diff options
| author | Jaymes Wilks <mjwilks@us.ibm.com> | 2018-06-14 09:26:30 -0500 |
|---|---|---|
| committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2018-06-28 22:47:58 -0400 |
| commit | ef1e2276640040b2bbf187a1d85c8bd6929f4d56 (patch) | |
| tree | a34b2c4d647e3f047a8fed78f30596b548edbcb2 /src | |
| parent | cf258fcfb753bafcfac0659ded5f312c793d047d (diff) | |
| download | blackbird-hostboot-ef1e2276640040b2bbf187a1d85c8bd6929f4d56.tar.gz blackbird-hostboot-ef1e2276640040b2bbf187a1d85c8bd6929f4d56.zip | |
In non-MNFG, only match SBE keys for the sides that boot
FSP was not IPL'ing from SBE side 1 when production key is corrupt
in SEEPROM of SBE side 0 (due to the key mismatch check). This
change gets around that by only matching SBE keys for the sides
that booted in non-MNFG case.
Change-Id: I1dfcb5c7f7e281125fdbcfc8b8f3a84747c90f59
CQ:SW420430
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/60571
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: ILYA SMIRNOV <ismirno@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/include/usr/isteps/istep_reasoncodes.H | 4 | ||||
| -rw-r--r-- | src/include/usr/sbe/sbe_update.H | 7 | ||||
| -rw-r--r-- | src/usr/isteps/istep10/call_proc_cen_ref_clk_enable.C | 265 | ||||
| -rw-r--r-- | src/usr/sbe/sbe_update.C | 14 |
4 files changed, 216 insertions, 74 deletions
diff --git a/src/include/usr/isteps/istep_reasoncodes.H b/src/include/usr/isteps/istep_reasoncodes.H index 31bb8a7bb..282ebe3c3 100644 --- a/src/include/usr/isteps/istep_reasoncodes.H +++ b/src/include/usr/isteps/istep_reasoncodes.H @@ -54,7 +54,7 @@ namespace ISTEP MOD_PM_LOAD_HOST_DATA_TO_SRAM = 0x12, MOD_VOLTAGE_CONFIG = 0x13, MOD_PM_VERIFY_OCC_CHKPT = 0x14, - MOD_UPDATE_REDUNDANT_TPM = 0x15, + MOD_VALIDATE_SECURITY_SETTINGS = 0x15, MOD_PROC_EXIT_CACHE_CONTAINED = 0x16, MOD_SBE_PERFORM_UPDATE_CHECK = 0x1A, MOD_SET_IPL_PARMS = 0x1D, @@ -127,6 +127,8 @@ namespace ISTEP RC_ULTRA_TURBO_FREQ_MISMATCH = ISTEP_COMP_ID | 0x45, RC_NEST_FREQ_MISMATCH = ISTEP_COMP_ID | 0x46, RC_NO_VALID_MEM_CONFIG = ISTEP_COMP_ID | 0x47, + RC_MASTER_GET_SBE_BOOT_SEEPROM_FAIL = ISTEP_COMP_ID | 0x48, + RC_SLAVE_GET_SBE_BOOT_SEEPROM_FAIL = ISTEP_COMP_ID | 0x49, }; }; diff --git a/src/include/usr/sbe/sbe_update.H b/src/include/usr/sbe/sbe_update.H index 70ecf6f15..82b535ddc 100644 --- a/src/include/usr/sbe/sbe_update.H +++ b/src/include/usr/sbe/sbe_update.H @@ -317,10 +317,15 @@ namespace SBE * * @param[out] o_bootSide The Seeprom the SBE booted from * + * @param[in] i_failoverToMaster If the SBE is not started for the supplied + * processor, use master processor instead. + * default is true + * * @return errlHndl_t Error log handle on failure. */ errlHndl_t getSbeBootSeeprom(TARGETING::Target* i_target, - sbeSeepromSide_t& o_bootSide); + sbeSeepromSide_t& o_bootSide, + bool i_failoverToMaster = true); /** * @brief Collects Version information from a specific SEEPROM using I2C diff --git a/src/usr/isteps/istep10/call_proc_cen_ref_clk_enable.C b/src/usr/isteps/istep10/call_proc_cen_ref_clk_enable.C index f0828b072..c2b005b97 100644 --- a/src/usr/isteps/istep10/call_proc_cen_ref_clk_enable.C +++ b/src/usr/isteps/istep10/call_proc_cen_ref_clk_enable.C @@ -207,7 +207,7 @@ void handleProcessorSecurityError(TARGETING::Target* i_pProc, if (i_rc==RC_PROC_SECURITY_STATE_MISMATCH) { TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace, - ERR_MRK"handleProcessorSecurityError: processor state does match master for processor tgt=0x%X", + ERR_MRK"handleProcessorSecurityError: processor state doesn't match master for processor tgt=0x%X", TARGETING::get_huid(i_pProc)); TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace, @@ -243,14 +243,16 @@ void handleProcessorSecurityError(TARGETING::Target* i_pProc, i_rc==RC_MASTER_PROC_PRIMARY_HASH_READ_FAIL?"Master primary hash read": i_rc==RC_MASTER_PROC_BACKUP_HASH_READ_FAIL?"Master backup hash read": i_rc==RC_MASTER_PROC_CBS_CONTROL_READ_FAIL?"Master CBS control read": + i_rc==RC_MASTER_GET_SBE_BOOT_SEEPROM_FAIL?"Master get SBE boot Seeprom": i_rc==RC_SLAVE_PROC_PRIMARY_HASH_READ_FAIL?"Slave primary hash read": i_rc==RC_SLAVE_PROC_BACKUP_HASH_READ_FAIL?"Slave backup hash read": i_rc==RC_SLAVE_PROC_CBS_CONTROL_READ_FAIL?"Slave CBS control read": + i_rc==RC_SLAVE_GET_SBE_BOOT_SEEPROM_FAIL?"Slave get SBE Boot Seeprom": "unknown"); } auto err = new ERRORLOG::ErrlEntry(l_severity, - ISTEP::MOD_UPDATE_REDUNDANT_TPM, + ISTEP::MOD_VALIDATE_SECURITY_SETTINGS, i_rc, TARGETING::get_huid(i_pProc), TO_UINT64(i_mismatches.val), @@ -295,7 +297,7 @@ void handleProcessorSecurityError(TARGETING::Target* i_pProc, } // save off reason code before committing - auto l_reason = err->reasonCode(); + const auto l_reason = err->reasonCode(); ERRORLOG::errlCommit(err, ISTEP_COMP_ID); @@ -399,7 +401,7 @@ void validateSecuritySettings() TARGETING::get_huid(l_tpm)); // save the plid from the error before commiting - auto plid = err->plid(); + const auto plid = err->plid(); ERRORLOG::ErrlUserDetailsTarget(*pProcItr).addToLog(err); @@ -409,7 +411,7 @@ void validateSecuritySettings() /*@ * @errortype * @reasoncode ISTEP::RC_UPDATE_SECURITY_CTRL_HWP_FAIL - * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM + * @moduleid ISTEP::MOD_VALIDATE_SECURITY_SETTINGS * @severity ERRL_SEV_UNRECOVERABLE * @userdata1 Processor Target * @userdata2 TPM Target @@ -419,7 +421,7 @@ void validateSecuritySettings() * @custdesc Platform security problem detected */ err = new ERRORLOG::ErrlEntry(ERRORLOG::ERRL_SEV_UNRECOVERABLE, - ISTEP::MOD_UPDATE_REDUNDANT_TPM, + ISTEP::MOD_VALIDATE_SECURITY_SETTINGS, ISTEP::RC_UPDATE_SECURITY_CTRL_HWP_FAIL, TARGETING::get_huid(*pProcItr), TARGETING::get_huid(l_tpm), @@ -468,6 +470,17 @@ void validateSecuritySettings() uint64_t l_mainCbs = 0; + // we need to know if we're in manufacturing mode to do some logic later + TARGETING::Target* sys = nullptr; + (void) targetService().getTopLevelTarget(sys); + assert(sys, "validateSecuritySettings() system target is null"); + const auto mnfg_flags = sys->getAttr<ATTR_MNFG_FLAGS>(); + bool mnfg_mode = false; + if(mnfg_flags & MNFG_FLAG_SRC_TERM) + { + mnfg_mode = true; + } + // a list of