Secureboot: Enhanced Multinode Comm: TPM_POISONED

This commit introduces a new attribute TPM_POISONED used to indicate that a certain TPM was poisoned during the boot. This attribute is also used to adjust the trustedboot flag in HDAT: if the primary TPM was poisoned during the IPL, the trustedboot setting is turned off in HDAT. Change-Id: I32ff6e79ebba0e38c0e8b4b9bd4aa0f52a250d9a RTC: 203645 Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/72129 Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
author: Ilya Smirnov <ismirno@us.ibm.com> 2019-02-19 09:19:35 -0600
committer: Daniel M. Crowell <dcrowell@us.ibm.com> 2019-03-01 15:06:57 -0600
commit: b1c1b2cc5e78267fadb9001587f66566cf19159e (patch)
tree: e40435fd16338b995a5b6c3b0c3bd132ce3d159f
parent: 7364f2447d187b1b7dfff42403db051c4fc7e4e4 (diff)
download: blackbird-hostboot-b1c1b2cc5e78267fadb9001587f66566cf19159e.tar.gz
blackbird-hostboot-b1c1b2cc5e78267fadb9001587f66566cf19159e.zip
7 files changed, 54 insertions, 8 deletions
diff --git a/src/include/usr/secureboot/trustedbootif.H b/src/include/usr/secureboot/trustedbootif.H
index 72849c2eb..66d44852e 100644
--- a/src/include/usr/secureboot/trustedbootif.H
+++ b/src/include/usr/secureboot/trustedbootif.H
@@ -322,7 +322,7 @@ namespace TRUSTEDBOOT
      *  @return errlHndl_t nullptr if successful or error log otherwise. Failure
      *                     to poison a TPM will result in deconfiguring the TPM.
      */
-    errlHndl_t poisonTpm(const TpmTarget* i_pTpm);
+    errlHndl_t poisonTpm(TpmTarget* i_pTpm);
 
     /**
      * @brief Poison all functional TPMs on the node. Calls poisonTpm for
diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C
index db32eef40..75c8f3a2f 100644
--- a/src/usr/runtime/populate_hbruntime.C
+++ b/src/usr/runtime/populate_hbruntime.C
@@ -5,7 +5,7 @@
 /*                                                                        */
 /* OpenPOWER HostBoot Project                                             */
 /*                                                                        */
-/* Contributors Listed Below - COPYRIGHT 2016,2018                        */
+/* Contributors Listed Below - COPYRIGHT 2016,2019                        */
 /* [+] International Business Machines Corp.                              */
 /*                                                                        */
 /*                                                                        */
@@ -1762,6 +1762,22 @@ errlHndl_t populate_hbSecurebootData ( void )
         bool trusted = false;
 #ifdef CONFIG_TPMDD
         trusted = TRUSTEDBOOT::functionalPrimaryTpmExists();
+
+        if(trusted)
+        {
+            // Check if the primary TPM has been poisoned. If it has,
+            // trustedboot state cannot be guaranteed on the system.
+            TARGETING::Target* l_primaryTpm = nullptr;
+            TRUSTEDBOOT::getPrimaryTpm(l_primaryTpm);
+            if(!l_primaryTpm ||
+                l_primaryTpm->getAttr<TARGETING::ATTR_TPM_POISONED>())
+            {
+                // Primary TPM doesn't exist or is poisoned -
+                // turn off trustedboot
+                trusted = false;
+            }
+        }
+
 #endif
         l_sysSecSets->trustedboot = trusted? 1: 0;
 
diff --git a/src/usr/secureboot/node_comm/node_comm_exchange.C b/src/usr/secureboot/node_comm/node_comm_exchange.C
index 46eaabc69..fde09af52 100644
--- a/src/usr/secureboot/node_comm/node_comm_exchange.C
+++ b/src/usr/secureboot/node_comm/node_comm_exchange.C
@@ -770,11 +770,6 @@ errlHndl_t nodeCommProcessSlaveQuote(uint8_t* const i_slaveQuote,
             l_errl->collectTrace(TRBOOT_COMP_NAME);
             l_errl->collectTrace(NODECOMM_TRACE_NAME);
         }
-        else
-        {
-            // @TODO RTC 203645 need to notify HDAT to turn off trustedboot flag
-            // in RUNTIME::IPLPARMS_SYSTEM
-        }
         break;
     }
 
diff --git a/src/usr/secureboot/trusted/trustedboot.C b/src/usr/secureboot/trusted/trustedboot.C
index 1237fe3b8..9c075dc7d 100644
--- a/src/usr/secureboot/trusted/trustedboot.C
+++ b/src/usr/secureboot/trusted/trustedboot.C
@@ -2254,7 +2254,7 @@ errlHndl_t GetRandom(const TpmTarget* i_pTpm,
 }
 #endif // CONFIG_TPMDD
 
