Remove dependency on ATTR_NVDIMM_ENCRYPTION_ENABLE for unlock

An eflash will set ATTR_NVDIMM_ENCRYPTION_ENABLE = 0, so only
use HW encryption enabled to decide whether to unlock.
Also need to unlock whenever the nvdimm controller is reset.

Change-Id: I1505573283da5611354dcfb296b1cf488fa8aef9
CQ:SW469014
Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/79674
Reviewed-by: Roland Veloz <rveloz@us.ibm.com>
Reviewed-by: Matt Derksen <mderkse1@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>

5 files changed, 69 insertions, 69 deletions

diff --git a/src/include/usr/isteps/nvdimm/nvdimm.H b/src/include/usr/isteps/nvdimm/nvdimm.H
index 0bcd51bca..68f1b1c13 100644
--- a/src/include/usr/isteps/nvdimm/nvdimm.H
+++ b/src/include/usr/isteps/nvdimm/nvdimm.H
@@ -71,6 +71,9 @@ void nvdimm_restore(TARGETING::TargetHandleList &i_nvdimmList);
 bool nvdimm_update(TARGETING::TargetHandleList &i_nvdimmList);
 
 
+#endif
+
+
 /**
  * @brief Entry function to NVDIMM unlock encryption
  *
@@ -81,8 +84,6 @@ bool nvdimm_update(TARGETING::TargetHandleList &i_nvdimmList);
 bool nvdimm_encrypt_unlock(TARGETING::TargetHandleList &i_nvdimmList);
 
 
-#endif
-
 /**
  * @brief Entry function to NVDIMM generate keys
  *        Generate encryption keys and set the FW key attribute
diff --git a/src/usr/isteps/nvdimm/nvdimm.C b/src/usr/isteps/nvdimm/nvdimm.C
index 9482b02d3..97fa001ce 100644
--- a/src/usr/isteps/nvdimm/nvdimm.C
+++ b/src/usr/isteps/nvdimm/nvdimm.C
@@ -513,6 +513,11 @@ errlHndl_t nvdimmResetController(Target *i_nvdimm)
 
     }while(0);
 
+    // Reset will lock encryption so unlock again
+    TargetHandleList l_nvdimmTargetList;
+    l_nvdimmTargetList.push_back(i_nvdimm);
+    nvdimm_encrypt_unlock(l_nvdimmTargetList);
+
     TRACUCOMP(g_trac_nvdimm, EXIT_MRK"nvdimmResetController() HUID[%X]",get_huid(i_nvdimm));
 
     return l_err;
@@ -1746,6 +1751,9 @@ errlHndl_t nvdimm_getTPM(Target*& o_tpm)
 }
 
 
+#endif
+
+
 bool nvdimm_encrypt_unlock(TargetHandleList &i_nvdimmList)
 {
     TRACFCOMP(g_trac_nvdimm, ENTER_MRK"nvdimm_encrypt_unlock()");
@@ -1754,18 +1762,15 @@ bool nvdimm_encrypt_unlock(TargetHandleList &i_nvdimmList)
 
     do
     {
+        // Do not check ATTR_NVDIMM_ENCRYPTION_ENABLE
+        // The attribute could have been reset by flashing the FSP
+        // Unlock if the keys are valid and NVDIMM hw encryption is enabled
+
         // Get the sys pointer, attribute keys are system level
         Target* l_sys = nullptr;
         targetService().getTopLevelTarget( l_sys );
         assert(l_sys, "nvdimm_encrypt_unlock() no TopLevelTarget");
 
-        // Exit if encryption is not enabled via the attribute
-        if (!l_sys->getAttr<ATTR_NVDIMM_ENCRYPTION_ENABLE>())
-        {
-            TRACFCOMP(g_trac_nvdimm,"ATTR_NVDIMM_ENCRYPTION_ENABLE=0");
-            break;
-        }
-
         // Get the FW key attributes
         auto l_attrKeysFw =
             l_sys->getAttrAsStdArr<ATTR_NVDIMM_ENCRYPTION_KEYS_FW>();
@@ -1774,22 +1779,14 @@ bool nvdimm_encrypt_unlock(TargetHandleList &i_nvdimmList)
         nvdimmKeyData_t* l_keysFw =
                 reinterpret_cast<nvdimmKeyData_t*>(&l_attrKeysFw);
 