hashes we will be using to match primary to backups and // masters to slaves std::vector<HashNode> l_hashes; @@ -495,7 +508,7 @@ void validateSecuritySettings() if (err) { // if this happens we are in big trouble - auto rc = err->reasonCode(); + const auto rc = err->reasonCode(); ERRORLOG::errlCommit(err, ISTEP_COMP_ID); TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace, "Terminating because future security cannot be guaranteed."); @@ -508,13 +521,13 @@ void validateSecuritySettings() err = SECUREBOOT::getProcCbsControlRegister(l_mainCbs, mProc); if (err) { - auto plid = err->plid(); + const auto plid = err->plid(); ERRORLOG::errlCommit(err, ISTEP_COMP_ID); /*@ * @errortype * @reasoncode ISTEP::RC_MASTER_PROC_CBS_CONTROL_READ_FAIL - * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM + * @moduleid ISTEP::MOD_VALIDATE_SECURITY_SETTINGS * @userdata1 Master Processor Target * @devdesc Unable to read the master processor CBS control * register @@ -528,62 +541,120 @@ void validateSecuritySettings() break; } - // read the primary sbe HW keys' hash for the master processor - err = SBE::getHwKeyHashFromSbeImage( - mProc, - EEPROM::SBE_PRIMARY, - l_masterHash); + SBE::sbeSeepromSide_t bootSide = SBE::SBE_SEEPROM_INVALID; + err = SBE::getSbeBootSeeprom(mProc, bootSide); if (err) { - auto plid = err->plid(); + const auto plid = err->plid(); ERRORLOG::errlCommit(err, ISTEP_COMP_ID); /*@ * @errortype - * @reasoncode ISTEP::RC_MASTER_PROC_PRIMARY_HASH_READ_FAIL - * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM + * @reasoncode ISTEP::RC_MASTER_GET_SBE_BOOT_SEEPROM_FAIL + * @moduleid ISTEP::MOD_VALIDATE_SECURITY_SETTINGS * @userdata1 Master Processor Target - * @devdesc Unable to read the master processor primary hash - * from the SBE + * @devdesc Unable to get the master SBE boot seeprom side + * * @custdesc Platform security problem detected */ handleProcessorSecurityError(mProc, + ISTEP::RC_MASTER_GET_SBE_BOOT_SEEPROM_FAIL, + l_hashes, + plid, + false); // stop IPL and deconfig processor + break; + } + + bool primaryReadFailAllowed = false; + + // read the primary sbe HW keys' hash for the master processor + err = SBE::getHwKeyHashFromSbeImage( + mProc, + EEPROM::SBE_PRIMARY, + l_masterHash); + + if (err) + { + if (!mnfg_mode && bootSide != SBE::SBE_SEEPROM0) + { + primaryReadFailAllowed = true; + TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace, "It's a non-mnfg boot and we failed to read the master primary HW SBE Keys' hash from seeprom 0. Ignoring the error since we didn't boot from that seeprom"); + err->collectTrace(ISTEP_COMP_NAME); + ERRORLOG::errlCommit(err, ISTEP_COMP_ID); + } + else + { + const auto plid = err->plid(); + ERRORLOG::errlCommit(err, ISTEP_COMP_ID); + + /*@ + * @errortype + * @reasoncode ISTEP::RC_MASTER_PROC_PRIMARY_HASH_READ_FAIL + * @moduleid ISTEP::MOD_VALIDATE_SECURITY_SETTINGS + * @userdata1 Master Processor Target + * @devdesc Unable to read the master processor primary hash + * from the SBE + * @custdesc Platform security problem detected + */ + handleProcessorSecurityError(mProc, ISTEP::RC_MASTER_PROC_PRIMARY_HASH_READ_FAIL, l_hashes, plid, false); // stop IPL and deconfig processor + } } + bool backupReadFailAllowed = false; + // read the backup sbe HW keys' hash for the master processor err = SBE::getHwKeyHashFromSbeImage( mProc, EEPROM::SBE_BACKUP, l_backupHash); + if (err) { - auto plid = err->plid(); - ERRORLOG::errlCommit(err, ISTEP_COMP_ID); + if (!mnfg_mode && bootSide != SBE::SBE_SEEPROM1) + { + backupReadFailAllowed = true; + TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace, "It's a non-mnfg boot and we failed to read the master backup HW SBE Keys' hash from seeprom 1. Ignoring the error since we didn't boot from that seeprom"); + err->collectTrace(ISTEP_COMP_NAME); + ERRORLOG::errlCommit(err, ISTEP_COMP_ID); + } + else + { + const auto plid = err->plid(); + ERRORLOG::errlCommit(err, ISTEP_COMP_ID); - /*@ - * @errortype - * @reasoncode ISTEP::RC_MASTER_PROC_BACKUP_HASH_READ_FAIL - * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM - * @userdata1 Processor Target - * @devdesc Unable to read the master processor backup hash - * from the SBE - * @custdesc Platform security problem detected - */ - handleProcessorSecurityError(mProc, + /*@ + * @errortype + * @reasoncode ISTEP::RC_MASTER_PROC_BACKUP_HASH_READ_FAIL + * @moduleid ISTEP::MOD_VALIDATE_SECURITY_SETTINGS + * @userdata1 Processor Target + * @devdesc Unable to read the master processor backup hash + * from the SBE + * @custdesc Platform security problem detected + */ + handleProcessorSecurityError(mProc, ISTEP::RC_MASTER_PROC_BACKUP_HASH_READ_FAIL, l_hashes, plid, false); // stop IPL and deconfig processor - break; + break; + } } // make sure the master processor primary and backup SBE HW keys' hashes - // match each other - if (memcmp(l_masterHash,l_backupHash, SHA512_DIGEST_LENGTH)!=0) + // match each other. + if (primaryReadFailAllowed) + { + memcpy(l_masterHash, l_backupHash, SHA512_DIGEST_LENGTH); + } + else if (backupReadFailAllowed) + { + memcpy(l_backupHash, l_masterHash, SHA512_DIGEST_LENGTH); + } + else if(memcmp(l_masterHash,l_backupHash, SHA512_DIGEST_LENGTH)!=0) { // add only the hashes relevant to the error to hashes vector l_hashes.push_back(l_master); @@ -593,7 +664,7 @@ void validateSecuritySettings() /*@ * @errortype * @reasoncode ISTEP::RC_MASTER_PROC_SBE_KEYS_HASH_MISMATCH - * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM + * @moduleid ISTEP::MOD_VALIDATE_SECURITY_SETTINGS * @severity ERRL_SEV_UNRECOVERABLE * @userdata1 Master Processor Target * @devdesc The primary SBE HW Keys' hash does not match the @@ -630,13 +701,13 @@ void validateSecuritySettings() err = SECUREBOOT::getProcCbsControlRegister(l_procCbs, pProc); if (err) { - auto plid = err->plid(); + const auto plid = err->plid(); ERRORLOG::errlCommit(err, ISTEP_COMP_ID); /*@ * @errortype * @reasoncode ISTEP::RC_SLAVE_PROC_CBS_CONTROL_READ_FAIL - * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM + * @moduleid ISTEP::MOD_VALIDATE_SECURITY_SETTINGS * @userdata1 Slave Processor Target * @devdesc Unable to read the slave processor