summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJaymes Wilks <mjwilks@us.ibm.com>2017-08-17 13:37:10 -0500
committerDaniel M. Crowell <dcrowell@us.ibm.com>2017-08-25 23:19:40 -0400
commit762243b4a659f79dcf5c405910c02bb997b602f4 (patch)
tree128b20a749566374c5eac1ce351ea54b7557059a
parentcefc4c2c1bf3a43a993f2091813ee181779ddee4 (diff)
downloadtalos-hostboot-762243b4a659f79dcf5c405910c02bb997b602f4.tar.gz
talos-hostboot-762243b4a659f79dcf5c405910c02bb997b602f4.zip
Move SUL enforcement back to after SBE update step
Through the course of adding to hostboot, the SUL enforcement step has slid later into istep 10. This commit moves the SUL enforcement back to immediately after the SBE update step for maximum security. Change-Id: I92d68a6328a834762b7b39eefb62161b9b1ad2c4 RTC:178471 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/44749 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat
-rw-r--r--src/usr/isteps/istep10/call_host_set_voltages.C734
-rw-r--r--src/usr/isteps/istep10/call_host_update_redundant_tpm.C688
2 files changed, 734 insertions, 688 deletions
diff --git a/src/usr/isteps/istep10/call_host_set_voltages.C b/src/usr/isteps/istep10/call_host_set_voltages.C
index d0a8dbd8c..22fe8faf0 100644
--- a/src/usr/isteps/istep10/call_host_set_voltages.C
+++ b/src/usr/isteps/istep10/call_host_set_voltages.C
@@ -43,6 +43,51 @@
#include <hbToHwsvVoltageMsg.H>
+// Note: The following secureboot-related includes will be kept separate from
+// any other includes in this file in spite of the resulting duplicate includes.
+// This will make it easier going forward to relocate the code that requires
+// these includes. In the past isteps have been moved around, causing the
+// security code below to slip farther away from the SBE update step. For
+// maximal security, we want the secure boot code to happen immediately after
+// SBE update and keeping the code relocateable facilitates this.
+
+// begin includes for post sbe secureboot steps
+#include <errl/errlentry.H>
+#include <errl/errlmanager.H>
+#include <isteps/istep_reasoncodes.H>
+#include <initservice/initserviceif.H>
+
+// targeting support
+#include <targeting/common/target.H>
+#include <targeting/common/commontargeting.H>
+#include <targeting/common/utilFilter.H>
+#include <errl/errludtarget.H>
+#include <attributetraits.H>
+
+#include <config.h>
+#include <util/align.H>
+#include <util/algorithm.H>
+
+// Fapi Support
+#include <fapi2.H>
+#include <target_types.H>
+#include <plat_hwp_invoker.H>
+#include <attributeenums.H>
+#include <istepHelperFuncs.H>
+
+//HWP
+#include <p9_update_security_ctrl.H>
+
+// secureboot
+#include <secureboot/service.H>
+#include <secureboot/settings.H>
+#include <i2c/eepromif.H>
+#include <sbe/sbeif.H>
+#include "../../secureboot/common/errlud_secure.H"
+#include <sbe/sbe_update.H>
+
+// end includes for post sbe secureboot steps
+
using namespace TARGETING;
using namespace ERRORLOG;
using namespace ISTEP_ERROR;
@@ -50,6 +95,693 @@ using namespace ISTEP_ERROR;
namespace ISTEP_10
{
+#ifdef CONFIG_SECUREBOOT
+/**
+ * @brief This structure associates SBE HW keys' hashes with names and SBE sides
+ */
+struct HashNode
+{
+ uint8_t* hash; /** SBE HW keys' hash for the named side */
+ const char* name; /** Name of the side: either primary or backup */
+ uint8_t side; /** A uint8_t value of 0 for primary or 1 for backup */
+ HashNode(uint8_t* i_hash,
+ const char* i_name,
+ uint8_t i_side) : hash(i_hash), name(i_name), side(i_side)
+ {
+ }
+};
+
+/**
+ * @brief This union simplifies bitwise operations for tracking the four
+ * conditions of mismatch when matching security settings of a slave processor
+ * with that of the master processor.
+ */
+union Mismatches
+{
+ uint8_t val;
+ struct {
+ uint8_t reserved : 4; /** unused */
+ uint8_t sabmis : 1; /** Value of 1 indicates the SAB bit didn't match,
+ * 0 otherwise.
