author | Ilya Smirnov <ismirno@us.ibm.com> | 2019-02-19 09:19:35 -0600 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2019-03-01 15:06:57 -0600 |
commit | b1c1b2cc5e78267fadb9001587f66566cf19159e (patch) | |
tree | e40435fd16338b995a5b6c3b0c3bd132ce3d159f | |
parent | 7364f2447d187b1b7dfff42403db051c4fc7e4e4 (diff) | |
Secureboot: Enhanced Multinode Comm: TPM_POISONED
This commit introduces a new attribute TPM_POISONED used
to indicate that a certain TPM was poisoned during the boot.
This attribute is also used to adjust the trustedboot flag
in HDAT: if the primary TPM was poisoned during the IPL,
the trustedboot setting is turned off in HDAT.
Change-Id: I32ff6e79ebba0e38c0e8b4b9bd4aa0f52a250d9a
RTC: 203645
Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/72129
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
-rw-r--r-- | src/include/usr/secureboot/trustedbootif.H | 2 | ||||
-rw-r--r-- | src/usr/runtime/populate_hbruntime.C | 18 | ||||
-rw-r--r-- | src/usr/secureboot/node_comm/node_comm_exchange.C | 5 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/trustedboot.C | 10 | ||||
-rw-r--r-- | src/usr/targeting/common/xmltohb/attribute_types.xml | 23 | ||||
-rw-r--r-- | src/usr/targeting/common/xmltohb/target_types.xml | 3 | ||||
-rwxr-xr-x | src/usr/targeting/targetservicestart.C | 1 |
7 files changed, 54 insertions, 8 deletions
diff --git a/src/include/usr/secureboot/trustedbootif.H b/src/include/usr/secureboot/trustedbootif.H
index 72849c2eb..66d44852e 100644
--- a/src/include/usr/secureboot/trustedbootif.H
+++ b/src/include/usr/secureboot/trustedbootif.H
@@ -322,7 +322,7 @@ namespace TRUSTEDBOOT
 * @return errlHndl_t nullptr if successful or error log otherwise. Failure
 * to poison a TPM will result in deconfiguring the TPM.
 */
- errlHndl_t poisonTpm(const TpmTarget* i_pTpm);
+ errlHndl_t poisonTpm(TpmTarget* i_pTpm);
 /**
 * @brief Poison all functional TPMs on the node. Calls poisonTpm for
diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C
index db32eef40..75c8f3a2f 100644
--- a/src/usr/runtime/populate_hbruntime.C
+++ b/src/usr/runtime/populate_hbruntime.C
@@ -5,7 +5,7 @@
 /* */
 /* OpenPOWER HostBoot Project */
 /* */
-/* Contributors Listed Below - COPYRIGHT 2016,2018 */
+/* Contributors Listed Below - COPYRIGHT 2016,2019 */
 /* [+] International Business Machines Corp. */
 /* */
 /* */
@@ -1762,6 +1762,22 @@ errlHndl_t populate_hbSecurebootData ( void )
 bool trusted = false;
 #ifdef CONFIG_TPMDD
 trusted = TRUSTEDBOOT::functionalPrimaryTpmExists();
+
+ if(trusted)
+ {
+ // Check if the primary TPM has been poisoned. If it has,
+ // trustedboot state cannot be guaranteed on the system.
+ TARGETING::Target* l_primaryTpm = nullptr;
+ TRUSTEDBOOT::getPrimaryTpm(l_primaryTpm);
+ if(!l_primaryTpm ||
+ l_primaryTpm->getAttr<TARGETING::ATTR_TPM_POISONED>())
+ {
+ // Primary TPM doesn't exist or is poisoned -
+ // turn off trustedboot
+ trusted = false;
+ }
+ }
+
 #endif
 l_sysSecSets->trustedboot = trusted? 1: 0;
diff --git a/src/usr/secureboot/node_comm/node_comm_exchange.C b/src/usr/secureboot/node_comm/node_comm_exchange.C
index 46eaabc69..fde09af52 100644
--- a/src/usr/secureboot/node_comm/node_comm_exchange.C
+++ b/src/usr/secureboot/node_comm/node_comm_exchange.C
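Review bot: The doc comment on poisonTpm in trustedbootif.H should mention that the call now sets ATTR_TPM_POISONED on the target, since that side effect is the reason the parameter lost its const. A line such as `* @note Sets ATTR_TPM_POISONED on i_pTpm before the poison is attempted.` ahead of the @return would cover it. The comment starts above the hunk, so it may also carry a @param line that needs the same adjustment.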
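Review bot: When the poisoned check in populate_hbSecurebootData clears `trusted`, nothing is traced, so a boot that reports trustedboot as 0 for this reason cannot be told apart from one where functionalPrimaryTpmExists() returned false. A trace statement in the inner branch saying whether l_primaryTpm was null or ATTR_TPM_POISONED was set would keep that distinction for anyone later debugging a failed attestation. The `!l_primaryTpm` arm also looks unreachable once functionalPrimaryTpmExists() has returned true; if it is kept as a defensive check, a comment like `// defensive: should not be null when a functional primary TPM exists` would say so. The function body continues outside the hunk.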
@@ -770,11 +770,6 @@ errlHndl_t nodeCommProcessSlaveQuote(uint8_t* const i_slaveQuote,
 l_errl->collectTrace(TRBOOT_COMP_NAME);
 l_errl->collectTrace(NODECOMM_TRACE_NAME);
 }
- else
- {
- // @TODO RTC 203645 need to notify HDAT to turn off trustedboot flag
- // in RUNTIME::IPLPARMS_SYSTEM
- }
 break;
 }
diff --git a/src/usr/secureboot/trusted/trustedboot.C b/src/usr/secureboot/trusted/trustedboot.C
index 1237fe3b8..9c075dc7d 100644
--- a/src/usr/secureboot/trusted/trustedboot.C
+++ b/src/usr/secureboot/trusted/trustedboot.C
@@ -2254,7 +2254,7 @@ errlHndl_t GetRandom(const TpmTarget* i_pTpm,
 }
 #endif // CONFIG_TPMDD
-errlHndl_t poisonTpm(const TpmTarget* i_pTpm)
+errlHndl_t poisonTpm(TpmTarget* i_pTpm)
 {
 uint64_t l_randNum = 0;
 errlHndl_t l_errl = nullptr;
@@ -2263,6 +2263,14 @@ errlHndl_t poisonTpm(const TpmTarget* i_pTpm)
 do
 {
+ l_errl = validateTpmHandle(i_pTpm);
+ if(l_errl)
+ {
+ break;
+ }
+
+ i_pTpm->setAttr<TARGETING::ATTR_TPM_POISONED>(true);
+
 // Note: GetRandom validates the TPM handle internally and returns an
 // error log if invalid
 l_errl = GetRandom(i_pTpm,
diff --git a/src/usr/targeting/common/xmltohb/attribute_types.xml b/src/usr/targeting/common/xmltohb/attribute_types.xml
index 065c65307..0a51d45b8 100644
--- a/src/usr/targeting/common/xmltohb/attribute_types.xml
+++ b/src/usr/targeting/common/xmltohb/attribute_types.xml
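Review bot: In the second trustedboot.C hunk, ATTR_TPM_POISONED is set in poisonTpm before GetRandom (and presumably the PCR extend that follows) has run, so the attribute reads true even when the poison operation later fails. That ordering fails closed, which fits the header's statement that a failed poison deconfigures the TPM, but the code does not say it is deliberate; a comment such as `// Set before the extend so a failed or partial poison still turns trustedboot off in HDAT` would record it. The retained note that GetRandom validates the handle internally is now redundant with the explicit validateTpmHandle call and could be reworded. The dereference in setAttr also relies on validateTpmHandle rejecting a null handle, which is not visible here. The do-block continues outside the hunk.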
@@ -7618,6 +7618,29 @@
 </attribute>
 <attribute>
+ <id>TPM_POISONED</id>
+ <description>
+ A flag indicating whether the TPM has been poisoned. A poisoned TPM
+ has a random number extended into its PCR but not mirrorred to its
+ log. That creates a disconnection between the TPM and its log, which
+ in turn makes it impossible to perform remote attestation on the TPM.
+ </description>
+ <range>
+ <min>0</min>
+ <max>1</max>
+ </range>
+ <simpleType>
+ <uint8_t>
+ <default>0</default>
+ </uint8_t>
+ </simpleType>
+ <persistency>volatile-zeroed</persistency>
+ <readable/>
+ <writeable/>
+ <no_export/>
+ </attribute>
+
+ <attribute>
 <description>
 Setting to require(0x1) or not require(0x0) a functional TPM to boot the system.
diff --git a/src/usr/targeting/common/xmltohb/target_types.xml b/src/usr/targeting/common/xmltohb/target_types.xml
index bed5fc6fe..51e8bb501 100644
--- a/src/usr/targeting/common/xmltohb/target_types.xml
+++ b/src/usr/targeting/common/xmltohb/target_types.xml
@@ -927,6 +927,9 @@
 <id>TPM_INFO</id>
 </attribute>
 <attribute>
+ <id>TPM_POISONED</id>
+ </attribute>
+ <attribute>
 <id>TPM_UNUSABLE</id>
 </attribute>
 <attribute>
diff --git a/src/usr/targeting/targetservicestart.C b/src/usr/targeting/targetservicestart.C
index 74cd23fc6..943b7befc 100755
--- a/src/usr/targeting/targetservicestart.C
+++ b/src/usr/targeting/targetservicestart.C
@@ -636,6 +636,7 @@ static void initializeAttributes(TargetService& i_targetService,
 {
 tpm->setAttr<ATTR_HB_TPM_INIT_ATTEMPTED>(0);
 tpm->setAttr<ATTR_HB_TPM_LOG_MGR_PTR>(0);
+ tpm->setAttr<ATTR_TPM_POISONED>(0);
 }
 //Assemble list of membuf and zero out some virtual address attributes |
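Review bot: Clearing ATTR_TPM_POISONED in initializeAttributes (targetservicestart.C) is only correct if the TPM's PCRs are also reset on whatever path reaches this loop. If the TPM kept its PCR state while the attribute went back to 0, populate_hbSecurebootData would report trustedboot as on for a TPM whose log no longer matches its PCRs. The condition guarding this block is outside the hunk, so this may already hold; a comment such as `// TPM is re-initialized on this path, so the poisoned state no longer applies` would make the assumption explicit.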