summaryrefslogtreecommitdiffstats
path: root/src/usr/secureboot/base/settings.C
Commit message (Collapse)AuthorAgeFilesLines
* Automatically include config.hDan Crowell2019-12-061-2/+1
| | | | | | | | | | | | | | | | | | Rather than having to remember to include config.h anywhere we reference a CONFIG variable (and usually forgetting), this adds it to the default compiler flags so that it gets included in every source file we build. Change-Id: I53622ab4d46c55d942e98cae6ec03049fd5b3d08 Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/87475 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Zachary Clark <zach@ibm.com> Reviewed-by: Roland Veloz <rveloz@us.ibm.com> Reviewed-by: Christian R Geddes <crgeddes@us.ibm.com> Reviewed-by: Nicholas E Bofferding <bofferdn@us.ibm.com>
* Display Secure Mode Console Trace During BootIlya Smirnov2018-07-121-2/+8
| | | | | | | | | | | | | | This change adds a trace to explicitly state the status of secure mode on the system. A message indicating the state of secure mode will be displayed on console early in the boot. Change-Id: Ie36249695a56838879d47a9de300ad58cd7b8feb CQ: SW424336 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/62305 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* Convert asserts to error logs where it makes senseStephen Cprek2017-12-201-9/+74
| | | | | | | | | | | | | | Change-Id: Idd15e39cc6be44c0865f13503bfa4482d77fcf0d RTC:181899 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/51042 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Martin Gloff <mgloff@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* Remove Secure Boot workaroundsStephen Cprek2017-12-181-20/+0
| | | | | | | | | | | | | | | | | | | | | | | - Removing the magic number checks that would block sb functionality if things didn't appear secure - Remove Best Effort Policy and all of its related code - Remove the legacy PCR extension - Remove the non-secure header preservation path. - Always load HB base image header from the bl to hb data path vs settings unsecurely out of pnor Change-Id: Ie638384ac50ed47850985c959ea7a32e5757d64e RTC: 178520 RTC: 155374 RTC: 173489 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49925 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* Create better anti-deadlock strategy for vfsJaymes Wilks2017-12-121-2/+2
| | | | | | | | | | | | | | | | | | | | Addresses situations in the error paths of vfs resource provider where the handler may deadlock. As a precautionary measure, the same change was applied to secure PNOR resource provider just in case a new deadlock scenario gets introduced through future code changes. Change-Id: I1bda8c28ad9a3a1758cd6b8ae2e35f67c3e0572c RTC:176134 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/50068 Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* Refactor SecureBoot Workarounds to better control leniencyStephen Cprek2017-08-251-1/+20
| | | | | | | | | | | | | | | | | | At this time we are trying to secure OpenPOWER in secure mode, but allow best effort policies in other scenarios Change-Id: I9ec2b5be49dbfcff678c4d30bb85f8762e448cb6 RTC: 170136 RTC: 155374 RTC: 168021 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/43640 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* Add Security Settings User Details to Error LogsStephen Cprek2017-07-101-1/+3
| | | | | | | | | | | | | Change-Id: Ife4a19ea7f94670143b701f740c80f991f924601 RTC:165693 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/41904 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* Add SECUREBOOT::enabled() state to printkMike Baiocchi2017-06-191-2/+4
| | | | | | | | | | | | | | | | This commit traces the setting of SECUREBOOT::enabled() to the kernel printk buffer for debug purposes. It also updates a trace to display the register value at the end. Change-Id: I3b9abe54b86e4a8c2399c09074bd41f2f7ae1c8b Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/41977 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* Remove error generated when not in secure modeNick Bofferding2017-05-231-57/+17
| | | | | | | | | | | | | Change-Id: Ica80df3ac61e0f32755ba51544717e6ee1d5f67f CQ: SW389129 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/40824 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* Enforce synchronized processor security stateJaymes Wilks2017-05-101-17/+104
| | | | | | | | | | | | | | | Ensure the secure state is consistent across all processors. Change-Id: I671253b99d5d87509909681a2cec2380ca6918b0 RTC:167775 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/38764 Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* Trace Processor Security Registers; add them to Secure Error LogsMike Baiocchi2017-03-151-5/+0
| | | | | | | | | | | | | | | | This commit adds a trace of the Security Switch and CBS Control/Status registers for all processors in the system. These registers are also captured for Security-specific error logs. Change-Id: I245815c720725a9aaf15a3cbad9a50b3288fc1f9 RTC:165205 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/37290 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* Support DRTM RIT protectionNick Bofferding2017-03-031-0/+135
