talos-hostboot/src/usr/secureboot/base, branch 07-25-2019

Add README.md files to the secureboot component

2020-02-13T14:55:47+00:00

This commit adds a top-level README.md file to the secureboot component that then calls into new README.md files in the different sub-directories. Change-Id: I7460a0e591232c2f8387321b0251ac3f62a1c76e Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/89025 Reviewed-by: Ilya Smirnov Reviewed-by: Nicholas E Bofferding Reviewed-by: Christopher J Engel Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Tested-by: FSP CI Jenkins Reviewed-by: Daniel M Crowell

Automatically include config.h

2019-12-06T16:28:47+00:00

Rather than having to remember to include config.h anywhere we reference a CONFIG variable (and usually forgetting), this adds it to the default compiler flags so that it gets included in every source file we build. Change-Id: I53622ab4d46c55d942e98cae6ec03049fd5b3d08 Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/87475 Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Tested-by: FSP CI Jenkins Reviewed-by: Zachary Clark Reviewed-by: Roland Veloz Reviewed-by: Christian R Geddes Reviewed-by: Nicholas E Bofferding

Add page tables to read only partitions

2019-05-09T21:10:29+00:00

Changed partitions (WOFDATA, MEMD) to be signed with a hash page table bit. This generates a hash page table in the protected payload which will be used to validate pages in the unprotected payload Change-Id: I9be4b1f6e65b9a52a8b6ba23affdacc4d89f5295 RTC: 179519 Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/72776 Tested-by: Jenkins Server Reviewed-by: Nicholas E. Bofferding Tested-by: Jenkins OP Build CI Tested-by: FSP CI Jenkins Tested-by: Jenkins OP HW Reviewed-by: Michael Baiocchi Reviewed-by: Daniel M. Crowell

Send errors from previous boots as callhome type eSELs

2018-07-17T21:18:04+00:00

During early boot, Hostboot attempts to resend unacknowledged error logs from prior boots as eSELS, without correponding SELs. BMCs typically require both in order to expose a given error log to a customer. This change morphs errors from prior boots into callhome type logs, so that a simple eSEL will be enough to get the error propagated. Change-Id: If499defe8a39b9254f08392b264d72047b7e5f7c CQ: SW426731 RTC: 193265 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/62079 Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Tested-by: FSP CI Jenkins Reviewed-by: William G. Hoffa

Display Secure Mode Console Trace During Boot

2018-07-12T23:09:23+00:00

This change adds a trace to explicitly state the status of secure mode on the system. A message indicating the state of secure mode will be displayed on console early in the boot. Change-Id: Ie36249695a56838879d47a9de300ad58cd7b8feb CQ: SW424336 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/62305 Tested-by: Jenkins Server Tested-by: FSP CI Jenkins Reviewed-by: Daniel M. Crowell

Post informational error log for planar jumper settings

2018-06-26T13:55:27+00:00

Change-Id: Iebdc09d10a62abab4e71b53fa88a4b21c89822e4 CQ: SW432936 Forwardport: yes Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/61318 Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: FSP CI Jenkins Tested-by: Jenkins OP HW Reviewed-by: William G. Hoffa

Mark Read-Only Partitions as Such

2018-04-12T20:20:04+00:00

Partitions marked with readOnly tag in the xml were treated as WRITABLE in the code. This change modifies the permissions to be READ_ONLY and adds unit tests to test the read only functionality. Change-Id: I8c1f23fd7e30edc38ff882c59716ab63a4f310e6 CQ: SW423350 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/56771 CI-Ready: ILYA SMIRNOV Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Reviewed-by: Nicholas E. Bofferding Reviewed-by: Daniel M. Crowell Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/57066 Tested-by: FSP CI Jenkins

Secure Boot: Support Phyp debug flag in HDAT

2018-04-09T20:29:14+00:00

PHYP needs a way to know if SBE security backdoor is enabled for debug purposes. This change creates a flag in TPM instance data structure to indicate whether the backdoor is enabled. This flag is passed by SBE to the hb bootloader; also added the flag to indicate whether PCR is poisoned (default of 0). The population of this flag will be implemented on Fleetwood. Change-Id: I22305dbc9651134ba7dfe3b0bd3c760fe53c2c85 RTC: 188961 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/56045 Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Tested-by: FSP CI Jenkins Reviewed-by: Nicholas E. Bofferding Reviewed-by: Michael Baiocchi CI-Ready: Daniel M. Crowell Reviewed-by: Daniel M. Crowell

Verify ComponentID and Extend PAYLOAD

2018-02-01T22:59:52+00:00

While verifying the PAYLOAD in memory before moving it to its final location, this commit parses the PAYLOAD's header and verifies that it has the correct componentId. It also extends the PAYLOAD information to the TPM. Change-Id: Ie333d1ba5919b36919b207f25ad60806359ed710 RTC:168745 Backport: release-fips910 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/52837 Reviewed-by: Nicholas E. Bofferding Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Reviewed-by: Stephen M. Cprek Tested-by: FSP CI Jenkins Reviewed-by: Daniel M. Crowell

Collect better FFDC on ROM verification errors

2018-01-31T16:09:11+00:00

Collect both the UTIL and RUNTIME component traces on a ROM verify failure Added a new Errlog User Details sections "Verify Info" containing the component name, ID(s), measured, and expected hashes Change-Id: I0d0408128e05807bb906be5ee365d56d1416693f CQ:SW413889 Backport:release-fips910 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/52593 Reviewed-by: Michael Baiocchi Reviewed-by: Nicholas E. Bofferding Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Tested-by: FSP CI Jenkins Reviewed-by: Marshall J. Wilks Reviewed-by: Daniel M. Crowell