diff options
| author | Jaymes Wilks <mjwilks@us.ibm.com> | 2016-11-11 14:58:58 -0600 |
|---|---|---|
| committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-01-30 12:17:06 -0500 |
| commit | 8363cdd8fff56e20f25a6ffee5b43c887c6049c4 (patch) | |
| tree | 64cc9d93e04066d51ee6decdcbbe6d2d0708a575 /src/usr/secureboot | |
| parent | 89c55d65e62b74221262652c02c4afef0590e127 (diff) | |
| download | blackbird-hostboot-8363cdd8fff56e20f25a6ffee5b43c887c6049c4.tar.gz blackbird-hostboot-8363cdd8fff56e20f25a6ffee5b43c887c6049c4.zip | |
Generalize secure boot settings for all processors
Adds the ability to specify which processor target user code is
interested in when querying secure boot settings.
Change-Id: I0375af03ce8f4e33029736ff2e2d60416629a295
RTC:161916
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/32556
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/secureboot')
| -rw-r--r-- | src/usr/secureboot/base/makefile | 6 | ||||
| -rw-r--r-- | src/usr/secureboot/base/securerom.C | 4 | ||||
| -rw-r--r-- | src/usr/secureboot/base/service.C | 13 | ||||
| -rw-r--r-- | src/usr/secureboot/base/settings.C | 145 | ||||
| -rw-r--r-- | src/usr/secureboot/settings.H | 82 | ||||
| -rw-r--r-- | src/usr/secureboot/trusted/trustedboot.C | 26 |
6 files changed, 155 insertions, 121 deletions
diff --git a/src/usr/secureboot/base/makefile b/src/usr/secureboot/base/makefile index e2b143978..a2de4cdb3 100644 --- a/src/usr/secureboot/base/makefile +++ b/src/usr/secureboot/base/makefile @@ -5,7 +5,7 @@ # # OpenPOWER HostBoot Project # -# Contributors Listed Below - COPYRIGHT 2013,2016 +# Contributors Listed Below - COPYRIGHT 2013,2017 # [+] International Business Machines Corp. # # @@ -36,6 +36,10 @@ OBJS += trustedboot_base.o OBJS += $(if $(CONFIG_TPMDD),trustedbootMsg.o,) OBJS += containerheader.o OBJS += ${SECUREBOOT_COMMON_OBJS} +OBJS += targutilbase.o + +VPATH += $(ROOTPATH)/src/usr/targeting/common +EXTRAINCDIR += $(ROOTPATH)/src/include/usr VPATH += ../common diff --git a/src/usr/secureboot/base/securerom.C b/src/usr/secureboot/base/securerom.C index 9a1bca5ae..dd1428f33 100644 --- a/src/usr/secureboot/base/securerom.C +++ b/src/usr/secureboot/base/securerom.C @@ -5,7 +5,7 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* Contributors Listed Below - COPYRIGHT 2013,2016 */ +/* Contributors Listed Below - COPYRIGHT 2013,2017 */ /* [+] International Business Machines Corp. */ /* */ /* */ @@ -35,7 +35,7 @@ #include "../common/securetrace.H" #include "securerom.H" -#include "../settings.H" +#include <secureboot/settings.H> // Quick change for unit testing //#define TRACUCOMP(args...) TRACFCOMP(args) diff --git a/src/usr/secureboot/base/service.C b/src/usr/secureboot/base/service.C index 59750b786..beed71616 100644 --- a/src/usr/secureboot/base/service.C +++ b/src/usr/secureboot/base/service.C @@ -5,7 +5,7 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* Contributors Listed Below - COPYRIGHT 2013,2016 */ +/* Contributors Listed Below - COPYRIGHT 2013,2017 */ /* [+] International Business Machines Corp. */ /* */ /* */ @@ -35,7 +35,7 @@ #include <errl/errlmanager.H> #include <errl/errludtarget.H> #include <initservice/initserviceif.H> -#include "settings.H" +#include <secureboot/settings.H> #include <secureboot/header.H> #include "purge.H" #include <kernel/misc.H> @@ -97,9 +97,14 @@ bool enabled() return Singleton<Settings>::instance().getEnabled(); } -bool getJumperState() +errlHndl_t getSecuritySwitch(uint64_t& o_regValue, TARGETING::Target* i_targ) { - return