+ */
+ uint8_t smdmis : 1; /** Value of 1 indicates the SMD bit did not match,
+ * 0 otherwise.
+ */
+ uint8_t primis : 1; /** Value of 1 indicates the primary SBE HW key's
+ * did not match, 0 otherwise.
+ */
+ uint8_t bacmis : 1; /** Value of 1 indicates the backup SBE HW key's
+ * did not match, 0 otherwise.
+ */
+ };
+};
+
+/** @brief Handle a processor security error.
+ * @par Detailed Description:
+ * Puts all the error handling for mismatched processor security
+ * settings in one place in order to minimize code footprint. This
+ * highly-specialized function is not intended for public consumption.
+ * @param[in] i_pProc The target processor whose secure processor settings are
+ * exhibiting a problem. Must not be null.
+ * @param[in] i_rc The reason code of the error to be handled.
+ * @param[in] i_hashes A vector containing hash/string/side triples, where
+ * the string indicates the name of the hash, and the side refers to the
+ * SBE side that the hash was taken from.
+ * @param[in] i_plid If non zero this plid from a previous error will be linked
+ * To the error created by this function, ignored otherwise.
+ * @param[in] i_continue A boolean indicating whether hostboot should continue
+ * booting (and deconfigure the processor) or stop the IPL.
+ * @param[in] i_mismatches A bitstring of mismatch bits of type Mismatches
+ * corresponding to a mismatch of the SAB or SMD register or primary or
+ * secondary SBE HW Keys' Hash between the supplied target and the master
+ * processor. Optional parameter is for the RC_PROC_SECURITY_STATE_MISMATCH
+ * case only and must be left as default (value of 0) for all other cases.
+ */
+void handleProcessorSecurityError(TARGETING::Target* i_pProc,
+ ISTEP::istepReasonCode i_rc,
+ const std::vector<HashNode>& i_hashes,
+ uint16_t i_plid,
+ bool i_continue,
+ Mismatches i_mismatches={0})
+{
+ using namespace ISTEP;
+
+ // stop the caller from passing a null target
+ assert(i_pProc != nullptr, "Bug! Target pointer must not be null");
+
+ // make sure that caller is using the Mismatches parameter at the right time
+ assert( (i_rc!=RC_PROC_SECURITY_STATE_MISMATCH && !i_mismatches.val) ||
+ (i_rc==RC_PROC_SECURITY_STATE_MISMATCH && i_mismatches.val),
+ "Mismatches parameter is for RC_PROC_SECURITY_STATE_MISMATCH only");
+
+ ERRORLOG::errlSeverity_t l_severity = ERRORLOG::ERRL_SEV_UNRECOVERABLE;
+
+ if (i_rc==RC_MASTER_PROC_SBE_KEYS_HASH_MISMATCH ||
+ i_rc==RC_PROC_SECURITY_STATE_MISMATCH)
+ {
+ if (i_rc==RC_PROC_SECURITY_STATE_MISMATCH)
+ {
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ ERR_MRK"call_host_set_voltages - handleProcessorSecurityError processor state does match master for processor tgt=0x%X",
+ TARGETING::get_huid(i_pProc));
+
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ "SMD is a %smatch", i_mismatches.smdmis? "mis": "");
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ "SAB is a %smatch", i_mismatches.sabmis? "mis": "");
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ "Primary SBE hash is a %smatch",
+ i_mismatches.primis? "mis": "");
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ "Backup SBE hash is a %smatch",
+ i_mismatches.bacmis? "mis": "");
+ }
+ else // master proc sbe keys' hash mismatch
+ {
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ ERR_MRK"call_host_set_voltages - handleProcessorSecurityError: Master processor sbe keys' hash doesn't match master backup sbe key's hash");
+ }
+
+ // Log as informational if secure boot is disabled
+ if (!SECUREBOOT::enabled())
+ {
+ l_severity = ERRORLOG::ERRL_SEV_INFORMATIONAL;
+ }
+ }
+ else
+ {
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ "call_host_set_voltages - handleProcessorSecurityError: Istep error occurred, reason code 0x%X"
+ ,i_rc);
+ TRACDCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ ERR_MRK"call_host_set_voltages - handleProcessorSecurityError: %s fail",
+ i_rc==RC_MASTER_PROC_PRIMARY_HASH_READ_FAIL?"Master primary hash read":
+ i_rc==RC_MASTER_PROC_BACKUP_HASH_READ_FAIL?"Master backup hash read":
+ i_rc==RC_MASTER_PROC_CBS_CONTROL_READ_FAIL?"Master CBS control read":
+ i_rc==RC_SLAVE_PROC_PRIMARY_HASH_READ_FAIL?"Slave primary hash read":
+ i_rc==RC_SLAVE_PROC_BACKUP_HASH_READ_FAIL?"Slave backup hash read":
+ i_rc==RC_SLAVE_PROC_CBS_CONTROL_READ_FAIL?"Slave CBS control read":
+ "unknown");
+ }
+
+ auto err = new ERRORLOG::ErrlEntry(l_severity,
+ ISTEP::MOD_UPDATE_REDUNDANT_TPM,
+ i_rc,
+ TARGETING::get_huid(i_pProc),
+ TO_UINT64(i_mismatches.val),
+ true);
+
+ // if a plid was given, link it to the new error.