-        // Check for valid key attribute data
-        l_err = nvdimm_checkValidAttrKeys(l_keysFw);
-        if (l_err)
-        {
-            break;
-        }
-
         // Check encryption unlock for all nvdimms
         for (const auto & l_nvdimm : i_nvdimmList)
         {
             // Get encryption state in the config/status reg
-            encryption_config_status_t l_encStatus;
-            l_encStatus.whole = 0;
+            encryption_config_status_t l_encStatus = {0};
             l_err = nvdimmReadReg(l_nvdimm,
-                                ENCRYPTION_CONFIG_STATUS,
-                                l_encStatus.whole);
+                                  ENCRYPTION_CONFIG_STATUS,
+                                  l_encStatus.whole);
             if (l_err)
             {
                 TRACFCOMP(g_trac_nvdimm, ERR_MRK"nvdimm_encrypt_unlock() nvdimm[%X] error reading ENCRYPTION_CONFIG_STATUS",get_huid(l_nvdimm));
@@ -1806,6 +1803,16 @@ bool nvdimm_encrypt_unlock(TargetHandleList &i_nvdimmList)
                 break;
             }
 
+            // Check for valid key attribute data
+            l_err = nvdimm_checkValidAttrKeys(l_keysFw);
+            if (l_err)
+            {
+                errlCommit( l_err, NVDIMM_COMP_ID );
+                nvdimmSetEncryptionError(l_nvdimm);
+                l_success = false;
+                break;
+            }
+
             // Else encryption is enabled but needs unlock
             TRACFCOMP(g_trac_nvdimm, "nvdimm_encrypt_unlock() nvdimm[%X] enabled, unlocking...",get_huid(l_nvdimm));
 
@@ -1878,9 +1885,6 @@ bool nvdimm_encrypt_unlock(TargetHandleList &i_nvdimmList)
 }
 
 
-#endif
-
-
 void nvdimmSetEncryptionError(Target *i_nvdimm)
 {
     ATTR_NVDIMM_ARMED_type l_armed_state = {};
@@ -2016,6 +2020,31 @@ errlHndl_t nvdimm_handleConflictingKeys(
     nvdimm_getNvdimmList(l_nvdimmTargetList);
     for (const auto & l_nvdimm : l_nvdimmTargetList)
     {
+        // Check encryption state in the config/status reg
+        encryption_config_status_t l_encStatus = {0};
+        l_err = nvdimmReadReg(l_nvdimm,
+                              ENCRYPTION_CONFIG_STATUS,
+                              l_encStatus.whole);
+        if (l_err)
+        {
+            TRACFCOMP(g_trac_nvdimm, ERR_MRK"nvdimm_handleConflictingKeys() nvdimm[%X] error reading ENCRYPTION_CONFIG_STATUS",get_huid(l_nvdimm));
+            errlCommit( l_err, NVDIMM_COMP_ID );
+            nvdimmSetEncryptionError(l_nvdimm);
+            continue;
+        }
+
+        // Encryption is not enabled
+        // Keys are not in use so could use either set of keys
+        // Use the ANCHOR card keys
+        if (!l_encStatus.encryption_enabled)
+        {
+            TRACFCOMP(g_trac_nvdimm, "nvdimm_handleConflictingKeys() nvdimm[%X] copying ANCHOR keys to FW",get_huid(l_nvdimm));
+            l_validKeyFound = true;
+            set_ATTR_NVDIMM_ENCRYPTION_KEYS_FW(i_attrKeysAnchor);
+            continue;
+        }
+
+        // Encryption is enabled, test the keys
         // Write the EK test reg with the FW attr value
         l_err = nvdimm_setKeyReg(l_nvdimm,
                                  l_keysFw->ek,
@@ -2041,6 +2070,8 @@ errlHndl_t nvdimm_handleConflictingKeys(
         {
             TRACFCOMP(g_trac_nvdimm, ERR_MRK"nvdimm_handleConflictingKeys() nvdimm[%X] ATTR_NVDIMM_ENCRYPTION_KEYS_FW valid",get_huid(l_nvdimm));
             l_validKeyFound = true;
+            // Re-write the FW keys, this will also update the ANCHOR keys
+            set_ATTR_NVDIMM_ENCRYPTION_KEYS_FW(i_attrKeysFw);
             break;
         }
 
@@ -2132,13 +2163,6 @@ bool nvdimm_gen_keys(void)
         targetService().getTopLevelTarget( l_sys );
         assert(l_sys, "nvdimm_gen_keys: no TopLevelTarget");
 
