t resp[1];
+       uint8_t i;
+       int rc;
+
+       req[0] = 0x07;  /* parameter selector: boot initiator mailbox */
+
+       resp_len = sizeof(resp);
+
+       for (i = 0; i < UCHAR_MAX; i++) {
+               req[1] = i; /* set selector */
+               rc = ipmi_transaction(platform->ipmi, IPMI_NETFN_CHASSIS,
+                               IPMI_CMD_CHASSIS_SET_SYSTEM_BOOT_OPTIONS,
+                               req, sizeof(req),
+                               resp, &resp_len,
+                               ipmi_timeout);
+
+               if (rc || resp[0]) {
+                       if (i == 0) {
+                               pb_log_fn("error clearing IPMI boot mailbox, "
+                                               "rc %d resp[0] %hu\n",
+                                               rc, resp[0]);
+                               return -1;
+                       }
+                       break;
+               }
+       }
+
+       pb_debug_fn("Cleared %hu blocks\n", i);
+
+       return 0;
+}
+
 static int set_ipmi_os_boot_sensor(struct platform_powerpc *platform)
 {
        int sensor_number;
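Review bot: In get_ipmi_boot_mailbox_block the short-response branch sets `blocksize = sizeof(resp) - 3`, which is still 16, so `memcpy(buf, &resp[3], blocksize)` copies bytes of `resp` that the BMC never wrote (uninitialised stack) into the boot-order buffer; it should read `blocksize = resp_len - 3;`. The same function returns 0 for `resp_len == 4` before the completion code in `resp[0]` is checked, and the version message prints `resp[0]` although `resp[1]` is what was tested. In get_ipmi_boot_mailbox, `talloc_memdup(..., content_size + 1)` reads one byte past the end of `mailbox_buffer` and the result is written through without a NULL check; `*buf = talloc_strndup(platform, mailbox_buffer + 3 + strlen("petitboot,bootdevs="), content_size);` followed by an `if (!*buf)` error path avoids both. The `mailbox_size < 3 + strlen(...)` early return and the failed `talloc_realloc` return also leave the accumulated buffer attached to `platform`.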
@@ -472,6 +684,7 @@ static void get_ipmi_network_override(struct platform_powerpc *platform,
        uint16_t min_len = 12, resp_len = 53, version;
        const uint32_t magic_value = 0x21706221;
        uint8_t resp[resp_len];
+       char *debug_buf;
        uint32_t cookie;
        bool persistent;
        int i, rc;
@@ -487,17 +700,9 @@ static void get_ipmi_network_override(struct platform_powerpc *platform,
                        resp, &resp_len,
                        ipmi_timeout);
 
-       pb_debug("IPMI net override resp [%d][%d]:\n", rc, resp_len);
-       if (resp_len > 0) {
-               for (i = 0; i < resp_len; i++) {
-                       pb_debug(" %02x", resp[i]);
-                       if (i && (i + 1) % 16 == 0 && i != resp_len - 1)
-                               pb_debug("\n");
-                       else if (i && (i + 1) % 8 == 0)
-                               pb_debug(" ");
-               }
-               pb_debug("\n");
-       }
+       debug_buf = format_buffer(platform, resp, resp_len);
+       pb_debug_fn("IPMI net override response:\n%s\n", debug_buf);
+       talloc_free(debug_buf);
 
        if (rc) {
                pb_debug("IPMI network config option unavailable\n");
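Review bot: `format_buffer(platform, resp, resp_len)` runs before the `if (rc)` check directly below it, so after a failed transaction the debug dump is built from a `resp` array that may never have been written, and stale stack contents end up in the log. Moving the three added lines below the `if (rc)` block, or wrapping them in `if (!rc) { ... }`, keeps the dump to real response data. The function body starts and ends outside this hunk.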
@@ -562,7 +767,7 @@ static void get_ipmi_network_override(struct platform_powerpc *platform,
 
        if (!rc && persistent) {
                /* Write this new config to NVRAM */
-               params_update_network_values(&platform->params,
+               params_update_network_values(platform->params,
                        "petitboot,network", config);
                rc = write_nvram(platform);
                if (rc)
@@ -606,13 +811,39 @@ err:
 static int load_config(struct platform *p, struct config *config)
 {
        struct platform_powerpc *platform = to_platform_powerpc(p);
+       const char *hash;
        int rc;
 
        rc = parse_nvram(platform);
        if (rc)
                pb_log_fn("Failed to parse nvram\n");
 
-       config_populate_all(config, &platform->params);
+       /*
+        * If we have an IPMI mailbox configuration available use it instead of
+        * the boot order found in NVRAM.
+        */
+       if (platform->get_ipmi_boot_mailbox) {
+               char *mailbox;
+               struct param *param;
+               rc = platform->get_ipmi_boot_mailbox(platform, &mailbox);
+               if (!rc && mailbox) {
+                       platform->ipmi_mailbox_original_config =
+                               talloc_strdup(
+                                       platform,
+                                       param_list_get_value(
+                                               platform->params, "petitboot,bootdevs"));
+                       param_list_set(platform->params, "petitboot,bootdevs",
+                                       mailbox, false);
+                       param = param_list_get_param(platform->params,
+                                       "petitboot,bootdevs");
+                       /* Avoid writing this to NVRAM */
+                       param->modified = false;
+                       config->ipmi_bootdev_mailbox = true;
+                       talloc_free(mailbox);
+               }
+       }
+
+       config_populate_all(config, platform->params);
 
        if (platform->get_ipmi_bootdev) {
                bool bootdev_persistent;
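Review bot: `ipmi_mailbox_original_config` doubles as the "mailbox override is active" flag that save_config tests, but `talloc_strdup(platform, param_list_get_value(...))` appears to leave it NULL whenever NVRAM has no `petitboot,bootdevs` value or the allocation fails. The `petitboot,password` lookup later in this function shows that `param_list_get_value` can return NULL. In that case the restore-and-clear branch in save_config is skipped and the BMC mailbox is never cleared, so the override would presumably keep applying on later boots. A separate flag in `struct platform_powerpc`, for example `bool ipmi_mailbox_active;` set here and tested in save_config, would decouple the two. `param_list_get_param`'s result is also dereferenced unchecked at `param->modified = false;`.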
@@ -630,6 +861,14 @@ static int load_config(struct platform *p, struct config *config)
 
        config_get_active_consoles(config);
 
+
+       hash = param_list_get_value(platform->params, "petitboot,password");
+       if (hash) {
+               rc = crypt_set_password_hash(platform, hash);
+               if (rc)
+                       pb_log("Failed to set password hash\n");
+       }
+
        return 0;
 }
 
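Review bot: A failure from `crypt_set_password_hash` is only logged, without `rc`, and load_config still returns 0, while restrict_clients (added further down in this diff) decides on the mere presence of `petitboot,password` in the parameter list. The stored hash and the hash actually installed can therefore disagree, and nothing here says whether a malformed NVRAM value is meant to leave clients locked out or unrestricted. I would log the code, `pb_log_fn("Failed to set password hash: %d\n", rc);`, and add a comment above the block stating the intended fail-closed or fail-open behaviour.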
@@ -637,6 +876,7 @@ static int save_config(struct platform *p, struct config *config)
 {
        struct platform_powerpc *platform = to_platform_powerpc(p);
        struct config *defaults;
+       struct param *param;
 
        if (config->ipmi_bootdev == IPMI_BOOTDEV_INVALID &&
            platform->clear_ipmi_bootdev) {
@@ -646,10 +886,27 @@ static int save_config(struct platform *p, struct config *config)
                config->ipmi_bootdev_persistent = false;
        }
 
+       if (!config->ipmi_bootdev_mailbox &&
+                       platform->ipmi_mailbox_original_config) {
+               param = param_list_get_param(platform->params,
+                               "petitboot,bootdevs");
+               /* Restore old boot order if unmodified */
+               if (!param->modified) {
+                       param_list_set(platform->params, "petitboot,bootdevs",
+                                       platform->ipmi_mailbox_original_config,
+                                       false);
+                       param->modified = false;
+                       config_populate_bootdev(config, platform->params);
+               }
+               platform->clear_ipmi_boot_mailbox(platform);
+               talloc_free(platform->ipmi_mailbox_original_config);
+               platform->ipmi_mailbox_original_config = NULL;
+       }
+
        defaults = talloc_zero(platform, struct config);
        config_set_defaults(defaults);
 
-       params_update_all(&platform->params, config, defaults);
+       params_update_all(platform->params, config, defaults);
 
        talloc_free(defaults);
        return write_nvram(platform);
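Review bot: The result of `platform->clear_ipmi_boot_mailbox(platform)` is discarded, so when the clear fails the saved original order is freed and the function carries on as if the override were gone, although the BMC presumably still holds it for the next boot. At minimum log it: `if (platform->clear_ipmi_boot_mailbox(platform)) pb_log_fn("Failed to clear IPMI boot mailbox\n");`. Separately, `param` is fetched before `param_list_set` and written afterwards, whereas load_config fetches it after the set; if `param_list_set` can replace the entry the pointer is stale. A NULL return from `param_list_get_param` is also not handled before `param->modified` is read. save_config's body starts outside this hunk.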
@@ -697,6 +954,23 @@ static int get_sysinfo(struct platform *p, struct system_info *sysinfo)
        return 0;
 }
 
+static bool restrict_clients(struct platform *p)
+{
+       struct platform_powerpc *platform = to_platform_powerpc(p);
+
+       return param_list_get_value(platform->params, "petitboot,password") != NULL;
+}
+
+static int set_password(struct platform *p, const char *hash)
+{
+       struct platform_powerpc *platform = to_platform_powerpc(p);
+
+       param_list_set(platform->params, "petitboot,password", hash, true);
+       write_nvram(platform);
+
+       return 0;
+}
+
 static bool probe(struct platform *p, void *ctx)
 {
        struct platform_powerpc *platform;
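Review bot: set_password ignores the result of `write_nvram(platform)` and always returns 0, so a caller is told the password was set even when the hash never reached NVRAM, in which case restrict_clients would report no restriction once the parameters are re-read from NVRAM. Propagate the result as save_config does: `return write_nvram(platform);`. The function also does not say what a NULL or empty `hash` means (clearing the password?), which deserves a one-line comment because restrict_clients treats any non-NULL stored value as restricted.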
@@ -713,7 +987,8 @@ static bool probe(struct platform *p, void *ctx)
                return false;
 
        platform = talloc_zero(ctx, struct platform_powerpc);
-       param_list_init(&platform->params, common_known_params());
+       platform->params = talloc_zero(platform, struct param_list);
+       param_list_init(platform->params, common_known_params());
 
        p->platform_data = platform;
 
@@ -724,6 +999,8 @@ static bool probe(struct platform *p, void *ctx)
                platform->ipmi = ipmi_open(platform);
                platform->get_ipmi_bootdev = get_ipmi_bootdev_ipmi;
                platform->clear_ipmi_bootdev = clear_ipmi_bootdev_ipmi;
+               platform->get_ipmi_boot_mailbox = get_ipmi_boot_mailbox;
+               platform->clear_ipmi_boot_mailbox = clear_ipmi_boot_mailbox;
                platform->set_os_boot_sensor = set_ipmi_os_boot_sensor;
        } else if (!stat(sysparams_dir, &statbuf)) {
                pb_debug("platform: using sysparams for IPMI paramters\n");
@@ -749,6 +1026,8 @@ static struct platform platform_powerpc = {
        .save_config            = save_config,
        .pre_boot               = pre_boot,
        .get_sysinfo            = get_sysinfo,
+       .restrict_clients       = restrict_clients,
+       .set_password           = set_password,
 };
 
 register_platform(platform_powerpc);