Singleton<Settings>::instance().getJumperState(); + return Singleton<Settings>::instance().getSecuritySwitch(o_regValue,i_targ); +} + +errlHndl_t getJumperState(SecureJumperState& o_state, TARGETING::Target* i_targ) +{ + return Singleton<Settings>::instance().getJumperState(o_state, i_targ); } void handleSecurebootFailure(errlHndl_t &io_err, bool i_waitForShutdown) diff --git a/src/usr/secureboot/base/settings.C b/src/usr/secureboot/base/settings.C index 9f4377178..e06e179e3 100644 --- a/src/usr/secureboot/base/settings.C +++ b/src/usr/secureboot/base/settings.C @@ -5,7 +5,7 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* Contributors Listed Below - COPYRIGHT 2013,2016 */ +/* Contributors Listed Below - COPYRIGHT 2013,2017 */ /* [+] International Business Machines Corp. */ /* */ /* */ @@ -26,7 +26,11 @@ #include <errl/errlmanager.H> #include <devicefw/userif.H> #include <secureboot/service.H> -#include "settings.H" +#include <secureboot/secure_reasoncodes.H> +#include <targeting/common/util.H> +#include <targeting/common/target.H> +#include <initservice/initserviceif.H> +#include <secureboot/settings.H> // SECUREBOOT : General driver traces #include "../common/securetrace.H" @@ -34,12 +38,38 @@ namespace SECUREBOOT { using namespace TARGETING; + using namespace ERRORLOG; + + // symbolic constant for the trace size + enum { + ERROR_TRACE_SIZE = 256, + }; void Settings::_init() { + uint64_t l_regValue = 0; + + // read security switch register + auto l_errl = getSecuritySwitch(l_regValue, + MASTER_PROCESSOR_CHIP_TARGET_SENTINEL); + + if (NULL != l_errl) + { + + // Grab errlog reason code before committing. + uint16_t l_rc = l_errl->reasonCode(); + + errlCommit(l_errl, SECURE_COMP_ID); + // we need to shutdown here because getSecuritySwitch does not + // return a fatal error log in some cases + INITSERVICE::doShutdown(l_rc); + } + // cache only the enabled flag - iv_enabled = (0 != (getSecuritySwitch() & - static_cast<uint64_t>(ProcSecurity::SabBit))); + iv_enabled = (0 != (l_regValue & + static_cast<uint64_t>(ProcSecurity::SabBit))); + + SB_INF("getEnabled() state:%i",iv_enabled); } bool Settings::getEnabled() const @@ -47,46 +77,107 @@ namespace SECUREBOOT return iv_enabled; } - bool Settings::getJumperState() const + errlHndl_t Settings::getJumperState(SecureJumperState& o_state, + Target* i_targ) const { - auto l_regValue = readSecurityRegister( - static_cast<uint64_t>(ProcCbsControl::StatusRegister)); + uint64_t l_regValue = 0; + o_state = SecureJumperState::SECURITY_DEASSERTED; - return 0 != (l_regValue & - static_cast<uint64_t>(ProcCbsControl::JumperStateBit)); + errlHndl_t l_errl = nullptr; + + do + { + // the supplied target input parameter is validated in one place + // inside the readSecurityRegister function + l_errl = readSecurityRegister(i_targ, + static_cast<uint64_t>(ProcCbsControl::StatusRegister), + l_regValue); + + SB_DBG("getJumperState() err:%i reg:%.16llX huid:%.8X", + !!l_errl, l_regValue, get_huid(i_targ)); + + if (l_errl) + { + break; + } + o_state = (l_regValue & + static_cast<uint64_t>(ProcCbsControl::JumperStateBit)) ? + SecureJumperState::SECURITY_ASSERTED : + SecureJumperState::SECURITY_DEASSERTED; + + SB_INF("getJumperState() state:%i huid:%.8X", o_state, + get_huid(i_targ)); + + } while(0); + + return l_errl; } - uint64_t Settings::getSecuritySwitch() const + errlHndl_t Settings::getSecuritySwitch(uint64_t& o_regValue, + Target* i_targ) const { - return