+ if (i_plid)
+ {
+ err->plid(i_plid);
+ }
+
+ err->collectTrace(ISTEP_COMP_NAME);
+
+ ERRORLOG::ErrlUserDetailsTarget(i_pProc).addToLog(err);
+
+ // Add Security related user details
+ SECUREBOOT::addSecureUserDetailsToErrolog(err);
+
+ // add hashes to log and traces
+ for(auto& hsh : i_hashes)
+ {
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace, ERR_MRK"call_host_set_voltages - handleProcessorSecurityError - %s hash: ", hsh.name);
+ TRACFBIN(ISTEPS_TRACE::g_trac_isteps_trace,
+ "Data = ",
+ reinterpret_cast<void*>(hsh.hash),
+ SHA512_DIGEST_LENGTH);
+ SECUREBOOT::UdTargetHwKeyHash(
+ i_pProc,
+ hsh.side,
+ hsh.hash).addToLog(err);
+ }
+
+ if (i_continue)
+ {
+ err->addHwCallout(i_pProc,
+ HWAS::SRCI_PRIORITY_LOW,
+ i_mismatches.val && // for any mismatch
+ !RC_MASTER_PROC_SBE_KEYS_HASH_MISMATCH?
+ HWAS::NO_DECONFIG: // don't deconfig the processor
+ HWAS::DELAYED_DECONFIG,
+ HWAS::GARD_NULL);
+ }
+
+ // save off reason code before committing
+ auto l_reason = err->reasonCode();
+
+ ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
+
+ if (!i_continue)
+ {
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ "Terminating because future security cannot be guaranteed.");
+ INITSERVICE::doShutdown(l_reason);
+ }
+}
+#endif
+
+//*****************************************************************************
+// validateSecuritySettings()
+//*****************************************************************************
+/*
+ * @brief Lock the SUL bit and enforce synchronized processor security states
+ */
+void validateSecuritySettings()
+{
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ ENTER_MRK"validateSecuritySettings");
+
+ errlHndl_t err = nullptr;
+
+ // Before update procedure, trace security settings
+ err = SECUREBOOT::traceSecuritySettings();
+ if (err)
+ {
+ TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace,
+ "validateSecuritySettings: Error back from "
+ "SECUREBOOT::traceSecuritySettings: rc=0x%X, plid=0x%X",
+ ERRL_GETRC_SAFE(err), ERRL_GETPLID_SAFE(err));
+
+ // Commit log, but continue
+ ERRORLOG::errlCommit( err, SECURE_COMP_ID );
+ }
+
+ // Start of update procedure
+ #ifdef CONFIG_SECUREBOOT
+
+ bool l_force = false;
+
+ TARGETING::TargetHandleList l_procList;
+ getAllChips(l_procList,TARGETING::TYPE_PROC,true);
+
+ // call p9_update_security_ctrl.C HWP
+ do {
+
+ if (!SECUREBOOT::enabled() && !l_force)
+ {
+ break;
+ }
+
+ TARGETING::TargetHandleList l_tpmList;
+ getAllChips(l_tpmList,TARGETING::TYPE_TPM,false);
+
+ // loop through the processors
+ auto pProcItr = l_procList.begin();
+ while (pProcItr != l_procList.end())
+ {
+ bool l_notInMrw = true;
+ TARGETING::Target* l_tpm = nullptr;
+
+ // check if processor has a TPM according to the mrw
+
+ // for each TPM in the list compare i2c master path with
+ // the path of the current processor
+ for (auto itpm : l_tpmList)
+ {
+ auto l_physPath = (*pProcItr)->getAttr<TARGETING::ATTR_PHYS_PATH>();
+
+ auto l_tpmInfo = itpm->getAttr<TARGETING::ATTR_TPM_INFO>();
+
+ if (l_tpmInfo.i2cMasterPath == l_physPath)
+ {
+ l_notInMrw = false;
+ l_tpm = itpm;
+ break;
+ }
+ }
+
+ if (l_notInMrw)
+ {
+ uint8_t l_protectTpm = 1;
+ (*pProcItr)->setAttr<
