From c7384e829f3dec35cbdf3a18dba432c8fcd1c069 Mon Sep 17 00:00:00 2001
From: Ilya Smirnov
Date: Tue, 29 May 2018 15:16:28 -0500
Subject: Secure Boot: Support API to fence off all node processors' secure mailboxes

This change imlpements the logic to lock down the Abus secure mailboxes prior to starting PHyp. The lock down is perormed as part of secure node communication in istep 18

Change-Id: I4bc678ce7844290a7229b605406d5d3c689a0c6c
RTC: 191005
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/59692
Reviewed-by: Michael Baiocchi
Tested-by: Jenkins Server
Tested-by: Jenkins OP Build CI
Tested-by: Jenkins OP HW
Tested-by: FSP CI Jenkins
Reviewed-by: Daniel M. Crowell
---
 src/usr/secureboot/ext/makefile | 18 +++++-
 src/usr/secureboot/ext/service_ext.C | 105 +++++++++++++++++++++++++++++++++++
 2 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 src/usr/secureboot/ext/service_ext.C

(limited to 'src/usr/secureboot')

diff --git a/src/usr/secureboot/ext/makefile b/src/usr/secureboot/ext/makefile
index 952a8cc56..9b5adeaf7 100644
--- a/src/usr/secureboot/ext/makefile
+++ b/src/usr/secureboot/ext/makefile
@@ -5,7 +5,7 @@
 #
 # OpenPOWER HostBoot Project
 #
-# Contributors Listed Below - COPYRIGHT 2013,2017
+# Contributors Listed Below - COPYRIGHT 2013,2018
 # [+] International Business Machines Corp.
 #
 #
@@ -26,7 +26,23 @@ ROOTPATH = ../../../.. MODULE = secureboot_ext SUBDIRS += +PERV_HWP_PATH = $(ROOTPATH)/src/import/chips/p9/procedures/hwp/perv + OBJS += $(if $(CONFIG_DRTM),drtm.o) +OBJS += $(if $(CONFIG_SECUREBOOT), service_ext.o) + +VPATH += $(PERV_HWP_PATH) + +EXTRAINCDIR += $(ROOTPATH)/src/include/usr +EXTRAINCDIR += $(ROOTPATH)/src/include/usr/fapi2/ +EXTRAINCDIR += $(ROOTPATH)/src/import/hwpf/fapi2/include +EXTRAINCDIR += $(ROOTPATH)/src/import/chips/common/utils/imageProcs +EXTRAINCDIR += $(ROOTPATH)/src/import/chips/p9/procedures/hwp/ffdc +EXTRAINCDIR += $(PERV_HWP_PATH) + +#Include HWP procedure makefiles +include $(ROOTPATH)/procedure.rules.mk +include $(PERV_HWP_PATH)/p9_update_security_ctrl.mk CFLAGS += -iquote ../ include ${ROOTPATH}/config.mk
diff --git a/src/usr/secureboot/ext/service_ext.C b/src/usr/secureboot/ext/service_ext.C
new file mode 100644
index 000000000..1f8595a71
--- /dev/null
+++ b/src/usr/secureboot/ext/service_ext.C
@@ -0,0 +1,105 @@
+/* IBM_PROLOG_BEGIN_TAG */
+/* This is an automatically generated prolog. */
+/* */
+/* $Source: src/usr/secureboot/ext/service_ext.C $ */
+/* */
+/* OpenPOWER HostBoot Project */
+/* */
+/* Contributors Listed Below - COPYRIGHT 2018 */
+/* [+] International Business Machines Corp. */
+/* */
+/* */
+/* Licensed under the Apache License, Version 2.0 (the "License"); */
+/* you may not use this file except in compliance with the License. */
+/* You may obtain a copy of the License at */
+/* */
+/* http://www.apache.org/licenses/LICENSE-2.0 */
+/* */
+/* Unless required by applicable law or agreed to in writing, software */
+/* distributed under the License is distributed on an "AS IS" BASIS, */
+/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */
+/* implied. See the License for the specific language governing */
+/* permissions and limitations under the License. */
+/* */
+/* IBM_PROLOG_END_TAG */
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "../common/securetrace.H"
+
+#include
+#include
+
+#include
+#include
+
+namespace SECUREBOOT
+{
+
+void lockAbusSecMailboxes()
+{
+#ifdef CONFIG_TPMDD
+ errlHndl_t l_errl = nullptr;
+ TARGETING::TargetHandleList l_procs;
+ getAllChips(l_procs, TARGETING::TYPE_PROC, true);
+
+ auto l_pProc = l_procs.begin();
+ while(l_pProc != l_procs.end())
+ {
+ const fapi2::Targetl_fapiProc(*l_pProc);
+ FAPI_INVOKE_HWP(l_errl,
+ p9_update_security_ctrl,
+ l_fapiProc,
+ false, // do not force security
+ true); // lock down Abus mailboxes
+
+ if(l_errl)
+ {
+ SB_ERR("lockAbusSecMailboxes: p9_update_security_ctrl failed for"
+ " proc 0x%X!. Deconfiguring the proc.",
+ TARGETING::get_huid(*l_pProc));
+
+ auto l_plid = l_errl->plid();
+
+ ERRORLOG::ErrlUserDetailsTarget(*l_pProc).addToLog(l_errl);
+ ERRORLOG::errlCommit(l_errl, SECURE_COMP_ID);
+
+ /*
+ * @errortype
+ * @reasoncode RC_LOCK_MAILBOXES_FAILED
+ * @moduleid MOD_LOCK_ABUS_SEC_MAILBOXES
+ * @userdata1 Target HUID
+ * @devdesc Failed to lock Abus secure mailboxes
+ * on target processor.
+ * @custdesc Secure Boot failure
+ */
+ l_errl = new ERRORLOG::ErrlEntry(ERRORLOG::ERRL_SEV_UNRECOVERABLE,
+ SECUREBOOT::MOD_LOCK_ABUS_SEC_MAILBOXES,
+ SECUREBOOT::RC_LOCK_MAILBOXES_FAILED,
+ TARGETING::get_huid(*l_pProc),
+ 0,
+ true);
+ l_errl->addHwCallout(*l_pProc,
+ HWAS::SRCI_PRIORITY_LOW,
+ HWAS::DELAYED_DECONFIG,
+ HWAS::GARD_NULL);
+ l_errl->collectTrace(SECURE_COMP_NAME);
+ l_errl->collectTrace(FAPI_TRACE_NAME);
+ l_errl->plid(l_plid);
+ ERRORLOG::ErrlUserDetailsTarget(*l_pProc).addToLog(l_errl);
+
+ ERRORLOG::errlCommit(l_errl, SECURE_COMP_ID);
+ }
+
+ ++l_pProc;
+
+ } // while
+#endif
+}
+
+} // namespace SECUREBOOT
-- 
cgit v1.2.3
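Review bot: lockAbusSecMailboxes() returns void, so its caller cannot tell whether every processor's Abus secure mailboxes were actually locked before PHyp is started. Two paths in this hunk leave them unlocked without signalling the caller: the whole body sits inside `#ifdef CONFIG_TPMDD` (while the makefile hunk builds service_ext.o under CONFIG_SECUREBOOT), and a p9_update_security_ctrl failure only commits error logs and requests `HWAS::DELAYED_DECONFIG` at `HWAS::SRCI_PRIORITY_LOW` before the loop moves on to the next processor. Whether the delayed deconfiguration takes effect before the hypervisor starts is not visible in this patch, so this reads as fail-open for a security control and should be confirmed. At minimum the contract belongs in a comment above the function, e.g. `// Best effort: failures are logged and the proc is deconfigured later; no-op unless CONFIG_TPMDD is set`, and an `#else` trace or an `errlHndl_t` return would let the istep decide whether to stop the boot.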