Remove Secure Boot workarounds

- Removing the magic number checks that would block sb functionality if things didn't appear secure - Remove Best Effort Policy and all of its related code - Remove the legacy PCR extension - Remove the non-secure header preservation path. - Always load HB base image header from the bl to hb data path vs settings unsecurely out of pnor Change-Id: Ie638384ac50ed47850985c959ea7a32e5757d64e RTC: 178520 RTC: 155374 RTC: 173489 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49925 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
author: Stephen Cprek <smcprek@us.ibm.com> 2017-11-20 16:56:44 -0600
committer: Daniel M. Crowell <dcrowell@us.ibm.com> 2017-12-18 17:27:59 -0500
commit: 9ae6e9595f9773d295b7e3ade47088f554c1ed48 (patch)
tree: f33427b681154991423fb9faad3476bf4aa17ff4 /src/include/usr/secureboot
parent: 8392e4f606607e505bb99de2a8d229ae69be5efe (diff)
download: blackbird-hostboot-9ae6e9595f9773d295b7e3ade47088f554c1ed48.tar.gz
blackbird-hostboot-9ae6e9595f9773d295b7e3ade47088f554c1ed48.zip
3 files changed, 4 insertions, 39 deletions
diff --git a/src/include/usr/secureboot/header.H b/src/include/usr/secureboot/header.H
index 0478fa675..eff1f6769 100644
--- a/src/include/usr/secureboot/header.H
+++ b/src/include/usr/secureboot/header.H
@@ -59,34 +59,14 @@ namespace SECUREBOOT
                 iv_data=NULL;
             }
 
-            // @TODO RTC 178520 Converge to single method of reading
-            // secure header
-
             /**
              *  @brief Extracts base image (HBB) header (ECC removed) from
-             *      security area preserved across the bootloader to HBB
-             *      handoff to support extending HBB measurements to TPM in
-             *      secure mode.
+             *      area preserved across the bootloader to HBB handoff to
+             *      support extending HBB measurements to TPM
              *
              *  @warning Asserts if header is already cached (code bug)
              */
-            void loadSecurely();
-
-            // @TODO RTC 178520 Converge to single method of reading
-            // secure header
-
-            /**
-             *  @brief Caches non-secure PNOR copy of the base image (HBB)
-             *      header (ECC removed) to support extending HBB measurements
-             *      to TPM in non-secure mode.
-             *
-             *  @param[in] i_pHeader Pointer to non-secure 4k HBB header
-             *      extracted from PNOR.
-             *
-             *  @warning Carries all the same warnings as _set
-             */
-            void setNonSecurely(
-                const void* i_pHeader);
+            void loadHeader();
 
             /**
              *  @brief Return pointer to base image (HBB) header.
diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H
index 638c23505..dc1fd5a78 100644
--- a/src/include/usr/secureboot/service.H
+++ b/src/include/usr/secureboot/service.H
@@ -330,12 +330,6 @@ namespace SECUREBOOT
      */
     bool allowAttrOverrides();
 
-    /* Definition in settings.H */
-    bool bestEffortPolicy();
-
-    /* Definition in securerommgr.H */
-    bool secureRomValidPolicy();
-
     /*
      *  @brief Gets the current SBE security mode value from the secureboot
      *         subsystem
diff --git a/src/include/usr/secureboot/settings.H b/src/include/usr/secureboot/settings.H
index 491c607d3..417e14d96 100644
--- a/src/include/usr/secureboot/settings.H
+++ b/src/include/usr/secureboot/settings.H
@@ -90,8 +90,7 @@ namespace SECUREBOOT
     class Settings
     {
         public:
-            Settings() : iv_enabled(false),
-                         iv_bestEffortPolicy(false) { _init(); };
+            Settings() : iv_enabled(false) { _init(); };
             ~Settings() {};
 
             /** @brief Determine if Secureboot is enabled. */
@@ -136,13 +135,6 @@ namespace SECUREBOOT
                 TARGETING::Target* i_pProc
                     = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL) const;
 
-            /** @brief Determines if the Secureboot best effort policy is
-             *         enabled. Uses knowledge of compile config options and
-             *         secure mode enabled
-             * @return bool - True if enabled, false otherwise
-             */
-            bool getBestEffortPolicy() const;
-
         private:
             void _init();
 
@@ -192,7 +184,6 @@ namespace SECUREBOOT
 
             /** Cached secure boot enabled value */
             bool iv_enabled;
-            bool iv_bestEffortPolicy;
     };
 }
author	Stephen Cprek <smcprek@us.ibm.com>	2017-11-20 16:56:44 -0600
committer	Daniel M. Crowell <dcrowell@us.ibm.com>	2017-12-18 17:27:59 -0500
commit	9ae6e9595f9773d295b7e3ade47088f554c1ed48 (patch)
tree	f33427b681154991423fb9faad3476bf4aa17ff4 /src/include/usr/secureboot
parent	8392e4f606607e505bb99de2a8d229ae69be5efe (diff)
download	blackbird-hostboot-9ae6e9595f9773d295b7e3ade47088f554c1ed48.tar.gz blackbird-hostboot-9ae6e9595f9773d295b7e3ade47088f554c1ed48.zip