diff options
| author | Mike Baiocchi <mbaiocch@us.ibm.com> | 2017-05-18 17:12:26 -0500 |
|---|---|---|
| committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-06-07 09:40:09 -0400 |
| commit | 94eff06a67f84e9eb0f2189efd7a0b47029fd154 (patch) | |
| tree | 963bbdaa8eb9fe5dc72e4bec62b3c3b2c5880d53 /src/usr/secureboot/runtime/rt_secureboot.C | |
| parent | 449f2ba22f199b36de5e041ff8d028af8c3c3652 (diff) | |
| download | blackbird-hostboot-94eff06a67f84e9eb0f2189efd7a0b47029fd154.tar.gz blackbird-hostboot-94eff06a67f84e9eb0f2189efd7a0b47029fd154.zip | |
Disable Attribute Overrides in Secure Mode
This commit disables attribute overrides during the IPL and at Runtime
when the system has security enabled.
Change-Id: Ia56b11fc1450c8e11be27c90c0de179038273873
RTC: 163094
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/40735
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/secureboot/runtime/rt_secureboot.C')
| -rw-r--r-- | src/usr/secureboot/runtime/rt_secureboot.C | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/src/usr/secureboot/runtime/rt_secureboot.C b/src/usr/secureboot/runtime/rt_secureboot.C index 3b7626553..1c84c2bf1 100644 --- a/src/usr/secureboot/runtime/rt_secureboot.C +++ b/src/usr/secureboot/runtime/rt_secureboot.C @@ -32,9 +32,60 @@ #include <config.h> #include "common/securetrace.H" +#include <secureboot/service.H> +#include <secureboot/secure_reasoncodes.H> + +#include <errl/errlmanager.H> +#include <runtime/rt_targeting.H> +#include <targeting/common/commontargeting.H> +#include <targeting/common/targetservice.H> +#include <devicefw/userif.H> + namespace SECUREBOOT { +using namespace TARGETING; + +#if defined(CONFIG_SECUREBOOT) && defined(__HOSTBOOT_RUNTIME) +bool enabled() +{ + errlHndl_t l_errl = nullptr; + uint64_t l_regValue = 0; + size_t l_size = sizeof(l_regValue); + + TargetService& tS = targetService(); + Target* masterProcChipTargetHandle = nullptr; + + do + { + l_errl = tS.queryMasterProcChipTargetHandle( + masterProcChipTargetHandle); + + if (l_errl) + { + errlCommit(l_errl, SECURE_COMP_ID); + break; + } + + l_errl = deviceRead(masterProcChipTargetHandle, + &l_regValue, l_size, + DEVICE_SCOM_ADDRESS( + static_cast<uint64_t>(ProcSecurity::SwitchRegister))); + if (l_errl) + { + errlCommit(l_errl, SECURE_COMP_ID); + break; + } + + assert(l_size == sizeof(l_regValue)); + } while (0); + + // if there was an error l_regValue is zero, so we return false. + // Unfortunately this is all we can do. These shouldn't fail. + + return l_regValue & static_cast<uint64_t>(ProcSecurity::SabBit); +} +#endif int verify_container( const void* i_pContainer, @@ -59,6 +110,7 @@ int verify_container( return rc; } + struct registerSecurebootRt { registerSecurebootRt() |