readSecurityRegister( - static_cast<uint64_t>(ProcSecurity::SwitchRegister)); + auto l_errl = readSecurityRegister(i_targ, + static_cast<uint64_t>(ProcSecurity::SwitchRegister), + o_regValue); + SB_INF("getSecuritySwitch() err:%i reg:%.16llX huid:%.8X", + !!l_errl, o_regValue, get_huid(i_targ)); + + return l_errl; } - uint64_t Settings::readSecurityRegister(const uint64_t i_scomAddress) const + errlHndl_t Settings::readSecurityRegister(Target* i_targ, + const uint64_t i_scomAddress, + uint64_t& o_regValue) const { errlHndl_t l_errl = nullptr; - uint64_t l_regValue = 0; - size_t size = sizeof(l_regValue); + size_t size = sizeof(o_regValue); - // Read secure register setting from processor. - l_errl = deviceRead(MASTER_PROCESSOR_CHIP_TARGET_SENTINEL, - &l_regValue, size, + do + { + + // make sure we are not passed a null target pointer or the wrong + // target type (must be a processor target) or the sentinel + if ( i_targ != MASTER_PROCESSOR_CHIP_TARGET_SENTINEL && + (i_targ == nullptr || i_targ->getAttr<ATTR_TYPE>() != TYPE_PROC) + ) + { + /*@ + * @errortype + * @moduleid SECUREBOOT::MOD_SECURE_READ_REG + * @reasoncode SECUREBOOT::RC_SECURE_BAD_TARGET + * @userdata1 Target pointer value + * @userdata2 Target's HUID or 0 if null + * target pointer. + * @devdesc Invalid target used to read security + * switch register. + * @custdesc Internal Firmware error. + */ + l_errl = new ERRORLOG::ErrlEntry(ERRORLOG::ERRL_SEV_UNRECOVERABLE, + SECUREBOOT::MOD_SECURE_READ_REG, + SECUREBOOT::RC_SECURE_BAD_TARGET, + reinterpret_cast<uint64_t>(i_targ), + TO_UINT64(get_huid(i_targ)), + true /* Add HB Software Callout */ ); + l_errl->collectTrace(SECURE_COMP_NAME, ERROR_TRACE_SIZE); + break; + } + + // Read security switch setting from processor. + l_errl = deviceRead(i_targ, + &o_regValue, size, DEVICE_SCOM_ADDRESS(i_scomAddress)); if (nullptr != l_errl) { - errlCommit(l_errl, SECURE_COMP_ID); - // This assert is needed because the deviceRead returns an - // informational error log so the system would otherwise not be - // halted. - assert(false,"SECUREBOOT::Settings::readSecurityRegister() Unable" - " to read security register"); + break; } - assert(size == sizeof(l_regValue), + assert(size == sizeof(o_regValue), "size returned from device read is not the expected size of %i", - sizeof(l_regValue)); + sizeof(o_regValue)); + + } while(0); - return l_regValue; + return l_errl; } } diff --git a/src/usr/secureboot/settings.H b/src/usr/secureboot/settings.H deleted file mode 100644 index 499fea5eb..000000000 --- a/src/usr/secureboot/settings.H +++ /dev/null @@ -1,82 +0,0 @@ -/* IBM_PROLOG_BEGIN_TAG */ -/* This is an automatically generated prolog. */ -/* */ -/* $Source: src/usr/secureboot/settings.H $ */ -/* */ -/* OpenPOWER HostBoot Project */ -/* */ -/* Contributors Listed Below - COPYRIGHT 2013,2016 */ -/* [+] International Business Machines Corp. */ -/* */ -/* */ -/* Licensed under the Apache License, Version 2.0 (the "License"); */ -/* you may not use this file except in compliance with the License. */ -/* You may obtain a copy of the License at */ -/* */ -/* http://www.apache.org/licenses/LICENSE-2.0 */ -/* */ -/* Unless required by applicable law or agreed to in writing, software */ -/* distributed under the License is distributed on an "AS IS" BASIS, */ -/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ -/* implied. See the License for the specific language governing */ -/* permissions and limitations under the License. */ -/* */ -/* IBM_PROLOG_END_TAG */ -#ifndef __SECUREBOOT_SETTINGS_H -#define __SECUREBOOT_SETTINGS_H - -#include <stdint.h> - -namespace SECUREBOOT -{ - /** @class Settings - * - * @brief Caches and parses the hardware settings for Secureboot. - */ - class Settings - { - public: - Settings() : iv_enabled(false) { _init(); }; - ~Settings() {}; - - /** @brief Determine if Secureboot is enabled. */ - bool getEnabled() const; - - /** @brief Get security switch register value */ - uint64_t getSecuritySwitch() const; - - /** @brief Returns the state of the secure jumper as reported by the - * master processor. - * - * @par Detailed Description: - * Returns the state of the secure jumper as reported by the - * master processor. This should NOT be used to determine - * whether security is enabled, because several conditions are - * aggregated together to determine that. To query whether - * security is actually enabled or not, call the enabled() API. - * This is a limited-use API intended to be called by trusted - * boot code to determine whether a system shipped with a - * secure jumper applied or removed, in order to decide - * whether to enforce the "TPM Required" policy or not. - * @return Boolean indicating acting master processor's secure - * jumper state - * @retval true Jumper is configured to request HW security. This - * does not necessarily imply security is enabled, because an - * open SBE can override the HW policy. Use the getEnabled() - * API to determine whether security is actually enabled. - * @retval false Jumper is configured to disble HW security. - */ - bool getJumperState() const; - - private: - void _init(); - - /** helper function to encapsulate the details of register reads */ - uint64_t readSecurityRegister(const uint64_t i_scomAddress) const; - - /** Cached secure boot enabled value */ - bool iv_enabled; - }; -} - -#endif diff --git a/src/usr/secureboot/trusted/trustedboot.C b/src/usr/secureboot/trusted/trustedboot.C index 7de63e1d7..a7b7f8c56 100644 --- a/src/usr/secureboot/trusted/trustedboot.C +++ b/src/usr/secureboot/trusted/trustedboot.C @@ -55,7 +55,7 @@ #include "trustedbootUtils.H" #include "tpmLogMgr.H" #include "base/trustedbootMsg.H" -#include "../settings.H" +#include <secureboot/settings.H> namespace TRUSTEDBOOT { @@ -506,8 +506,13 @@ errlHndl_t tpmLogConfigEntries(TRUSTEDBOOT::TpmTarget & io_target) memset(l_digest, 0, sizeof(uint64_t)); // Security switches - uint64_t l_securitySwitchValue = Singleton<SECUREBOOT::Settings>:: - instance().getSecuritySwitch(); + uint64_t l_securitySwitchValue = 0; + l_err = SECUREBOOT::getSecuritySwitch(l_securitySwitchValue, + TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL); + if (l_err) + { + break; + } TRACFCOMP(g_trac_trustedboot, "security switch value = 0x%X", l_securitySwitchValue); // Extend to TPM - PCR_1 @@ -774,8 +779,19 @@ void tpmVerifyFunctionalTpmExists() "NO FUNCTIONAL TPM FOUND"); // Check to ensure jumper indicates we are running secure - if (false) /// @todo Story 161916 Change to call getJumperState - // if (SECUREBOOT::getJumperState()) + SECUREBOOT::SecureJumperState l_state + = SECUREBOOT::SecureJumperState::SECURITY_DEASSERTED; + err = SECUREBOOT::getJumperState(l_state); + if (err) + { + errlCommit(err, SECURE_COMP_ID); + + auto errPlid = err->plid(); + + // we should not continue if we could not read the jumper state + INITSERVICE::doShutdown(errPlid); + } + else if (l_state == SECUREBOOT::SecureJumperState::SECURITY_ASSERTED) { /*@ * @errortype |
