summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/include/usr/secureboot/secure_reasoncodes.H2
-rw-r--r--src/include/usr/secureboot/service_ext.H40
-rw-r--r--src/usr/isteps/istep18/establish_system_smp.C6
-rw-r--r--src/usr/secureboot/ext/makefile18
-rw-r--r--src/usr/secureboot/ext/service_ext.C105
5 files changed, 170 insertions, 1 deletions
diff --git a/src/include/usr/secureboot/secure_reasoncodes.H b/src/include/usr/secureboot/secure_reasoncodes.H
index c584ed107..8b18b9a5e 100644
--- a/src/include/usr/secureboot/secure_reasoncodes.H
+++ b/src/include/usr/secureboot/secure_reasoncodes.H
@@ -48,6 +48,7 @@ namespace SECUREBOOT
MOD_SECURE_GET_ALL_SEC_REGS = 0x0E,
MOD_SECURE_LOAD_HEADER = 0x0F,
MOD_SECURE_VALIDATE_ECID_COUNT = 0x10,
+ MOD_LOCK_ABUS_SEC_MAILBOXES = 0x11,
// Use 0x20-0x2F range for Node Communications
MOD_NCDD_CHECK_FOR_ERRORS = 0x20,
@@ -80,6 +81,7 @@ namespace SECUREBOOT
RC_DEVICE_READ_ERR = SECURE_COMP_ID | 0x11,
RC_INVALID_BASE_HEADER = SECURE_COMP_ID | 0x12,
RC_INVALID_ECID_COUNT = SECURE_COMP_ID | 0x13,
+ RC_LOCK_MAILBOXES_FAILED = SECURE_COMP_ID | 0x14,
// Use 0x20-0x2F range for Node Communications
RC_NCDD_HW_ERROR_FOUND = SECURE_COMP_ID | 0x20,
diff --git a/src/include/usr/secureboot/service_ext.H b/src/include/usr/secureboot/service_ext.H
new file mode 100644
index 000000000..4be08d52f
--- /dev/null
+++ b/src/include/usr/secureboot/service_ext.H
@@ -0,0 +1,40 @@
+/* IBM_PROLOG_BEGIN_TAG */
+/* This is an automatically generated prolog. */
+/* */
+/* $Source: src/include/usr/secureboot/service_ext.H $ */
+/* */
+/* OpenPOWER HostBoot Project */
+/* */
+/* Contributors Listed Below - COPYRIGHT 2018 */
+/* [+] International Business Machines Corp. */
+/* */
+/* */
+/* Licensed under the Apache License, Version 2.0 (the "License"); */
+/* you may not use this file except in compliance with the License. */
+/* You may obtain a copy of the License at */
+/* */
+/* http://www.apache.org/licenses/LICENSE-2.0 */
+/* */
+/* Unless required by applicable law or agreed to in writing, software */
+/* distributed under the License is distributed on an "AS IS" BASIS, */
+/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */
+/* implied. See the License for the specific language governing */
+/* permissions and limitations under the License. */
+/* */
+/* IBM_PROLOG_END_TAG */
+#ifndef __SERVICE_EXT_H
+#define __SERVICE_EXT_H
+
+#include <errl/errlentry.H>
+
+namespace SECUREBOOT
+{
+ /*
+ * @brief Calls p9_update_security_ctrl HWP to lock down the Abus secure
+ * mailboxes on all functional processors. All errors are committed
+ * internally.
+ */
+ void lockAbusSecMailboxes();
+
+} // namespace SECUREBOOT
+#endif
diff --git a/src/usr/isteps/istep18/establish_system_smp.C b/src/usr/isteps/istep18/establish_system_smp.C
index c5e4aab2d..a912bfcab 100644
--- a/src/usr/isteps/istep18/establish_system_smp.C
+++ b/src/usr/isteps/istep18/establish_system_smp.C
@@ -82,6 +82,8 @@
#include "establish_system_smp.H"
+#include <secureboot/service_ext.H>
+
namespace ESTABLISH_SYSTEM_SMP
{
@@ -537,6 +539,10 @@ void *host_sys_fab_iovalid_processing(void* io_ptr )
sys->setAttr<TARGETING::ATTR_HB_EXISTING_IMAGE>(hb_existing_image);
+#ifdef CONFIG_TPMDD
+ SECUREBOOT::lockAbusSecMailboxes();
+#endif
+
// after agreement, open a-busses as required
// @TODO RTC:187337 -- HB doesn't have the knowledge of attributes that
// p9_fab_iovalid requires at the moment. Currently, this is being called
diff --git a/src/usr/secureboot/ext/makefile b/src/usr/secureboot/ext/makefile
index 952a8cc56..9b5adeaf7 100644
--- a/src/usr/secureboot/ext/makefile
+++ b/src/usr/secureboot/ext/makefile
@@ -5,7 +5,7 @@
#
# OpenPOWER HostBoot Project
#
-# Contributors Listed Below - COPYRIGHT 2013,2017
+# Contributors Listed Below - COPYRIGHT 2013,2018
# [+] International Business Machines Corp.
#
#
@@ -26,7 +26,23 @@ ROOTPATH = ../../../..