+ TARGETING::ATTR_SECUREBOOT_PROTECT_DECONFIGURED_TPM
+ >(l_protectTpm);
+ }
+
+ const fapi2::Target<fapi2::TARGET_TYPE_PROC_CHIP> l_fapiTarg(*pProcItr);
+
+ FAPI_INVOKE_HWP(err, p9_update_security_ctrl, l_fapiTarg);
+
+ if (err)
+ {
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ ERR_MRK"validateSecuritySettings - "
+ "p9_update_security_ctrl failed for processor tgt=0x%X, "
+ "TPM tgt=0x%X. Deconfiguring processor because future "
+ "security cannot be guaranteed.",
+ TARGETING::get_huid(*pProcItr),
+ TARGETING::get_huid(l_tpm));
+
+ // save the plid from the error before commiting
+ auto plid = err->plid();
+
+ ERRORLOG::ErrlUserDetailsTarget(*pProcItr).addToLog(err);
+
+ // commit this error log first before creating the new one
+ ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
+
+ /*@
+ * @errortype
+ * @reasoncode ISTEP::RC_UPDATE_SECURITY_CTRL_HWP_FAIL
+ * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
+ * @severity ERRL_SEV_UNRECOVERABLE
+ * @userdata1 Processor Target
+ * @userdata2 TPM Target
+ * @devdesc Failed to set SEEPROM lock and/or TPM deconfig
+ * protection for this processor, so we cannot
+ * guarrantee platform secuirty for this processor
+ * @custdesc Platform security problem detected
+ */
+ err = new ERRORLOG::ErrlEntry(ERRORLOG::ERRL_SEV_UNRECOVERABLE,
+ ISTEP::MOD_UPDATE_REDUNDANT_TPM,
+ ISTEP::RC_UPDATE_SECURITY_CTRL_HWP_FAIL,
+ TARGETING::get_huid(*pProcItr),
+ TARGETING::get_huid(l_tpm),
+ true);
+
+ err->addHwCallout(*pProcItr,
+ HWAS::SRCI_PRIORITY_LOW,
+ HWAS::DELAYED_DECONFIG,
+ HWAS::GARD_NULL);
+
+ err->collectTrace(ISTEP_COMP_NAME);
+
+ // pass on the plid from the previous error log to the new one
+ err->plid(plid);
+
+ ERRORLOG::ErrlUserDetailsTarget(*pProcItr).addToLog(err);
+
+ ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
+
+ // remove the deconfigured processor from the list so that we can
+ // reuse this list later to enforce processor security state below
+ pProcItr = l_procList.erase(pProcItr);
+
+ // we don't break here. we need to continue on to the next
+ // processor and run the HWP on that one
+ }
+ else
+ {
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ "p9_update_security_ctrl successful for proc: 0x%X tpm: 0x%X",
+ TARGETING::get_huid(*pProcItr),
+ TARGETING::get_huid(l_tpm));
+ // only move on to the next processor if we didn't erase the
+ // current one, since erasing the current one automatically gives us
+ // the next one
+ ++pProcItr;
+ }
+ }
+
+ } while(0);
+ // end of p9_update_security_ctrl procedure
+
+ // Enforce Synchronized Proc Security State
+ do {
+
+ uint64_t l_mainCbs = 0;
+
+ // a list of hashes we will be using to match primary to backups and
+ // masters to slaves
+ std::vector<HashNode> l_hashes;
+
+ // master processor primary hash
+ SHA512_t l_masterHash = {0};
+
+ // master processor backup hash
+ SHA512_t l_backupHash = {0};
+
+ // slave processor primary hash (reset each time through the loop)
+ SHA512_t l_slaveHashPri = {0};
+
+ // slave processor backup hash (reset each time through the loop)
+ SHA512_t l_slaveHashBac = {0};
+
+ // nodes for the hashes vector only to be added to vector as needed