-        // Exit if encryption is not enabled via the attribute
-        if (!l_sys->getAttr<ATTR_NVDIMM_ENCRYPTION_ENABLE>())
-        {
-            TRACFCOMP(g_trac_nvdimm,"ATTR_NVDIMM_ENCRYPTION_ENABLE=0");
-            break;
-        }
-
         // Key size must be less that max TPM random generator size
         static_assert(ENC_KEY_SIZE <= MAX_TPM_SIZE,
             "nvdimm_gen_keys() ENC_KEY_SIZE is greater than MAX_TPM_SIZE");
@@ -2419,8 +2443,7 @@ bool nvdimm_encrypt_enable(TargetHandleList &i_nvdimmList)
         for (const auto & l_nvdimm : i_nvdimmList)
         {
             // Check encryption state in the config/status reg
-            encryption_config_status_t l_encStatus;
-            l_encStatus.whole = 0;
+            encryption_config_status_t l_encStatus = {0};
             l_err = nvdimmReadReg(l_nvdimm,
                                 ENCRYPTION_CONFIG_STATUS,
                                 l_encStatus.whole);
diff --git a/src/usr/isteps/nvdimm/nvdimm.H b/src/usr/isteps/nvdimm/nvdimm.H
index df1487974..1eb9f89dc 100644
--- a/src/usr/isteps/nvdimm/nvdimm.H
+++ b/src/usr/isteps/nvdimm/nvdimm.H
@@ -572,6 +572,17 @@ bool nvdimm_validRandomNumber(uint8_t* i_genData);
 void nvdimmSetEncryptionError(TARGETING::Target *i_nvdimm);
 
 
+/**
+ * @brief Helper function to reset the NVDIMM controller
+ *
+ * @param[in] i_nvdimm - nvdimm target
+ *
+ * @return errlHndl_t - Null if successful, otherwise a pointer to
+ *                      the error log
+ */
+errlHndl_t nvdimmResetController(TARGETING::Target *i_nvdimm);
+
+
 #ifndef __HOSTBOOT_RUNTIME
 
 /**
diff --git a/src/usr/isteps/nvdimm/nvdimm_update.C b/src/usr/isteps/nvdimm/nvdimm_update.C
index 0a319360b..e7fbad4a8 100644
--- a/src/usr/isteps/nvdimm/nvdimm_update.C
+++ b/src/usr/isteps/nvdimm/nvdimm_update.C
@@ -668,7 +668,7 @@ errlHndl_t NvdimmInstalledImage::updateImage(NvdimmLidImage * i_lidImage)
 
         // Reset controller to activate new firmware
         TRACUCOMP(g_trac_nvdimm_upd, "updateImage: resetController");
-        l_err = resetController();
+        l_err = nvdimmResetController(iv_dimm);
         if (l_err)
         {
             TRACFCOMP(g_trac_nvdimm_upd, ERR_MRK "updateImage:  "
@@ -1699,34 +1699,6 @@ errlHndl_t NvdimmInstalledImage::validateFwImage()
     return l_err;
 }
 
-errlHndl_t NvdimmInstalledImage::resetController()
-{
-    errlHndl_t l_err = nullptr;
-
-    // If bit 0 is set, the module shall start a Reset Controller operation
-    l_err = nvdimmWriteReg(iv_dimm, NVDIMM_MGT_CMD0, 0x01);
-    if (l_err)
-    {
-        TRACFCOMP(g_trac_nvdimm_upd,ERR_MRK"resetController: NVDIMM 0x%.8X "
-            "write of 0x01 to NVDIMM_MGT_CMD0 register failed",
-            TARGETING::get_huid(iv_dimm));
-    }
-    else
-    {
-        // Now wait until NV controller is ready again after reset
-        // nvdimmReady will retry NACK calls
-        l_err = nvdimmReady(iv_dimm);
-        if (l_err)
-        {
-            TRACFCOMP(g_trac_nvdimm_upd,ERR_MRK"resetController: NV controller for "
-                "NVDIMM 0x%.8X is not reporting as ready after reset",
-                TARGETING::get_huid(iv_dimm));
-
-        }
-    }
-    return l_err;
-}
-
 uint16_t NvdimmInstalledImage::crc16(const uint8_t * i_data, int i_data_size)
 {
     // From JEDEC JESD245B.01 document
diff --git a/src/usr/isteps/nvdimm/nvdimm_update.H b/src/usr/isteps/nvdimm/nvdimm_update.H
index 37153b9c2..ea606d89d 100644
--- a/src/usr/isteps/nvdimm/nvdimm_update.H
+++ b/src/usr/isteps/nvdimm/nvdimm_update.H
@@ -5,7 +5,7 @@
 /*                                                                        */
 /* OpenPOWER HostBoot Project                                             */
 /*                                                                        */
-/* Contributors Listed Below - COPYRIGHT 2018                             */
+/* Contributors Listed Below - COPYRIGHT 2018,2019                        */
 /* [+] International Business Machines Corp.                              */
 /*                                                                        */
 /*                                                                        */
@@ -318,13 +318,6 @@ class NvdimmInstalledImage
       errlHndl_t isFwOpsSuccess(bool & o_success);
 
       /**
-       * @brief Reset NV controller. Resets controller and waits for it to
-       *        come back online
-       * @return error if reset failed, else nullptr
-       */
-      errlHndl_t resetController();
-
-      /**
        * @brief Updates the NV controller with the lid's image data
        *        (minus header and signature)
        * @param i_lidImage - lid object with image data