CBS control * register @@ -651,33 +722,73 @@ void validateSecuritySettings() continue; } - // read the primary sbe HW keys' hash for the current processor - err = SBE::getHwKeyHashFromSbeImage( - pProc, - EEPROM::SBE_PRIMARY, - l_slaveHashPri); + bootSide = SBE::SBE_SEEPROM_INVALID; + err = getSbeBootSeeprom(pProc, bootSide, false); if (err) { - auto plid = err->plid(); + const auto plid = err->plid(); ERRORLOG::errlCommit(err, ISTEP_COMP_ID); /*@ * @errortype - * @reasoncode ISTEP::RC_SLAVE_PROC_PRIMARY_HASH_READ_FAIL - * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM + * @reasoncode ISTEP::RC_SLAVE_GET_SBE_BOOT_SEEPROM_FAIL + * @moduleid ISTEP::MOD_VALIDATE_SECURITY_SETTINGS * @userdata1 Slave Processor Target - * @devdesc Unable to read the slave processor primary - * hash from the SBE + * @devdesc Unable to get the slave SBE boot seeprom side + * * @custdesc Platform security problem detected */ handleProcessorSecurityError(pProc, - ISTEP::RC_SLAVE_PROC_PRIMARY_HASH_READ_FAIL, + ISTEP::RC_SLAVE_GET_SBE_BOOT_SEEPROM_FAIL, l_hashes, plid, true); // deconfigure proc and move on continue; } + bool skipPrimaryMatch = false; + + // read the primary sbe HW keys' hash for the current processor + err = SBE::getHwKeyHashFromSbeImage( + pProc, + EEPROM::SBE_PRIMARY, + l_slaveHashPri); + + if (err) + { + + if (!mnfg_mode && bootSide != SBE::SBE_SEEPROM0) + { + skipPrimaryMatch = true; + TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace, "It's a non-mnfg boot and we failed to read the HW SBE Keys' hash from seeprom 0, HUID:0x%.8X. Ignoring the error since we didn't boot from that seeprom", TARGETING::get_huid(pProc)); + err->collectTrace(ISTEP_COMP_NAME); + ERRORLOG::errlCommit(err, ISTEP_COMP_ID); + } + else + { + const auto plid = err->plid(); + ERRORLOG::errlCommit(err, ISTEP_COMP_ID); + + /*@ + * @errortype + * @reasoncode ISTEP::RC_SLAVE_PROC_PRIMARY_HASH_READ_FAIL + * @moduleid ISTEP::MOD_VALIDATE_SECURITY_SETTINGS + * @userdata1 Slave Processor Target + * @devdesc Unable to read the slave processor primary + * hash from the SBE + * @custdesc Platform security problem detected + */ + handleProcessorSecurityError(pProc, + ISTEP::RC_SLAVE_PROC_PRIMARY_HASH_READ_FAIL, + l_hashes, + plid, + true); // deconfigure proc and move on + continue; + } + } + + bool skipBackupMatch = false; + // read the backup sbe HW keys' hash for the current processor err = SBE::getHwKeyHashFromSbeImage( pProc, @@ -685,25 +796,35 @@ void validateSecuritySettings() l_slaveHashBac); if (err) { - auto plid = err->plid(); - ERRORLOG::errlCommit(err, ISTEP_COMP_ID); - - /*@ - * @errortype - * @reasoncode ISTEP::RC_SLAVE_PROC_BACKUP_HASH_READ_FAIL - * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM - * @userdata1 Slave Processor Target - * @devdesc Unable to read the slave processor backup - * hash from the SBE - * @custdesc Platform security problem detected - */ - handleProcessorSecurityError(pProc, + if (!mnfg_mode && bootSide != SBE::SBE_SEEPROM1) + { + skipBackupMatch = true; + TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace, "It's