-errlHndl_t poisonTpm(const TpmTarget* i_pTpm)
+errlHndl_t poisonTpm(TpmTarget* i_pTpm)
 {
     uint64_t l_randNum = 0;
     errlHndl_t l_errl = nullptr;
@@ -2263,6 +2263,14 @@ errlHndl_t poisonTpm(const TpmTarget* i_pTpm)
 
     do {
 
+    l_errl = validateTpmHandle(i_pTpm);
+    if(l_errl)
+    {
+        break;
+    }
+
+    i_pTpm->setAttr<TARGETING::ATTR_TPM_POISONED>(true);
+
     // Note: GetRandom validates the TPM handle internally and returns an
     // error log if invalid
     l_errl = GetRandom(i_pTpm,
diff --git a/src/usr/targeting/common/xmltohb/attribute_types.xml b/src/usr/targeting/common/xmltohb/attribute_types.xml
index 065c65307..0a51d45b8 100644
--- a/src/usr/targeting/common/xmltohb/attribute_types.xml
+++ b/src/usr/targeting/common/xmltohb/attribute_types.xml
@@ -7618,6 +7618,29 @@
   </attribute>
 
   <attribute>
+    <id>TPM_POISONED</id>
+    <description>
+        A flag indicating whether the TPM has been poisoned. A poisoned TPM
+        has a random number extended into its PCR but not mirrorred to its
+        log. That creates a disconnection between the TPM and its log, which
+        in turn makes it impossible to perform remote attestation on the TPM.
+    </description>
+    <range>
+      <min>0</min>
+      <max>1</max>
+    </range>
+    <simpleType>
+      <uint8_t>
+        <default>0</default>
+      </uint8_t>
+    </simpleType>
+    <persistency>volatile-zeroed</persistency>
+    <readable/>
+    <writeable/>
+    <no_export/>
+  </attribute>
+
+  <attribute>
     <description>
         Setting to require(0x1) or not require(0x0) a functional TPM to
         boot the system.
diff --git a/src/usr/targeting/common/xmltohb/target_types.xml b/src/usr/targeting/common/xmltohb/target_types.xml
index bed5fc6fe..51e8bb501 100644
--- a/src/usr/targeting/common/xmltohb/target_types.xml
+++ b/src/usr/targeting/common/xmltohb/target_types.xml
@@ -927,6 +927,9 @@
       <id>TPM_INFO</id>
     </attribute>
     <attribute>
+      <id>TPM_POISONED</id>
+    </attribute>
+    <attribute>
       <id>TPM_UNUSABLE</id>
     </attribute>
     <attribute>
diff --git a/src/usr/targeting/targetservicestart.C b/src/usr/targeting/targetservicestart.C
index 74cd23fc6..943b7befc 100755
--- a/src/usr/targeting/targetservicestart.C
+++ b/src/usr/targeting/targetservicestart.C
@@ -636,6 +636,7 @@ static void initializeAttributes(TargetService& i_targetService,
             {
                 tpm->setAttr<ATTR_HB_TPM_INIT_ATTEMPTED>(0);
                 tpm->setAttr<ATTR_HB_TPM_LOG_MGR_PTR>(0);
+                tpm->setAttr<ATTR_TPM_POISONED>(0);
             }
 
             //Assemble list of membuf and zero out some virtual address attributes
author	Ilya Smirnov <ismirno@us.ibm.com>	2019-02-19 09:19:35 -0600
committer	Daniel M. Crowell <dcrowell@us.ibm.com>	2019-03-01 15:06:57 -0600
commit	b1c1b2cc5e78267fadb9001587f66566cf19159e (patch)
tree	e40435fd16338b995a5b6c3b0c3bd132ce3d159f
parent	7364f2447d187b1b7dfff42403db051c4fc7e4e4 (diff)
download	blackbird-hostboot-b1c1b2cc5e78267fadb9001587f66566cf19159e.tar.gz blackbird-hostboot-b1c1b2cc5e78267fadb9001587f66566cf19159e.zip