From 94eff06a67f84e9eb0f2189efd7a0b47029fd154 Mon Sep 17 00:00:00 2001
From: Mike Baiocchi <mbaiocch@us.ibm.com>
Date: Thu, 18 May 2017 17:12:26 -0500
Subject: Disable Attribute Overrides in Secure Mode

This commit disables attribute overrides during the IPL and at Runtime
when the system has security enabled.

Change-Id: Ia56b11fc1450c8e11be27c90c0de179038273873
RTC: 163094
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/40735
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
---
 src/usr/secureboot/runtime/rt_secureboot.C | 52 ++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

(limited to 'src/usr/secureboot/runtime/rt_secureboot.C')

diff --git a/src/usr/secureboot/runtime/rt_secureboot.C b/src/usr/secureboot/runtime/rt_secureboot.C
index 3b7626553..1c84c2bf1 100644
--- a/src/usr/secureboot/runtime/rt_secureboot.C
+++ b/src/usr/secureboot/runtime/rt_secureboot.C
@@ -32,9 +32,60 @@
 #include <config.h>
 
 #include "common/securetrace.H"
+#include <secureboot/service.H>
+#include <secureboot/secure_reasoncodes.H>
+
+#include <errl/errlmanager.H>
+#include <runtime/rt_targeting.H>
+#include <targeting/common/commontargeting.H>
+#include <targeting/common/targetservice.H>
+#include <devicefw/userif.H>
+
 
 namespace SECUREBOOT
 {
+using namespace TARGETING;
+
+#if defined(CONFIG_SECUREBOOT) && defined(__HOSTBOOT_RUNTIME)
+bool enabled()
+{
+    errlHndl_t l_errl = nullptr;
+    uint64_t l_regValue = 0;
+    size_t l_size = sizeof(l_regValue);
+
+    TargetService& tS = targetService();
+    Target* masterProcChipTargetHandle = nullptr;
+
+    do
+    {
+        l_errl = tS.queryMasterProcChipTargetHandle(
+                                            masterProcChipTargetHandle);
+
+        if (l_errl)
+        {
+            errlCommit(l_errl, SECURE_COMP_ID);
+            break;
+        }
+
+        l_errl = deviceRead(masterProcChipTargetHandle,
+                        &l_regValue, l_size,
+                        DEVICE_SCOM_ADDRESS(
+                          static_cast<uint64_t>(ProcSecurity::SwitchRegister)));
+        if (l_errl)
+        {
+            errlCommit(l_errl, SECURE_COMP_ID);
+            break;
+        }
+
+        assert(l_size == sizeof(l_regValue));
+    } while (0);
+
+    // if there was an error l_regValue is zero, so we return false.
+    // Unfortunately this is all we can do. These shouldn't fail.
+
+    return l_regValue & static_cast<uint64_t>(ProcSecurity::SabBit);
+}
+#endif
 
 int verify_container(
     const void*  i_pContainer,
@@ -59,6 +110,7 @@ int verify_container(
     return rc;
 }
 
+
 struct registerSecurebootRt
 {
     registerSecurebootRt()
-- 
cgit v1.2.3