From da8911ce095aa7d18231c9d344dc978dae7cf984 Mon Sep 17 00:00:00 2001 From: Ilya Smirnov Date: Mon, 19 Mar 2018 17:12:32 -0500 Subject: Secure Boot: Support Phyp debug flag in HDAT PHYP needs a way to know if SBE security backdoor is enabled for debug purposes. This change creates a flag in TPM instance data structure to indicate whether the backdoor is enabled. This flag is passed by SBE to the hb bootloader; also added the flag to indicate whether PCR is poisoned (default of 0). The population of this flag will be implemented on Fleetwood. Change-Id: I22305dbc9651134ba7dfe3b0bd3c760fe53c2c85 RTC: 188961 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/56045 Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Tested-by: FSP CI Jenkins Reviewed-by: Nicholas E. Bofferding Reviewed-by: Michael Baiocchi CI-Ready: Daniel M. Crowell Reviewed-by: Daniel M. Crowell --- src/usr/runtime/populate_hbruntime.C | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'src/usr/runtime') diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C index 1f59a8d43..1554633ae 100644 --- a/src/usr/runtime/populate_hbruntime.C +++ b/src/usr/runtime/populate_hbruntime.C @@ -1430,7 +1430,11 @@ errlHndl_t populate_hbSecurebootData ( void ) uint16_t secureboot : 1; // bit 1: Measurements Extended to Secure Boot TPM uint16_t trustedboot : 1; - uint16_t reserved : 14; + // bit 2: SBE Security Backdoor bit. + // NOTE: This bit is labeled "Platform Security Overrides Allowed" + // in the section 6.1.1 of HDAT spec. + uint16_t sbeSecBackdoor : 1; + uint16_t reserved : 13; } SysSecSets; // populate system security settings in hdat 
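Review bot: The new `sbeSecBackdoor` field in `SysSecSets` is documented only as "SBE Security Backdoor bit", so the polarity a consumer should rely on is not stated at the definition. Going by the commit message, a set bit presumably means the backdoor is enabled, and I would spell that out, e.g. `// bit 2: SBE Security Backdoor bit (1 = backdoor enabled, 0 = disabled)`. The struct appears to be overlaid on a 16-bit HDAT field, and the `reserved` width is adjusted by hand each time a bit is added. A `static_assert(sizeof(SysSecSets) == sizeof(uint16_t), "HDAT security settings must stay 16 bits");` after the definition would catch a miscounted width in a later edit. The struct definition starts above the hunk.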
@@ -1451,6 +1455,9 @@ errlHndl_t populate_hbSecurebootData ( void ) #endif l_sysSecSets->secureboot = secure? 1: 0; + // populate security override setting + l_sysSecSets->sbeSecBackdoor = SECUREBOOT::getSbeSecurityBackdoor(); + // populate TPM config bits in hdat bool tpmRequired = false; #ifdef CONFIG_TPMDD @@ -1768,6 +1775,9 @@ errlHndl_t populate_TpmInfoByNode(const uint64_t i_instance) l_tpmInstInfo->hdatFunctionalStatus = HDAT::TpmNonPresent; } + // Set TPM configuration flag + l_tpmInstInfo->hdatTpmConfigFlags.pcrPoisonedFlag = 0; + // advance the current offset to account for this tpm instance info l_currOffset += sizeof(*l_tpmInstInfo); -- cgit v1.2.3
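Review bot: The assignment to `l_sysSecSets->sbeSecBackdoor` stores the return value of `SECUREBOOT::getSbeSecurityBackdoor()` directly into a 1-bit field, unlike the `secure? 1: 0` normalisation used for `secureboot` just above it. The getter's return type is not visible in this hunk. If it is wider than `bool`, only the low bit survives, and a non-zero "enabled" value with bit 0 clear would be reported to PHYP as disabled. Writing `l_sysSecSets->sbeSecBackdoor = SECUREBOOT::getSbeSecurityBackdoor() ? 1 : 0;` keeps the two settings consistent and makes the reported state independent of the getter's type. The body of populate_hbSecurebootData continues outside the hunk.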
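Review bot: `pcrPoisonedFlag` is hard-coded to 0 under the generic comment "Set TPM configuration flag", so every TPM instance is reported as not poisoned whatever its real state, and nothing at the assignment marks this as a placeholder. The commit message says the real population comes later, and I would record that in the code, e.g. `// TODO RTC:<tracking-id>: pcrPoisonedFlag is a placeholder (always 0) until the PCR-poisoned state is plumbed through`. Whether the remaining bits of `hdatTpmConfigFlags` are zeroed before this point is not visible in the hunk and is worth confirming, since the structure is handed to PHYP. The body of populate_TpmInfoByNode starts and ends outside the hunk.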