| author | Mike Baiocchi <mbaiocch@us.ibm.com> | 2017-05-18 17:12:26 -0500 |
|---|---|---|
| committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-06-07 09:40:09 -0400 |
| commit | 94eff06a67f84e9eb0f2189efd7a0b47029fd154 (patch) | |
| tree | 963bbdaa8eb9fe5dc72e4bec62b3c3b2c5880d53 /src | |
| parent | 449f2ba22f199b36de5e041ff8d028af8c3c3652 (diff) | |
Disable Attribute Overrides in Secure Mode
This commit disables attribute overrides during the IPL and at Runtime
when the system has security enabled.
Change-Id: Ia56b11fc1450c8e11be27c90c0de179038273873
RTC: 163094
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/40735
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/include/usr/secureboot/service.H | 3 | ||||
| -rw-r--r-- | src/include/usr/targeting/common/targreasoncodes.H | 4 | ||||
| -rw-r--r-- | src/usr/pnor/pnor_common.C | 8 | ||||
| -rw-r--r-- | src/usr/pnor/runtime/rt_pnor.C | 46 | ||||
| -rw-r--r-- | src/usr/secureboot/runtime/rt_secureboot.C | 52 | ||||
| -rw-r--r-- | src/usr/targeting/runtime/attrPlatOverride_rt.C | 99 |
6 files changed, 156 insertions, 56 deletions
diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H index 8826fe252..94fa09ec5 100644 --- a/src/include/usr/secureboot/service.H +++ b/src/include/usr/secureboot/service.H @@ -83,12 +83,11 @@ namespace SECUREBOOT /** @brief Determines if Secureboot is enabled. */ -#if defined(CONFIG_SECUREBOOT) && !defined(__HOSTBOOT_RUNTIME) +#if defined(CONFIG_SECUREBOOT) bool enabled(); #else inline bool enabled() { return false; }; #endif - //@fixme-RTC:163094-Remove RUNTIME check once the code is there /** @brief Get security switch register value * @par Detailed Description: diff --git a/src/include/usr/targeting/common/targreasoncodes.H b/src/include/usr/targeting/common/targreasoncodes.H index 979513cd5..cf88bc1a9 100644 --- a/src/include/usr/targeting/common/targreasoncodes.H +++ b/src/include/usr/targeting/common/targreasoncodes.H @@ -5,7 +5,7 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* Contributors Listed Below - COPYRIGHT 2012,2016 */ +/* Contributors Listed Below - COPYRIGHT 2012,2017 */ /* [+] International Business Machines Corp. */ /* */ /* */ @@ -47,6 +47,7 @@ enum TargetingModuleId TARG_PARSE_ATTR_SECT_HEADER = 0x07, TARG_MSG_SERVICE_TASK = 0x08, TARG_CREATE_VMM_SECTIONS = 0x09, + TARG_APPLY_ATTR_OVER = 0x0A, }; enum TargetingReasonCode @@ -70,6 +71,7 @@ enum TargetingReasonCode TARG_RC_WRITE_ATTR_OVER_WRONG_PNOR_SEC = TARG_COMP_ID | 0x11, TARG_RC_WRITE_ATTR_OVER_NO_TANK_LAYER = TARG_COMP_ID | 0x12, TARG_RC_MM_BLOCK_MAP_FAIL = TARG_COMP_ID | 0x13, + TARG_RC_APPLY_ATTR_OVER_NOT_ALLOWED = TARG_COMP_ID | 0x14, }; }; // End TARGETING namespace diff --git a/src/usr/pnor/pnor_common.C b/src/usr/pnor/pnor_common.C index eb62a6c36..2c491d990 100644 --- a/src/usr/pnor/pnor_common.C +++ b/src/usr/pnor/pnor_common.C 
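Review bot: The `@brief` on `enabled()` in service.H no longer describes the runtime build, where the declaration now resolves to a real implementation that performs a hardware register read instead of the compile-time `false` stub. I would extend the comment to something like `/** @brief Determines if Secureboot is enabled. At runtime this reads the master processor's security switch register on every call and reports false when that read fails. */` so callers gating security policy on it know the answer comes from a per-call hardware read with a fail-open error path. The `#else` stub `inline bool enabled() { return false; };` still carries a stray trailing `;`; it is pre-existing, but worth dropping while these lines are being touched.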
@@ -385,12 +385,10 @@ errlHndl_t PNOR::extendHash(uint64_t i_addr, bool PNOR::isInhibitedSection(const uint32_t i_section) { -// TODO securebootp9 for now we won't be inhibiting overrides #ifdef CONFIG_SECUREBOOT -// return (i_section == ATTR_PERM || -// i_section == ATTR_TMP) && -// SECUREBOOT::enabled(); - return false; + return (i_section == ATTR_PERM || + i_section == ATTR_TMP) && + SECUREBOOT::enabled(); #else return false; #endif diff --git a/src/usr/pnor/runtime/rt_pnor.C b/src/usr/pnor/runtime/rt_pnor.C index cde36a487..a154254b3 100644 --- a/src/usr/pnor/runtime/rt_pnor.C +++ b/src/usr/pnor/runtime/rt_pnor.C @@ -40,6 +40,7 @@ #include <util/align.H> #include <runtime/customize_attrs_for_payload.H> #include <securerom/ROM.H> +#include <config.h> // Trace definition extern trace_desc_t* g_trac_pnor; @@ -109,9 +110,9 @@ void PNOR::getPnorInfo( PnorInfo_t& o_pnorInfo ) o_pnorInfo.mmioOffset = LPC_SFC_MMIO_OFFSET | LPC_FW_SPACE; //Using sys target - TARGETING::Target* sys = NULL; + TARGETING::Target* sys = nullptr; TARGETING::targetService().getTopLevelTarget( sys ); - assert(sys != NULL); + assert(sys != nullptr); o_pnorInfo.norWorkarounds = sys->getAttr< TARGETING::ATTR_PNOR_FLASH_WORKAROUNDS>(); 
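Review bot: The `#ifdef CONFIG_SECUREBOOT` / `#else return false;` split in `PNOR::isInhibitedSection` is now redundant, because `SECUREBOOT::enabled()` is itself an inline `false` when `CONFIG_SECUREBOOT` is undefined (service.H hunk in this commit), so the body can be the single unconditional `return (i_section == ATTR_PERM || i_section == ATTR_TMP) && SECUREBOOT::enabled();`. Collapsing it also removes the chance of the two branches drifting apart in a later edit. Note that only ATTR_PERM and ATTR_TMP are gated here; if any other PNOR section can carry attribute overrides it is not inhibited, which I cannot confirm from this hunk. The function's signature sits in the hunk header, so its opening line is outside the shown lines.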
@@ -154,24 +155,37 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section, PNOR::SectionInfo_t& o_info) { TRACFCOMP(g_trac_pnor, ENTER_MRK"RtPnor::getSectionInfo"); - errlHndl_t l_err = NULL; + errlHndl_t l_err = nullptr; do { - if (i_section == PNOR::INVALID_SECTION) + bool l_inhibited = false; + #ifdef CONFIG_SECUREBOOT + l_inhibited = PNOR::isInhibitedSection(i_section); + #endif + if (i_section == PNOR::INVALID_SECTION || l_inhibited) { TRACFCOMP(g_trac_pnor, "RtPnor::getSectionInfo: Invalid Section" " %d", (int)i_section); + #ifdef CONFIG_SECUREBOOT + if (l_inhibited) + { + TRACFCOMP(g_trac_pnor, "RtPnor::getSectionInfo: " + "attribute overrides inhibited by secureboot"); + } + #endif /*@ * @errortype * @moduleid PNOR::MOD_RTPNOR_GETSECTIONINFO * @reasoncode PNOR::RC_RTPNOR_INVALID_SECTION * @userdata1 PNOR::SectionId - * @devdesc invalid section passed to getSectionInfo + * @userdata2 Inhibited by secureboot + * @devdesc invalid section passed to getSectionInfo or + * section prohibited by secureboot */ l_err = new ERRORLOG::ErrlEntry(ERRORLOG::ERRL_SEV_UNRECOVERABLE, PNOR::MOD_RTPNOR_GETSECTIONINFO, PNOR::RC_RTPNOR_INVALID_SECTION, - i_section, 0,true); + i_section, l_inhibited, true); break; } @@ -199,8 +213,8 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section, bool l_ecc = (iv_TOC[i_section].integrity&FFS_INTEG_ECC_PROTECT) ? true : false; - void* l_pWorking = NULL; - void* l_pClean = NULL; + void* l_pWorking = nullptr; + void* l_pClean = nullptr; //find the section in the map first if(iv_pnorMap.find(i_section) != iv_pnorMap.end()) @@ -263,7 +277,7 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section, errlHndl_t RtPnor::flush( PNOR::SectionId i_section) { TRACFCOMP(g_trac_pnor, ENTER_MRK"RtPnor::flush"); - errlHndl_t l_err = NULL; + errlHndl_t l_err = nullptr; do { if (i_section == PNOR::INVALID_SECTION) 
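Review bot: `RtPnor::getSectionInfo` is the only rt_pnor.C path that consults `PNOR::isInhibitedSection`; `RtPnor::flush` (context in the `@@ -263` hunk) and `clearSection` still reject only `PNOR::INVALID_SECTION`, so if either can be reached for ATTR_PERM/ATTR_TMP without a prior successful `getSectionInfo`, overrides could still be written or wiped in secure mode — worth confirming against the callers, which are not in view. The `#ifdef CONFIG_SECUREBOOT` guards around the `l_inhibited` assignment and the second trace are unnecessary because `isInhibitedSection` already returns `false` in the non-secureboot build, so plain `bool l_inhibited = PNOR::isInhibitedSection(i_section);` reads cleaner. Reusing `RC_RTPNOR_INVALID_SECTION` at `ERRL_SEV_UNRECOVERABLE` with the same trailing `true` argument as the programming-error case means a deliberate secureboot policy refusal is logged like a bad section id; a dedicated reason code would let the two be told apart in the field without decoding userdata2.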
@@ -388,8 +402,8 @@ errlHndl_t RtPnor::readFromDevice (uint64_t i_procId, TRACFCOMP(g_trac_pnor, ENTER_MRK"RtPnor::readFromDevice: i_offset=0x%X, " "i_procId=%d sec=%d size=0x%X ecc=%d", i_offset, i_procId, i_section, i_size, i_ecc); - errlHndl_t l_err = NULL; - uint8_t* l_eccBuffer = NULL; + errlHndl_t l_err = nullptr; + uint8_t* l_eccBuffer = nullptr; do { @@ -587,8 +601,8 @@ errlHndl_t RtPnor::writeToDevice( uint64_t i_procId, TRACFCOMP(g_trac_pnor, ENTER_MRK"RtPnor::writeToDevice: i_offset=0x%X, " "i_procId=%d sec=%d size=0x%X ecc=%d", i_offset, i_procId, i_section, i_size, i_ecc); - errlHndl_t l_err = NULL; - uint8_t* l_eccBuffer = NULL; + errlHndl_t l_err = nullptr; + uint8_t* l_eccBuffer = nullptr; do { @@ -804,7 +818,7 @@ RtPnor& RtPnor::getInstance() errlHndl_t RtPnor::getSideInfo( PNOR::SideId i_side, PNOR::SideInfo_t& o_info) { - errlHndl_t l_err = NULL; + errlHndl_t l_err = nullptr; do { // We only support the working side at runtime @@ -850,10 +864,10 @@ errlHndl_t RtPnor::getSideInfo( PNOR::SideId i_side, errlHndl_t RtPnor::clearSection(PNOR::SectionId i_section) { TRACFCOMP(g_trac_pnor, "RtPnor::clearSection Section id = %d", i_section); - errlHndl_t l_errl = NULL; + errlHndl_t l_errl = nullptr; const uint64_t CLEAR_BYTE = 0xFF; uint8_t* l_buf = new uint8_t[PAGESIZE](); - uint8_t* l_eccBuf = NULL; + uint8_t* l_eccBuf = nullptr; do { diff --git a/src/usr/secureboot/runtime/rt_secureboot.C b/src/usr/secureboot/runtime/rt_secureboot.C index 3b7626553..1c84c2bf1 100644 --- a/src/usr/secureboot/runtime/rt_secureboot.C +++ b/src/usr/secureboot/runtime/rt_secureboot.C 
@@ -32,9 +32,60 @@ #include <config.h> #include "common/securetrace.H" +#include <secureboot/service.H> +#include <secureboot/secure_reasoncodes.H> + +#include <errl/errlmanager.H> +#include <runtime/rt_targeting.H> +#include <targeting/common/commontargeting.H> +#include <targeting/common/targetservice.H> +#include <devicefw/userif.H> + namespace SECUREBOOT { +using namespace TARGETING; + +#if defined(CONFIG_SECUREBOOT) && defined(__HOSTBOOT_RUNTIME) +bool enabled() +{ + errlHndl_t l_errl = nullptr; + uint64_t l_regValue = 0; + size_t l_size = sizeof(l_regValue); + + TargetService& tS = targetService(); + Target* masterProcChipTargetHandle = nullptr; + + do + { + l_errl = tS.queryMasterProcChipTargetHandle( + masterProcChipTargetHandle); + + if (l_errl) + { + errlCommit(l_errl, SECURE_COMP_ID); + break; + } + + l_errl = deviceRead(masterProcChipTargetHandle, + &l_regValue, l_size, + DEVICE_SCOM_ADDRESS( + static_cast<uint64_t>(ProcSecurity::SwitchRegister))); + if (l_errl) + { + errlCommit(l_errl, SECURE_COMP_ID); + break; + } + + assert(l_size == sizeof(l_regValue)); + } while (0); + + // if there was an error l_regValue is zero, so we return false. + // Unfortunately this is all we can do. These shouldn't fail. + + return l_regValue & static_cast<uint64_t>(ProcSecurity::SabBit); +} +#endif int verify_container( const void* i_pContainer, @@ -59,6 +110,7 @@ int verify_container( return rc; } + struct registerSecurebootRt { registerSecurebootRt() diff --git a/src/usr/targeting/runtime/attrPlatOverride_rt.C b/src/usr/targeting/runtime/attrPlatOverride_rt.C index 0ceb99e26..c348b52e8 100644 --- a/src/usr/targeting/runtime/attrPlatOverride_rt.C +++ b/src/usr/targeting/runtime/attrPlatOverride_rt.C 
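Review bot: The runtime `SECUREBOOT::enabled()` fails open: when `queryMasterProcChipTargetHandle` or the `deviceRead` of the switch register fails, the error is committed, `l_regValue` stays 0 and the function returns false, so every caller that gates on it (`isInhibitedSection`, `apply_attr_override`) will permit attribute overrides on what may be a secure system. Since this function now decides a security policy, a read failure should be reported as secure (or the error handed back to the caller); the comment that these reads "shouldn't fail" means that costs nothing on the normal path. A secondary point is that every call performs a fresh SCOM read — if the SAB bit is stable for the life of the runtime image (I cannot confirm that from here), caching the result after the first successful read would avoid repeated hardware access from paths like `getSectionInfo`.
```cpp
bool enabled()
{
    // … unchanged: l_errl / l_regValue / l_size declarations …
    bool l_readOk = false;

    // … unchanged: master proc lookup and deviceRead of SwitchRegister,
    //     each committing l_errl and breaking out on failure …
        assert(l_size == sizeof(l_regValue));
        l_readOk = true;
    } while (0);

    // Fail closed: a failed register read must not silently report
    // "not secure", since callers rely on this to permit overrides.
    if (!l_readOk)
    {
        return true;
    }

    return (l_regValue & static_cast<uint64_t>(ProcSecurity::SabBit)) != 0;
}
```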
@@ -31,6 +31,10 @@ #include <targeting/common/trace.H> #include <errl/errlmanager.H> #include <initservice/initserviceif.H> +#include <config.h> +#include <secureboot/service.H> +#include <targeting/common/targreasoncodes.H> +#include <devicefw/userif.H> using namespace TARGETING; 
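Review bot: `#include <devicefw/userif.H>` is added to attrPlatOverride_rt.C, but nothing in this file's visible hunks calls `deviceRead` or any other devicefw API; unless a use exists outside the shown lines it should be dropped, as it looks carried over from rt_secureboot.C where it is needed. The other three new includes are all used by the new code (`CONFIG_SECUREBOOT`, `SECUREBOOT::enabled()`, `TARG_APPLY_ATTR_OVER`).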
@@ -45,45 +49,76 @@ int apply_attr_override(uint8_t* i_data, TRACFCOMP(g_trac_targeting, "enter apply_attr_override"); - // Clear fapi and targeting attribute override tanks. The tanks are - // expected to be empty. The passed overrides are added, not updated - // in place. - AttributeTank * l_pAttributeTank = - &fapi2::theAttrOverrideSync().iv_overrideTank; - if ((*l_pAttributeTank).attributesExist()) - { - TRACFCOMP(g_trac_targeting, "apply_attr_override:" - " clear FAPI attribute overrides"); - (*l_pAttributeTank).clearAllAttributes(); - } - l_pAttributeTank = &Target::theTargOverrideAttrTank(); - if ((*l_pAttributeTank).attributesExist()) - { - TRACFCOMP(g_trac_targeting, "apply_attr_override:" - " clear targeting attribute overrides"); - (*l_pAttributeTank).clearAllAttributes(); - } + bool l_allowOverrides = true; - // Pass attribute override blob as a pnor section - PNOR::SectionInfo_t l_sectionInfo; - l_sectionInfo.vaddr = (uint64_t)i_data; - l_sectionInfo.size = i_size; - l_sectionInfo.id = PNOR::ATTR_TMP; - l_sectionInfo.name = "Runtime TMP"; + #ifdef CONFIG_SECUREBOOT + l_allowOverrides = !SECUREBOOT::enabled(); + #endif - // Process attribute overrides - l_errl = TARGETING::getAttrOverrides(l_sectionInfo); - if (l_errl) + if (l_allowOverrides) { - TRACFCOMP(g_trac_targeting, "apply_attr_override:" - " getAttrOverrides failed"); - errlCommit(l_errl, TARG_COMP_ID); - rc = -1; + // Clear fapi and targeting attribute override tanks. The tanks are + // expected to be empty. The passed overrides are added, not updated + // in place. 
+ AttributeTank * l_pAttributeTank = + &fapi2::theAttrOverrideSync().iv_overrideTank; + if ((*l_pAttributeTank).attributesExist()) + { + TRACFCOMP(g_trac_targeting, "apply_attr_override:" + " clear FAPI attribute overrides"); + (*l_pAttributeTank).clearAllAttributes(); + } + l_pAttributeTank = &Target::theTargOverrideAttrTank(); + if ((*l_pAttributeTank).attributesExist()) + { + TRACFCOMP(g_trac_targeting, "apply_attr_override:" + " clear targeting attribute overrides"); + (*l_pAttributeTank).clearAllAttributes(); + } + + // Pass attribute override blob as a pnor section + PNOR::SectionInfo_t l_sectionInfo; + l_sectionInfo.vaddr = (uint64_t)i_data; + l_sectionInfo.size = i_size; + l_sectionInfo.id = PNOR::ATTR_TMP; + l_sectionInfo.name = "Runtime TMP"; + + // Process attribute overrides + l_errl = TARGETING::getAttrOverrides(l_sectionInfo); + if (l_errl) + { + TRACFCOMP(g_trac_targeting, "apply_attr_override:" + " getAttrOverrides failed"); + errlCommit(l_errl, TARG_COMP_ID); + rc = -1; + } } else { - TRACFCOMP(g_trac_targeting, "apply_attr_override succeed"); +#ifdef CONFIG_SECUREBOOT + TRACFCOMP(g_trac_targeting, "apply_attr_override: skipping override" + " due to SECUREBOOT enablement"); + + /* @ + * @errortype + * @moduleid TARG_APPLY_ATTR_OVER + * @reasoncode TARG_RC_APPLY_ATTR_OVER_NOT_ALLOWED + * @devdesc PnorRP::getSectionInfo> Skipping attribute override + * because of secureboot enablement + * @custdesc Attributes overrides are not allowed in secure mode. + */ + l_errl = new ERRORLOG::ErrlEntry(ERRORLOG::ERRL_SEV_INFORMATIONAL, + TARG_APPLY_ATTR_OVER, + TARG_RC_APPLY_ATTR_OVER_NOT_ALLOWED, + 0, + 0, + true /* Add HB SW Callout */); + l_errl->collectTrace(TARG_COMP_NAME); + errlCommit(l_errl, TARG_COMP_ID); + rc = -1; +#endif } + return rc; } |
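Review bot: The success trace is lost in `apply_attr_override`: the original `else` emitted `"apply_attr_override succeed"` after `getAttrOverrides` returned cleanly, but that `else` now belongs to `if (l_allowOverrides)` and holds only the secureboot-denied path, so re-add `TRACFCOMP(g_trac_targeting, "apply_attr_override succeed");` in the `else` of the inner `if (l_errl)`. The new errl comment `@devdesc PnorRP::getSectionInfo> Skipping attribute override` names the wrong module; it should read `@devdesc apply_attr_override> Skipping attribute override because of secureboot enablement`. Attaching a HB SW callout (`true /* Add HB SW Callout */`) to an informational log for an expected policy refusal invites misleading service actions, so `false` seems more appropriate unless a callout is deliberately intended. Finally, the `#ifdef CONFIG_SECUREBOOT` around `l_allowOverrides = !SECUREBOOT::enabled();` is redundant since `enabled()` is an inline `false` without that config (service.H hunk). The function signature is in the hunk header, so the function starts outside the shown lines.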