MODULE = secureboot_ext
SUBDIRS +=
+PERV_HWP_PATH = $(ROOTPATH)/src/import/chips/p9/procedures/hwp/perv
+
OBJS += $(if $(CONFIG_DRTM),drtm.o)
+OBJS += $(if $(CONFIG_SECUREBOOT), service_ext.o)
+
+VPATH += $(PERV_HWP_PATH)
+
+EXTRAINCDIR += $(ROOTPATH)/src/include/usr
+EXTRAINCDIR += $(ROOTPATH)/src/include/usr/fapi2/
+EXTRAINCDIR += $(ROOTPATH)/src/import/hwpf/fapi2/include
+EXTRAINCDIR += $(ROOTPATH)/src/import/chips/common/utils/imageProcs
+EXTRAINCDIR += $(ROOTPATH)/src/import/chips/p9/procedures/hwp/ffdc
+EXTRAINCDIR += $(PERV_HWP_PATH)
+
+#Include HWP procedure makefiles
+include $(ROOTPATH)/procedure.rules.mk
+include $(PERV_HWP_PATH)/p9_update_security_ctrl.mk
CFLAGS += -iquote ../
include ${ROOTPATH}/config.mk
diff --git a/src/usr/secureboot/ext/service_ext.C b/src/usr/secureboot/ext/service_ext.C
new file mode 100644
index 000000000..1f8595a71
--- /dev/null
+++ b/src/usr/secureboot/ext/service_ext.C
@@ -0,0 +1,105 @@
+/* IBM_PROLOG_BEGIN_TAG */
+/* This is an automatically generated prolog. */
+/* */
+/* $Source: src/usr/secureboot/ext/service_ext.C $ */
+/* */
+/* OpenPOWER HostBoot Project */
+/* */
+/* Contributors Listed Below - COPYRIGHT 2018 */
+/* [+] International Business Machines Corp. */
+/* */
+/* */
+/* Licensed under the Apache License, Version 2.0 (the "License"); */
+/* you may not use this file except in compliance with the License. */
+/* You may obtain a copy of the License at */
+/* */
+/* http://www.apache.org/licenses/LICENSE-2.0 */
+/* */
+/* Unless required by applicable law or agreed to in writing, software */
+/* distributed under the License is distributed on an "AS IS" BASIS, */
+/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */
+/* implied. See the License for the specific language governing */
+/* permissions and limitations under the License. */
+/* */
+/* IBM_PROLOG_END_TAG */
+#include <secureboot/service_ext.H>
+#include <targeting/common/util.H>
+#include <targeting/common/target.H>
+#include <errl/errlentry.H>
+#include <errl/errlmanager.H>
+#include <errl/errludtarget.H>
+#include <secureboot/secure_reasoncodes.H>
+
+#include "../common/securetrace.H"
+
+#include <fapi2.H>
+#include <fapi2/plat_hwp_invoker.H>
+
+#include <p9_update_security_ctrl.H>
+#include <config.h>
+
+namespace SECUREBOOT
+{
+
+void lockAbusSecMailboxes()
+{
+#ifdef CONFIG_TPMDD
+ errlHndl_t l_errl = nullptr;
+ TARGETING::TargetHandleList l_procs;
+ getAllChips(l_procs, TARGETING::TYPE_PROC, true);
+
+ auto l_pProc = l_procs.begin();
+ while(l_pProc != l_procs.end())
+ {
+ const fapi2::Target<fapi2::TARGET_TYPE_PROC_CHIP>l_fapiProc(*l_pProc);
+ FAPI_INVOKE_HWP(l_errl,
+ p9_update_security_ctrl,
+ l_fapiProc,
+ false, // do not force security
+ true); // lock down Abus mailboxes
+
+ if(l_errl)
+ {
+ SB_ERR("lockAbusSecMailboxes: p9_update_security_ctrl failed for"
+ " proc 0x%X!. Deconfiguring the proc.",
+ TARGETING::get_huid(*l_pProc));
+
+ auto l_plid = l_errl->plid();
+
+ ERRORLOG::ErrlUserDetailsTarget(*l_pProc).addToLog(l_errl);
+ ERRORLOG::errlCommit(l_errl, SECURE_COMP_ID);
+
+ /*
+ * @errortype
+ * @reasoncode RC_LOCK_MAILBOXES_FAILED
+ * @moduleid MOD_LOCK_ABUS_SEC_MAILBOXES
+ * @userdata1 Target HUID
+ * @devdesc Failed to lock Abus secure mailboxes
+ * on target processor.
+ * @custdesc Secure Boot failure
+ */
+ l_errl = new ERRORLOG::ErrlEntry(ERRORLOG::ERRL_SEV_UNRECOVERABLE,
+ SECUREBOOT::MOD_LOCK_ABUS_SEC_MAILBOXES,
+ SECUREBOOT::RC_LOCK_MAILBOXES_FAILED,
+ TARGETING::get_huid(*l_pProc),
+ 0,
+ true);
+ l_errl->addHwCallout(*l_pProc,
+ HWAS::SRCI_PRIORITY_LOW,
+ HWAS::DELAYED_DECONFIG,
+ HWAS::GARD_NULL);
+ l_errl->collectTrace(SECURE_COMP_NAME);
+ l_errl->collectTrace(FAPI_TRACE_NAME);
+ l_errl->plid(l_plid);
+ ERRORLOG::ErrlUserDetailsTarget(*l_pProc).addToLog(l_errl);
+
+ ERRORLOG::errlCommit(l_errl, SECURE_COMP_ID);
+ }
+
+ ++l_pProc;
+
+ } // while
+#endif
+}
+
+} // namespace SECUREBOOT
OpenPOWER on IntegriCloud