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Added mailbox scratch register 7 definition - Added DRTM functions - Added set/clear security switch register functions - Added additional security switch bit definitions - Added secureboot extended library to host DRTM functions - Inhibited TPM start command in DRTM flow - Added new config options for DRTM and DRTM RIT protection - Added new DRTM attribute to indicate if DRTM is active - Added new DRTM attribute to hold DRTM payload address - Added new DRTM attribute to initiate DRTM in lieu of loading payload - Updated target service init to determine DRTM settings - Updated host start payload step to initiate DRTM if conditions are met - Updated host MPIPL service to verify DRTM payload and clean up DRTM HW state - Updated host gard step to verify DRTM HW state - Rerouted PCR extensions to PCR 17 in DRTM boot - Use locality 2 for all PCR extensions in DRTM boot - Inhibit extension logging (for now) in DRTM boot - Only extend seperator to PCR 17 in DRTM boot Change-Id: Id52c36c3a64ca002571396d605caa308d9dc0199 RTC: 157140 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/35633 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Timothy R. Block <block@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* Invert polarity of secure jumper bitNick Bofferding2017-02-071-2/+6
| | | | | | | | | | | | Change-Id: I58b67d83225bd72a25b275cca61845719dfb1245 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/35803 Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* Generalize secure boot settings for all processorsJaymes Wilks2017-01-301-27/+118
| | | | | | | | | | | | | | | Adds the ability to specify which processor target user code is interested in when querying secure boot settings. Change-Id: I0375af03ce8f4e33029736ff2e2d60416629a295 RTC:161916 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/32556 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* port p8 secureboot settings code to p9Jaymes Wilks2017-01-051-19/+47
| | | | | | | | | | | | | | | | Update the p9 branch to handle the secure settings states as per p8 code but with the new updated p9 constant values. Remove caching of register values. Change-Id: I0a29ce0103a8f9b60b421a4bb625f12adcd916f8 RTC:161916 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/32490 Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
* Extend basic config entries to TPMChris Engel2016-05-131-1/+8
| | | | | | | | | | | | Change-Id: I17c215c3120782d022ade0ac8343934c64e2e13e Original-Change-Id: I92e2c7758ebac2912caa9f449c3531c584487bd5 FowardPort: yes Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/22002 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/24481 Tested-by: Jenkins Server Tested-by: FSP CI Jenkins Reviewed-by: Christopher J. Engel <cjengel@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
* Change copyright prolog for all files to Apache.Patrick Williams2014-05-211-10/+10
| | | | | | | Change-Id: I5664587b4f889099290ef50d50fa9ce5e580e1eb Reviewed-on: http://gfw160.aus.stglabs.ibm.com:8080/gerrit/11167 Tested-by: Jenkins Server Reviewed-by: A. Patrick Williams III <iawillia@us.ibm.com>
* Remove leftover fixme/todo and update error calloutsDan Crowell2014-01-101-2/+2
| | | | | | | | | | | | | | | | Remove all untagged fixme/todo comments Adde new parm to error log constructor to avoid extra code in common software error case Update error callouts Add strncpy Change-Id: I8bd8f48193a96b79db91ed35c4fd485e6da38dba RTC: 67921 Reviewed-on: http://gfw160.aus.stglabs.ibm.com:8080/gerrit/7921 Tested-by: Jenkins Server Reviewed-by: Michael Baiocchi <baiocchi@us.ibm.com> Reviewed-by: Brian H. Horton <brianh@linux.ibm.com> Reviewed-by: A. Patrick Williams III <iawillia@us.ibm.com>
* Base Support for Secure ROM verificationMike Baiocchi2013-07-081-0/+5
| | | | | | | | | | | | This change adds the basic structure needed to call and implement a verifcation of a signed container via the loaded/initliaized Secure ROM device. Change-Id: Ieada4eb0b557fc556cd12647a698bbfa16aba278 RTC:64764 Reviewed-on: http://gfw160.austin.ibm.com:8080/gerrit/4958 Tested-by: Jenkins Server Reviewed-by: A. Patrick Williams III <iawillia@us.ibm.com>
* Secureboot memory layout support.Patrick Williams2013-06-141-0/+52
* Start kernel in 1/4 cache mode per Secureboot. * Copy Secureboot header for base image for later use. * Blind-purge bottom half of cache. * Add bottom of cache into memory maps for 1/2 cache mode. RTC: 64762 Change-Id: I1b45f30a2d45c9709d4fd486cfe0ca2ce86b051c Reviewed-on: http://gfw160.austin.ibm.com:8080/gerrit/3773 Reviewed-by: Michael Baiocchi <baiocchi@us.ibm.com> Tested-by: Jenkins Server Reviewed-by: ADAM R. MUHLE <armuhle@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com> Reviewed-by: A. Patrick Williams III <iawillia@us.ibm.com>
OpenPOWER on IntegriCloud