-rw-r--r--src/include/usr/runtime/runtime.H13
-rwxr-xr-xsrc/usr/hdat/hdatiplparms.C31
-rwxr-xr-xsrc/usr/hdat/hdatiplparms.H3
-rw-r--r--src/usr/isteps/istep21/call_host_runtime_setup.C15
-rw-r--r--src/usr/runtime/hdatstructs.H15
-rw-r--r--src/usr/runtime/populate_hbruntime.C115
6 files changed, 160 insertions, 32 deletions
diff --git a/src/include/usr/runtime/runtime.H b/src/include/usr/runtime/runtime.H
index dc24175cb..bde444d0d 100644
--- a/src/include/usr/runtime/runtime.H
+++ b/src/include/usr/runtime/runtime.H
@@ -5,7 +5,7 @@
/* */
/* OpenPOWER HostBoot Project */
/* */
-/* Contributors Listed Below - COPYRIGHT 2012,2016 */
+/* Contributors Listed Below - COPYRIGHT 2012,2017 */
/* [+] International Business Machines Corp. */
/* */
/* */
@@ -69,6 +69,17 @@ errlHndl_t load_host_data( void );
errlHndl_t populate_hbRuntimeData( void );
/**
+ * @brief Populate HB secureboot data in mainstore
+ *
+ * @description Populates the System Parameters section of HDAT with
+ * values acquired via the secureboot module from a verified source, and
+ * so, henceforth are available to the host at runtime.
+ *
+ * @return errlHndl_t NULL on Success
+ */
+errlHndl_t populate_hbSecurebootData( void );
+
+/**
* @brief Fills in HBRT for given NODE
*
* @param[in] iNodeId : Node number from 0 to 7 ..etc...
diff --git a/src/usr/hdat/hdatiplparms.C b/src/usr/hdat/hdatiplparms.C
index 33f2c4b3f..900dbf07c 100755
--- a/src/usr/hdat/hdatiplparms.C
+++ b/src/usr/hdat/hdatiplparms.C
@@ -773,32 +773,15 @@ void HdatIplParms::hdatGetSystemParamters()
HDAT_ERR("Error in getting SYSTEM_BRAND_NAME");
}
- //TODO RTC Story 161867
- //Need to remove the hard coding data
- this->iv_hdatIPLParams->iv_sysParms.hdatTpmDrawer = 1;
+ // The next 4 fields are set to their final values in a common handler
+ // in istep 21.1, to avoid trust issues when HDAT is initially populated
+ // by a service processor
+ this->iv_hdatIPLParams->iv_sysParms.hdatSysSecuritySetting = 0;
- TARGETING::ATTR_SECURITY_ENABLE_type l_sysSecuritySetting;
- if(l_pSysTarget->tryGetAttr<TARGETING::ATTR_SECURITY_ENABLE>
- (l_sysSecuritySetting))
- {
- this->iv_hdatIPLParams->iv_sysParms.hdatSysSecuritySetting =
- l_sysSecuritySetting;
- }
- else
- {
- HDAT_ERR("Error in getting SECURITY_ENABLE attribute");
- }
+ this->iv_hdatIPLParams->iv_sysParms.hdatTpmConfBits = 0;
+
+ this->iv_hdatIPLParams->iv_sysParms.hdatTpmDrawer = 0;
- TARGETING::ATTR_TPM_REQUIRED_type l_tpmConfBits;
- if(l_pSysTarget->tryGetAttr<TARGETING::ATTR_TPM_REQUIRED>
- (l_tpmConfBits))
- {
- this->iv_hdatIPLParams->iv_sysParms.hdatTpmConfBits = l_tpmConfBits;
- }
- else
- {
- HDAT_ERR("Error in getting TPM_REQUIRED attribute");
- }
memset(this->iv_hdatIPLParams->iv_sysParms.hdatHwKeyHashValue, 0x00, 64);
memset(this->iv_hdatIPLParams->iv_sysParms.hdatSystemFamily, 0x00, 64);
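Review bot: The zero values written to hdatSysSecuritySetting, hdatTpmConfBits and hdatTpmDrawer double as the "security disabled / no TPM" encoding, so a consumer that reads this section before the istep 21.1 fix-up runs, or on a path where it never runs, cannot tell "not yet populated" from "not secure"; the comment should say so and name the writer that owns the final values. Suggest extending the new comment with `// Zero here means "not yet populated"; populate_hbSecurebootData() (istep 21.1)` and `// is the only writer of the final values.` The hdatHwKeyHashValue memset on the last context line is the fourth of the "4 fields" the comment refers to, which is easy to miss since it sits after the blank line; naming the four fields in the comment would make that explicit.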
diff --git a/src/usr/hdat/hdatiplparms.H b/src/usr/hdat/hdatiplparms.H
index c8117aeb1..bdbfeb5db 100755
--- a/src/usr/hdat/hdatiplparms.H
+++ b/src/usr/hdat/hdatiplparms.H
@@ -5,7 +5,7 @@
/* */
/* OpenPOWER HostBoot Project */
/* */
-/* Contributors Listed Below - COPYRIGHT 2016 */
+/* Contributors Listed Below - COPYRIGHT 2016,2017 */
/* [+] International Business Machines Corp. */
/* */
/* */
@@ -58,7 +58,6 @@ const uint16_t HDAT_IPL_PARAMS_VERSION = 0x5F;
const char HDAT_IPLP_STRUCT_NAME[7] = "IPLPMS";
-
/** @enum hdatDataPtrs
* Constants for the internal data pointers that are added to the base
* class
diff --git a/src/usr/isteps/istep21/call_host_runtime_setup.C b/src/usr/isteps/istep21/call_host_runtime_setup.C
index f32827fbf..4d4a85220 100644
--- a/src/usr/isteps/istep21/call_host_runtime_setup.C
+++ b/src/usr/isteps/istep21/call_host_runtime_setup.C
@@ -74,8 +74,10 @@ void* call_host_runtime_setup (void *io_pArgs)
for(auto l_proc : l_procChips)
{
//Get fabric info from proc
- uint8_t l_fabricChipId = l_proc->getAttr<TARGETING::ATTR_FABRIC_CHIP_ID>();
- uint8_t l_fabricGroupId = l_proc->getAttr<TARGETING::ATTR_FABRIC_GROUP_ID>();
+ uint8_t l_fabricChipId =
+ l_proc->getAttr<TARGETING::ATTR_FABRIC_CHIP_ID>();
+ uint8_t l_fabricGroupId =
+ l_proc->getAttr<TARGETING::ATTR_FABRIC_GROUP_ID>();
//Calculate what bit position this will be
uint8_t l_bitPos = l_fabricChipId + (8 * l_fabricGroupId);
@@ -132,6 +134,15 @@ void* call_host_runtime_setup (void *io_pArgs)
// Fill in Hostboot runtime data if there is a PAYLOAD
if( !(TARGETING::is_no_load()) )
{
+ // API call to fix up the secureboot fields
+ l_err = RUNTIME::populate_hbSecurebootData();
+ if ( l_err )
+ {
+ TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace,
+ "Failed hbSecurebotData setup" );
+ break;
+ }
+
// Fill in Hostboot runtime data for all nodes
// (adjunct partition)
// Write the HB runtime data into mainstore
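Review bot: The trace string in the new error path misspells the function it reports on (`"Failed hbSecurebotData setup"`); it should read `"Failed hbSecurebootData setup"` so the message can be grepped against the function name. When this call fails the `break` leaves the security, TPM and key-hash fields at the placeholder zeros written earlier in the IPL, which a reader of HDAT will interpret as "not secure"; a one-line comment stating that the error is expected to be surfaced by the caller's error handling after the loop would make that consequence visible here. The enclosing function call_host_runtime_setup and the handling after the `break` are outside the hunk, so whether the error is committed cannot be confirmed from this view.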
diff --git a/src/usr/runtime/hdatstructs.H b/src/usr/runtime/hdatstructs.H
index 804f8414e..aee2c8108 100644
--- a/src/usr/runtime/hdatstructs.H
+++ b/src/usr/runtime/hdatstructs.H
@@ -5,7 +5,7 @@
/* */
/* OpenPOWER HostBoot Project */
/* */
-/* Contributors Listed Below - COPYRIGHT 2012,2016 */
+/* Contributors Listed Below - COPYRIGHT 2012,2017 */
/* [+] International Business Machines Corp. */
/* */
/* */
@@ -33,7 +33,6 @@
// offset in mainstore where NACA starts
const uint64_t HDAT_NACA_OFFSET = 0x00004000;
-
/* NOTE: Most of these structures were copied and adapted from the HDAT
component in FipS. They do not need to be kept exactly in sync so long
as this code follows the HDAT specification. */
@@ -255,6 +254,18 @@ struct hdatSysParms_t
uint8_t vTpmEnabled;
uint8_t hdatReserved;
uint16_t hdatDispWheel;
+ uint32_t hdatNestFreq; // Nest Clock Frequency in MHz
+ uint8_t hdatSplitCoreMode; // Split Core Mode
+ uint8_t hdatReserved4; // Reserved
+ uint16_t hdatReserved5; // Reserved
+ uint8_t hdatSystemVendorName[64]; // System Vendor Name
+ uint16_t hdatSysSecuritySetting; // System Security Settings
+ uint16_t hdatTpmConfBits; // TPM Configuration Bits
+ uint16_t hdatTpmDrawer; // TPMs/Drawer
+ uint16_t hdatReserved6; // Reserved
+ uint8_t hdatHwKeyHashValue[64]; // Hardware Keys Hash Value
+ char hdatSystemFamily[64]; // System Family/Vendor Name
+ char hdatSystemType[64]; // System Type/Vendor Type
} __attribute__ ((packed));
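Review bot: The twelve new fields extend a packed structure whose layout is dictated by the HDAT specification (see the NOTE earlier in this file), but nothing pins the resulting size, so a later edit that inserts or reorders a field would silently shift every offset the host reads. A compile-time size check after the closing brace, e.g. `static_assert(sizeof(hdatSysParms_t) == <EXPECTED_SIZE_FROM_HDAT_SPEC>, "hdatSysParms_t layout drift");` with the value taken from the specification, would catch that (if the toolchain predates C++11, the project's existing compile-time assert idiom can be used instead). The string-like fields are declared inconsistently, `uint8_t hdatSystemVendorName[64]` next to `char hdatSystemFamily[64]` and `char hdatSystemType[64]`; picking one type for all three would make their intended use clearer. The start of struct hdatSysParms_t is outside the hunk.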
diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C
index e3eaffdc1..5dbaa5291 100644
--- a/src/usr/runtime/populate_hbruntime.C
+++ b/src/usr/runtime/populate_hbruntime.C
@@ -5,7 +5,7 @@
/* */
/* OpenPOWER HostBoot Project */
/* */
-/* Contributors Listed Below - COPYRIGHT 2016 */
+/* Contributors Listed Below - COPYRIGHT 2016,2017 */
/* [+] International Business Machines Corp. */
/* */
/* */
@@ -49,10 +49,17 @@
#include <targeting/attrrp.H>
#include <sys/mm.h>
#include <util/align.H>
+#include <secureboot/trustedbootif.H>
+#include <secureboot/service.H>
+#include <config.h>
+
namespace RUNTIME
{
+// used for populating the TPM required bit in HDAT
+const uint16_t TPM_REQUIRED_BIT = 0x8000; //leftmost bit of uint16_t set to 1
+
trace_desc_t *g_trac_runtime = NULL;
TRAC_INIT(&g_trac_runtime, RUNTIME_COMP_NAME, KILOBYTE);
@@ -226,6 +233,112 @@ errlHndl_t populate_RtDataByNode(uint64_t iNodeId)
} // end populate_RtDataByNode
+errlHndl_t populate_hbSecurebootData ( void )
+{
+ using namespace TARGETING;
+
+ errlHndl_t l_elog = nullptr;
+
+ do {
+
+ const uint64_t l_instance = 0; // pass 0 since sys parms has only one record
+ uint64_t l_hbrtDataAddr = 0;
+ uint64_t l_hbrtDataSizeMax = 0;
+ l_elog = RUNTIME::get_host_data_section(RUNTIME::IPLPARMS_SYSTEM,
+ l_instance,
+ l_hbrtDataAddr,
+ l_hbrtDataSizeMax);
+ if(l_elog != nullptr)
+ {
+ TRACFCOMP( g_trac_runtime, ERR_MRK "populate_hbSecurebootData: "
+ "get_host_data_section() failed for system IPL parameters section");
+ break;
+ }
+
+ hdatSysParms_t* const l_sysParmsPtr
+ = reinterpret_cast<hdatSysParms_t*>(l_hbrtDataAddr);
+
+ typedef struct sysSecSets
+ {
+ // bit 0: Code Container Digital Signature Checking
+ uint16_t secureboot : 1;
+ // bit 1: Measurements Extended to Secure Boot TPM
+ uint16_t trustedboot : 1;
+ uint16_t reserved : 14;
+ } SysSecSets;
+
+ // populate system security settings in hdat
+ SysSecSets* const l_sysSecSets =
+ reinterpret_cast<SysSecSets*>(&l_sysParmsPtr->hdatSysSecuritySetting);
+
+ // populate secure setting for trusted boot
+ bool trusted = false;
+ #ifdef CONFIG_TPMDD
+ trusted = TRUSTEDBOOT::enabled();
+ #endif
+ l_sysSecSets->trustedboot = trusted? 1: 0;
+
+ // populate secure setting for secureboot
+ bool secure = false;
+ #ifdef CONFIG_SECUREBOOT
+ secure = SECUREBOOT::enabled();
+ #endif
+ l_sysSecSets->secureboot = secure? 1: 0;
+
+ // populate TPM config bits in hdat
+ bool tpmRequired = false;
+ #ifdef CONFIG_TRUSTEDBOOT
+ tpmRequired = TRUSTEDBOOT::isTpmRequired();
+ #endif
+
+ l_sysParmsPtr->hdatTpmConfBits = tpmRequired? TPM_REQUIRED_BIT: 0;
+
+ // find max # of TPMs per drawer and populate hdat with it
+
+ // look for class ENC type NODE and class chip TPM to find TPMs
+ TARGETING::TargetHandleList l_nodeEncList;
+
+ getEncResources(l_nodeEncList, TYPE_NODE, UTIL_FILTER_ALL);
+
+ uint16_t l_maxTpms = 0;
+
+ // loop thru the nodes and check number of TPMs
+ for (TargetHandleList::const_iterator
+ l_node_iter = l_nodeEncList.begin();
+ l_node_iter != l_nodeEncList.end();
+ ++l_node_iter)
+ {
+ // for this Node, get a list of tpms
+ TARGETING::TargetHandleList l_tpmChipList;
+
+ getChildAffinityTargets ( l_tpmChipList, *l_node_iter,
+ TARGETING::CLASS_CHIP, TYPE_TPM, false );
+
+ size_t l_numTpms = l_tpmChipList.size();
+
+ if (l_numTpms > l_maxTpms)
+ {
+ l_maxTpms = static_cast<uint16_t>(l_numTpms);
+ }
+ }
+
+ l_sysParmsPtr->hdatTpmDrawer = l_maxTpms;
+ TRACFCOMP(g_trac_runtime,"Max TPMs = 0x%04X", l_maxTpms);
+
+ // populate hw key hash in hdat
+ #ifdef CONFIG_SECUREBOOT
+ auto hash = l_sysParmsPtr->hdatHwKeyHashValue;
+ SECUREBOOT::getHwKeyHash(hash);
+ #else
+ memset(l_sysParmsPtr->hdatHwKeyHashValue,0,
+ sizeof(l_sysParmsPtr->hdatHwKeyHashValue));
+ #endif
+
+ } while(0);
+
+ return (l_elog);
+} // end populate_hbRuntiome
+
errlHndl_t populate_hbRuntimeData( void )
{
errlHndl_t l_elog = NULL;
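Review bot: Writing hdatSysSecuritySetting through a `reinterpret_cast` to the local `SysSecSets` bitfield struct makes the bit positions depend on the compiler's bitfield allocation order, and it leaves the 14 reserved bits at whatever the section already held, which runs against the purpose of this function, namely not trusting the values HDAT was initially populated with. The hdatTpmConfBits assignment a few lines further down already uses an explicit mask (`TPM_REQUIRED_BIT`), and the security-settings word should be written the same way as one whole value built from named masks, as in the excerpt below, assuming the HDAT bit numbering follows the same "leftmost bit is bit 0" convention noted on `TPM_REQUIRED_BIT`. The trusted-boot flag is read under `#ifdef CONFIG_TPMDD` while `isTpmRequired()` is read under `#ifdef CONFIG_TRUSTEDBOOT`; if those two configs can be set independently, the trustedboot bit and the TPM-required bit can disagree, so the same guard should probably be used for both. The closing comment `} // end populate_hbRuntiome` names the wrong function and should read `} // end populate_hbSecurebootData`.
```cpp
    // System Security Settings word, written in full so the reserved bits
    // are explicitly zeroed rather than inherited from the initial populator.
    // Bit numbering follows the TPM_REQUIRED_BIT convention (bit 0 = 0x8000).
    const uint16_t SECUREBOOT_ENABLED_BIT  = 0x8000; // bit 0: signature checking
    const uint16_t TRUSTEDBOOT_ENABLED_BIT = 0x4000; // bit 1: measurements to TPM

    // … unchanged: trusted / secure determination under the CONFIG_* guards …

    l_sysParmsPtr->hdatSysSecuritySetting = static_cast<uint16_t>(
        (secure  ? SECUREBOOT_ENABLED_BIT  : 0) |
        (trusted ? TRUSTEDBOOT_ENABLED_BIT : 0));
```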