From 4102b64a509331d327d931bf8bad612bd1d97c76 Mon Sep 17 00:00:00 2001 From: Chris Engel Date: Wed, 28 Sep 2016 11:15:39 -0500 Subject: Support for TPM Required IPMI sensor Change-Id: Ib34f9ff272840fcd04e407a07c2e6e8c2bb7f603 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/30953 Tested-by: Jenkins Server Tested-by: FSP CI Jenkins Reviewed-by: Nicholas E. Bofferding Reviewed-by: William G. Hoffa --- src/usr/secureboot/trusted/trustedboot.C | 66 +++++++++++++++++++++++++------- 1 file changed, 53 insertions(+), 13 deletions(-) (limited to 'src/usr/secureboot') diff --git a/src/usr/secureboot/trusted/trustedboot.C b/src/usr/secureboot/trusted/trustedboot.C index e3e0d6c10..566cad335 100644 --- a/src/usr/secureboot/trusted/trustedboot.C +++ b/src/usr/secureboot/trusted/trustedboot.C @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include @@ -45,6 +46,8 @@ #include #include #include +#include +#include #include "trustedboot.H" #include "trustedTypes.H" #include "trustedbootCmds.H" @@ -698,7 +701,8 @@ void tpmVerifyFunctionalTpmExists() "NO FUNCTIONAL TPM FOUND"); // Check to ensure jumper indicates we are running secure - if (SECUREBOOT::getJumperState()) + if (false) /// @todo Story 161916 Change to call getJumperState + // if (SECUREBOOT::getJumperState()) { /*@ * @errortype @@ -720,18 +724,8 @@ void tpmVerifyFunctionalTpmExists() // Log this failure here errlCommit(err, SECURE_COMP_ID); -#if 0 - // Code for early release - // Only terminate in manufacturing mode - // Get manufacturing mode flags - TARGETING::Target* pTopLevel = NULL; - TARGETING::targetService().getTopLevelTarget(pTopLevel); - TARGETING::ATTR_MNFG_FLAGS_type mnfgFlags = - pTopLevel->getAttr(); - if (mnfgFlags & TARGETING::MNFG_FLAG_SRC_TERM) -#else + if (isTpmRequired()) -#endif { // terminating the IPL with this fail 
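Review bot: The `if (false)` that replaces `SECUREBOOT::getJumperState()` in tpmVerifyFunctionalTpmExists() (hunk `@@ -698,7 +701,8 @@`) turns the whole no-functional-TPM branch into dead code, so no error log is created when no working TPM is found. If the `if (isTpmRequired())` termination check in the following hunk is nested inside that branch, as the context suggests, the sensor logic this commit adds can never stop the IPL; the function body extends beyond both hunks, so this needs confirming against the full file. Neither the subject line nor the `@todo` says that enforcement is being switched off, which is easy to miss in a secure-boot path. I would say so in a plain comment, e.g. `// @todo Story 161916: jumper check disabled, a missing TPM is NOT enforced until getJumperState is restored`, and drop the commented-out `if` line.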
@@ -889,7 +883,53 @@ bool isTpmRequired() TARGETING::ATTR_TPM_REQUIRED_type tpmRequired = pTopLevel->getAttr(); - retVal = tpmRequired; + + // TPM Required is on in the attributes, now let's check the BMC sensor + if (tpmRequired) + { +#ifdef CONFIG_BMC_IPMI + uint32_t sensorNum = TARGETING::UTIL::getSensorNumber(pTopLevel, + TARGETING::SENSOR_NAME_TPM_REQUIRED); + // VALID IPMI sensors are 0-0xFE + if (TARGETING::UTIL::INVALID_IPMI_SENSOR != sensorNum) + { + // Check if TPM is required by BMC + SENSOR::getSensorReadingData tpmRequiredData; + SENSOR::SensorBase tpmRequired(TARGETING::SENSOR_NAME_TPM_REQUIRED, + pTopLevel); + errlHndl_t err = tpmRequired.readSensorData(tpmRequiredData); + if (NULL == err) + { + // 0x02 == Asserted bit (TPM is required) + if ((tpmRequiredData.event_status & + (1 << SENSOR::ASSERTED)) == + (1 << SENSOR::ASSERTED)) + { + retVal = true; + } + } + else + { + // error reading sensor, assume TPM is required + TRACFCOMP( g_trac_trustedboot, + "Unable to read Tpm Required Sensor : rc = 0x%04X", + err->reasonCode()); + delete err; + err = NULL; + retVal = true; + } + } + else + { + // Sensor not supported so assume TPM required + retVal = true; + } +#else + // IPMI support not there, assume true + retVal = true; +#endif + } + TRACFCOMP( g_trac_trustedboot, "Tpm Required: %s",(retVal ? "Yes" : "No")); -- cgit v1.2.3
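Review bot: In isTpmRequired() the sensor-read failure path does `delete err; err = NULL;`, so an unreadable BMC sensor leaves only a trace line and no error log, even though the code is falling back to a default for a security policy input. Committing the log instead, `errlCommit(err, SECURE_COMP_ID);` (possibly after lowering its severity), would keep the failure visible to service and audit. The only path that returns "not required" while the attribute is set is a successful read with the asserted bit clear, and it relies on `retVal`'s initial value, which is declared outside this hunk. A comment such as `// sensor de-asserted: BMC setting overrides the TPM Required attribute` would record that the BMC is trusted to relax the policy. The local `SENSOR::SensorBase tpmRequired` also shadows the outer `tpmRequired` attribute value tested by the enclosing `if`; a name like `tpmRequiredSensor` avoids the confusion.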