authorMike Baiocchi <mbaiocch@us.ibm.com>2017-05-22 17:14:12 -0500
committerDaniel M. Crowell <dcrowell@us.ibm.com>2017-06-08 10:08:59 -0400
commit4c586e2298ffafed3c1979784e1626868bd46f58 (patch)
treeb2aab45ecab8d4023ed0f045ddd5370a2fec7320
parent72a32a1058877dd616c72777c6f7545c55117bed (diff)
Disable Ring Overrides in Secure Mode
This commit disables ring overrides during the IPL and at Runtime when the system has security enabled. Change-Id: Ic3b0db92994a61d4ba6e28858bcd6fde59be6a23 RTC: 163094 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/40818 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
-rw-r--r--src/usr/isteps/pm/pm_common.C12
-rw-r--r--src/usr/pnor/pnor_common.C3
-rw-r--r--src/usr/pnor/pnorrp.C8
-rw-r--r--src/usr/pnor/test/pnorrptest.H12
-rw-r--r--src/usr/sbe/sbe_update.C4
5 files changed, 23 insertions, 16 deletions
diff --git a/src/usr/isteps/pm/pm_common.C b/src/usr/isteps/pm/pm_common.C
index 0335ebec4..5b0c9372d 100644
--- a/src/usr/isteps/pm/pm_common.C
+++ b/src/usr/isteps/pm/pm_common.C
@@ -1056,14 +1056,6 @@ namespace HBPM
break;
#endif
- // No overrides in secure mode
- if( SECUREBOOT::enabled() )
- {
- TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace,
- INFO_MRK"getRingOvd(): No overrides in secure mode");
- break;
- }
-
PNOR::SectionInfo_t l_pnorRingOvd;
l_err = PNOR::getSectionInfo(PNOR::RINGOVD, l_pnorRingOvd);
if(l_err)
@@ -1071,8 +1063,8 @@ namespace HBPM
delete l_err;
l_err = NULL;
TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace,
- INFO_MRK"getRingOvd(): RINGOVD section not found, "
- "it is optional");
+ INFO_MRK"getRingOvd(): RINGOVD section not found or "
+ "is blocked in secure mode. it is optional");
break;
}
if(l_pnorRingOvd.size == 0)
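Review bot: With the explicit secure-mode check removed in the previous hunk, the `if(l_err)` branch here deletes the error handle and emits a single INFO trace for every failure, so an expected secureboot inhibit and a genuine PNOR lookup failure cannot be told apart in the trace. If the helper is visible from this file, consider testing `PNOR::isInhibitedSection(PNOR::RINGOVD)` inside the branch and tracing `"getRingOvd(): RINGOVD inhibited by secureboot"` in that case, keeping the "not found" wording for the other path. The same applies to the `ringOvd()` hunk in src/usr/sbe/sbe_update.C, which additionally reports the expected secure-mode case under `ERR_MRK`. The enclosing function starts and ends outside this hunk.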
diff --git a/src/usr/pnor/pnor_common.C b/src/usr/pnor/pnor_common.C
index 2c491d990..2eb710a16 100644
--- a/src/usr/pnor/pnor_common.C
+++ b/src/usr/pnor/pnor_common.C
@@ -387,7 +387,8 @@ bool PNOR::isInhibitedSection(const uint32_t i_section)
{
#ifdef CONFIG_SECUREBOOT
return (i_section == ATTR_PERM ||
- i_section == ATTR_TMP) &&
+ i_section == ATTR_TMP ||
+ i_section == RINGOVD ) &&
SECUREBOOT::enabled();
#else
return false;
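Review bot: The inhibit list in `isInhibitedSection` has no comment stating the rule for membership, which matters now that it is the only visible control keeping RINGOVD from being served in secure mode. I would add above the `return` something like `// Override sections that must never be served when secureboot is enabled; add any new override section here`. The whole check also compiles to `return false` without CONFIG_SECUREBOOT, whereas the check removed from getRingOvd() in pm_common.C called `SECUREBOOT::enabled()` directly after an `#endif`; the two are presumably equivalent in every shipped configuration, but that is worth confirming. The end of the function is outside this hunk.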
diff --git a/src/usr/pnor/pnorrp.C b/src/usr/pnor/pnorrp.C
index 0326bb1e1..bd8609416 100644
--- a/src/usr/pnor/pnorrp.C
+++ b/src/usr/pnor/pnorrp.C
@@ -509,17 +509,17 @@ errlHndl_t PnorRP::getSectionInfo( PNOR::SectionId i_section,
|| l_inhibited
)
{
- TRACFCOMP( g_trac_pnor, "PnorRP::getSectionInfo> Invalid Section Requested : i_section=%d", i_section );
+ TRACFCOMP( g_trac_pnor, "PnorRP::getSectionInfo> Invalid Section Requested : i_section=%d (%s)", i_section, SectionIdToString(id));
#ifdef CONFIG_SECUREBOOT
if (l_inhibited)
{
TRACFCOMP( g_trac_pnor, "PnorRP::getSectionInfo> "
- "attribute override inhibited by secureboot");
+ "attribute overrides inhibited by secureboot");
}
#endif
uint64_t size = iv_TOC[i_section].size;
- TRACFCOMP(g_trac_pnor, "o_info={ id=%d, size=%d }",
- iv_TOC[i_section].id, size );
+ TRACFCOMP(g_trac_pnor, "o_info={ id=%d, size=%d , name=%s}",
+ iv_TOC[i_section].id, size, SectionIdToString(id) );
/*@
* @errortype
* @moduleid PNOR::MOD_PNORRP_GETSECTIONINFO
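Review bot: The second trace still reads `"attribute overrides inhibited by secureboot"`, but after this commit `l_inhibited` is also set for RINGOVD, which is a ring override rather than an attribute override; neutral wording such as `"section inhibited by secureboot"` would keep the trace accurate for whoever triages it. Both new `SectionIdToString(id)` calls pass `id`, which is not declared in the visible lines while every other argument in the hunk uses `i_section`; if `id` is a local assigned earlier in getSectionInfo that is fine, otherwise it should be `SectionIdToString(i_section)`. The changed line also keeps printing the `uint64_t size` with `%d`. The function body starts and ends outside this hunk.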
diff --git a/src/usr/pnor/test/pnorrptest.H b/src/usr/pnor/test/pnorrptest.H
index f3d94ef99..d42ce93a5 100644
--- a/src/usr/pnor/test/pnorrptest.H
+++ b/src/usr/pnor/test/pnorrptest.H
@@ -41,6 +41,7 @@
#include <sys/mm.h>
#include <targeting/common/targetservice.H>
#include <devicefw/userif.H>
+#include <config.h>
#include <pnor/ecc.H>
#include "../pnorrp.H"
#include "../pnor_common.H"
@@ -78,7 +79,18 @@ class PnorRpTest : public CxxTest::TestSuite
for( uint64_t idx = 0; idx < numSections; idx++)
{
+ // RINGOVD is not supported when secureboot is enabled, but rather
+ // than looking for the expected fail like non-test code does, just
+ // skip testing RINGOVD in this scenario
+ if ( ( testSections[idx] == PNOR::RINGOVD ) &&
+ ( SECUREBOOT::enabled() ) )
+ {
+ TRACFCOMP(g_trac_pnor, "PnorRpTest::test_sectionInfo> Skipping RINGOVD since Security is enabled");
+ continue;
+ }
+
total++;
+
errhdl = PNOR::getSectionInfo( testSections[idx], info );
if( errhdl )
{
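Review bot: Skipping RINGOVD when `SECUREBOOT::enabled()` leaves the behaviour this commit introduces untested, since nothing asserts that `PNOR::getSectionInfo` actually refuses the section in secure mode. I would replace the skip with a negative check that calls getSectionInfo for RINGOVD, fails the test if no error handle comes back, and deletes the handle otherwise. How `total` and any failure counter should account for this case depends on loop code outside the hunk, which also continues past its last line.

```cpp
if ( ( testSections[idx] == PNOR::RINGOVD ) &&
     ( SECUREBOOT::enabled() ) )
{
    // Inhibited section: the lookup is expected to fail in secure mode
    errhdl = PNOR::getSectionInfo( testSections[idx], info );
    if( !errhdl )
    {
        TS_FAIL("PnorRpTest::test_sectionInfo> RINGOVD was returned with Security enabled");
    }
    else
    {
        delete errhdl;
        errhdl = NULL;
    }
    continue;
}
// … unchanged: total++ and the regular getSectionInfo check …
```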
diff --git a/src/usr/sbe/sbe_update.C b/src/usr/sbe/sbe_update.C
index 1babff13d..d86fad7a2 100644
--- a/src/usr/sbe/sbe_update.C
+++ b/src/usr/sbe/sbe_update.C
@@ -896,6 +896,7 @@ namespace SBE
PNOR::SectionInfo_t l_pnorRingOvd;
do {
+
l_err = PNOR::getSectionInfo(PNOR::RINGOVD, l_pnorRingOvd);
if(l_err)
{
@@ -903,7 +904,8 @@ namespace SBE
l_err = NULL;
TRACFCOMP( g_trac_sbe,
ERR_MRK"ringOvd():Error trying to read RINGOVD "
- "from PNOR. It is optional, continuing");
+ "from PNOR. Could be blocked in secure mode. "
+ "It is optional, continuing");
io_ovdImgSize = 0;
break;
}