talos-hostboot/src/bootloader, branch master

Secure Boot: Support Phyp debug flag in HDAT

2018-04-09T20:29:14+00:00

PHYP needs a way to know if SBE security backdoor is enabled for debug purposes. This change creates a flag in TPM instance data structure to indicate whether the backdoor is enabled. This flag is passed by SBE to the hb bootloader; also added the flag to indicate whether PCR is poisoned (default of 0). The population of this flag will be implemented on Fleetwood. Change-Id: I22305dbc9651134ba7dfe3b0bd3c760fe53c2c85 RTC: 188961 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/56045 Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Tested-by: FSP CI Jenkins Reviewed-by: Nicholas E. Bofferding Reviewed-by: Michael Baiocchi CI-Ready: Daniel M. Crowell Reviewed-by: Daniel M. Crowell

Force checkstops for unhandled machine checks

2018-03-29T16:03:50+00:00

Default MSR[ME]=0 during initial boot for bootloader and hostboot kernel Once the xscom address range has been mapped in, enable the machine check handler to force a checkstop and set MSR[ME]=1 to allow regular machine check handling CQ: SW401402 Change-Id: I104e39465e61b3b19d5c073e71271102711ae54f Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/47179 Reviewed-by: Christian R. Geddes Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Tested-by: FSP CI Jenkins Reviewed-by: William G. Hoffa Reviewed-by: Daniel M. Crowell

Remove Secure Boot workarounds

2017-12-18T22:27:59+00:00

- Removing the magic number checks that would block sb functionality if things didn't appear secure - Remove Best Effort Policy and all of its related code - Remove the legacy PCR extension - Remove the non-secure header preservation path. - Always load HB base image header from the bl to hb data path vs settings unsecurely out of pnor Change-Id: Ie638384ac50ed47850985c959ea7a32e5757d64e RTC: 178520 RTC: 155374 RTC: 173489 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49925 Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Reviewed-by: Nicholas E. Bofferding Tested-by: FSP CI Jenkins Tested-by: Jenkins OP HW Reviewed-by: Michael Baiocchi Reviewed-by: Daniel M. Crowell

Add component ID check for Master Container Lid Processing

2017-12-12T22:06:11+00:00

Change-Id: Ie6d99d6f67f09861f0d09c8432cf90abc27400b8 RTC: 181848 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/50156 Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Reviewed-by: Michael Baiocchi Reviewed-by: Nicholas E. Bofferding Tested-by: FSP CI Jenkins Reviewed-by: Daniel M. Crowell

Story 179465 - Smarter HBBL id handling ...

2017-11-19T18:15:50+00:00

to avoid constant SBE updates Change-Id: Id02c7eb95a8e83274968477514130512ee553968 RTC: 179465 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49748 Reviewed-by: Martin Gloff Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Tested-by: FSP CI Jenkins Reviewed-by: Christian R. Geddes Reviewed-by: Daniel M. Crowell

Secure Boot: Enforce PNOR section component IDs

2017-11-03T13:45:20+00:00

- In secure mode, bootloader will enforce that HBB component ID is set - In secure mode, Hostboot will enforce that PNOR component IDs are set Change-Id: I04f3bbc45417b3229003c56e1083e1fc31c01cd7 RTC: 179422 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/48711 Reviewed-by: Michael Baiocchi Tested-by: Jenkins Server Reviewed-by: Marshall J. Wilks Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Reviewed-by: Stephen M. Cprek Tested-by: FSP CI Jenkins Reviewed-by: William G. Hoffa

Refactor SecureBoot Workarounds to better control leniency

2017-08-26T03:16:28+00:00

At this time we are trying to secure OpenPOWER in secure mode, but allow best effort policies in other scenarios Change-Id: I9ec2b5be49dbfcff678c4d30bb85f8762e448cb6 RTC: 170136 RTC: 155374 RTC: 168021 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/43640 Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Reviewed-by: Nicholas E. Bofferding Reviewed-by: Michael Baiocchi Tested-by: FSP CI Jenkins Reviewed-by: Daniel M. Crowell

Pass Key-Addr info through bootloader

2017-08-18T14:26:41+00:00

RTC: 165369 Change-Id: If15f6ccc7a7c3649b8352467ae10173a15f3f501 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/44426 Tested-by: Jenkins Server Tested-by: FSP CI Jenkins Tested-by: Jenkins OP Build CI Reviewed-by: Matt Derksen Reviewed-by: Martin Gloff Tested-by: Jenkins OP HW Reviewed-by: Daniel M. Crowell

Fix duplicate sha512 definitions

2017-08-04T13:53:51+00:00

All instances for sha2_hash_t have been replaced with SHA512_t and the SHA512_t typedef is now in securerom/contrib/sha512.H in place of the old definition. Change-Id: I32524524d755eb3b0264881317d9be5a294dc9a7 RTC:172333 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/43610 Tested-by: Jenkins Server Reviewed-by: Stephen M. Cprek Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Tested-by: FSP CI Jenkins Reviewed-by: Michael Baiocchi Reviewed-by: Daniel M. Crowell

Hostboot not able to send a valid TI after corrupting HB base

2017-08-04T13:28:37+00:00

Bootloader TI design is incomplete and does not set up the TI info at HBB offset 0x2000 with the magic signature or pointer to the Bootloader TI data. Change-Id: I16229fed67a2cf67322dce02f0a1b8f0b68d275f CQ: SW397043 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/43941 Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: FSP CI Jenkins Tested-by: Jenkins OP HW Reviewed-by: Christian R. Geddes Reviewed-by: Stephen M. Cprek Reviewed-by: Corey V. Swenson Reviewed-by: Daniel M. Crowell