a non-mnfg boot and we failed to read the HW SBE Keys' hash from seeprom 1, HUID:0x%.8X Ignoring the error since we didn't boot from that seeprom", TARGETING::get_huid(pProc)); + err->collectTrace(ISTEP_COMP_NAME); + ERRORLOG::errlCommit(err, ISTEP_COMP_ID); + } + else + { + const auto plid = err->plid(); + ERRORLOG::errlCommit(err, ISTEP_COMP_ID); + + /*@ + * @errortype + * @reasoncode ISTEP::RC_SLAVE_PROC_BACKUP_HASH_READ_FAIL + * @moduleid ISTEP::MOD_VALIDATE_SECURITY_SETTINGS + * @userdata1 Slave Processor Target + * @devdesc Unable to read the slave processor backup + * hash from the SBE + * @custdesc Platform security problem detected + */ + handleProcessorSecurityError(pProc, ISTEP::RC_SLAVE_PROC_BACKUP_HASH_READ_FAIL, l_hashes, plid, true); // deconfigure proc and move on - continue; + continue; + } } // If the current processor has a key or SAB mismatch @@ -722,14 +843,20 @@ void validateSecuritySettings() (SECUREBOOT::ProcCbsControl::JumperStateBit & l_procCbs); // primary sbe hash mismatch - l_mismatches.primis = memcmp(l_slaveHashPri, - l_masterHash, - SHA512_DIGEST_LENGTH) != 0; + if (!skipPrimaryMatch) + { + l_mismatches.primis = memcmp(l_slaveHashPri, + l_masterHash, + SHA512_DIGEST_LENGTH) != 0; + } // backup sbe hash mismatch - l_mismatches.bacmis = memcmp(l_slaveHashBac, - l_masterHash, - SHA512_DIGEST_LENGTH) != 0; + if (!skipBackupMatch) + { + l_mismatches.bacmis = memcmp(l_slaveHashBac, + l_masterHash, + SHA512_DIGEST_LENGTH) != 0; + } // only provide the relevant hashes for error handling cases if(l_mismatches.primis || l_mismatches.bacmis) @@ -766,7 +893,7 @@ void validateSecuritySettings() /*@ * @errortype * @reasoncode ISTEP::RC_PROC_SECURITY_STATE_MISMATCH - * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM + * @moduleid ISTEP::MOD_VALIDATE_SECURITY_SETTINGS * @userdata1 Processor Target * @userdata2[60:60] SAB bit mismatch * @userdata2[61:61] Jumper (SMD) bit mismatch diff --git a/src/usr/sbe/sbe_update.C b/src/usr/sbe/sbe_update.C index c930706cc..63c8c458e 100644 --- a/src/usr/sbe/sbe_update.C +++ b/src/usr/sbe/sbe_update.C @@ -1624,7 +1624,8 @@ namespace SBE ///////////////////////////////////////////////////////////////////// errlHndl_t getSbeBootSeeprom(TARGETING::Target* i_target, - sbeSeepromSide_t& o_bootSide) + sbeSeepromSide_t& o_bootSide, + const bool i_failoverToMaster) { TRACFCOMP( g_trac_sbe, ENTER_MRK"getSbeBootSeeprom()" ); @@ -1635,15 +1636,22 @@ namespace SBE o_bootSide = SBE_SEEPROM_INVALID; do{ + assert(i_target != nullptr,"Bug! Attempting to get the boot seeprom of a null target."); - TARGETING::Target * l_target=i_target; + TARGETING::Target * l_target=i_target; // Get the Master Proc Chip Target for comparisons later TargetService& tS = targetService(); err = tS.queryMasterProcChipTargetHandle( masterProcChipTargetHandle); - if( (i_target != masterProcChipTargetHandle) && + if ( err ) + { + break; + } + + if( i_failoverToMaster && + (i_target != masterProcChipTargetHandle) && !(i_target->getAttr<ATTR_SBE_IS_STARTED>()) ) { l_target=masterProcChipTargetHandle; |