+ auto l_master = HashNode(l_masterHash, "master primary", SBE::SBE_SEEPROM0);
+ auto l_backup = HashNode(l_backupHash, "master backup", SBE::SBE_SEEPROM1);
+ auto l_slave = HashNode(l_slaveHashPri, "slave primary", SBE::SBE_SEEPROM0);
+ auto l_slaveb = HashNode(l_slaveHashBac, "slave backup", SBE::SBE_SEEPROM1);
+ // obtain the master processor target
+ TARGETING::Target* mProc = nullptr;
+ err = TARGETING::targetService().queryMasterProcChipTargetHandle(mProc);
+ if (err)
+ {
+ // if this happens we are in big trouble
+ auto rc = err->reasonCode();
+ ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ "Terminating because future security cannot be guaranteed.");
+ INITSERVICE::doShutdown(rc);
+ break;
+ }
+
+ // read the CBS control register of the main processor
+ // (has SAB/SMD bits)
+ err = SECUREBOOT::getProcCbsControlRegister(l_mainCbs, mProc);
+ if (err)
+ {
+ auto plid = err->plid();
+ ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
+
+ /*@
+ * @errortype
+ * @reasoncode ISTEP::RC_MASTER_PROC_CBS_CONTROL_READ_FAIL
+ * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
+ * @userdata1 Master Processor Target
+ * @devdesc Unable to read the master processor CBS control
+ * register
+ * @custdesc Platform security problem detected
+ */
+ handleProcessorSecurityError(mProc,
+ ISTEP::RC_MASTER_PROC_CBS_CONTROL_READ_FAIL,
+ l_hashes,
+ plid,
+ false); // stop IPL and deconfig processor
+ break;
+ }
+
+ // read the primary sbe HW keys' hash for the master processor
+ err = SBE::getHwKeyHashFromSbeImage(
+ mProc,
+ EEPROM::SBE_PRIMARY,
+ l_masterHash);
+ if (err)
+ {
+ auto plid = err->plid();
+ ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
+
+ /*@
+ * @errortype
+ * @reasoncode ISTEP::RC_MASTER_PROC_PRIMARY_HASH_READ_FAIL
+ * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
+ * @userdata1 Master Processor Target
+ * @devdesc Unable to read the master processor primary hash
+ * from the SBE
+ * @custdesc Platform security problem detected
+ */
+ handleProcessorSecurityError(mProc,
+ ISTEP::RC_MASTER_PROC_PRIMARY_HASH_READ_FAIL,
+ l_hashes,
+ plid,
+ false); // stop IPL and deconfig processor
+ }
+
+ // read the backup sbe HW keys' hash for the master processor
+ err = SBE::getHwKeyHashFromSbeImage(
+ mProc,
+ EEPROM::SBE_BACKUP,
+ l_backupHash);
+ if (err)
+ {
+ auto plid = err->plid();
+ ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
+
+ /*@
+ * @errortype
+ * @reasoncode ISTEP::RC_MASTER_PROC_BACKUP_HASH_READ_FAIL
+ * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
+ * @userdata1 Processor Target
+ * @devdesc Unable to read the master processor backup hash
+ * from the SBE
+ * @custdesc Platform security problem detected
+ */
+ handleProcessorSecurityError(mProc,
+ ISTEP::RC_MASTER_PROC_BACKUP_HASH_READ_FAIL,
+ l_hashes,
+ plid,
+ false); // stop IPL and deconfig processor
+ break;
+ }
+
+ // make sure the master processor primary and backup SBE HW keys' hashes
+ // match each other
+ if (memcmp(l_masterHash,l_backupHash, SHA512_DIGEST_LENGTH)!=0)
+ {
+ // add only the hashes relevant to the error to hashes vector
+ l_hashes.push_back(l_master);
+ l_hashes.push_back(l_backup);
+
+ bool l_continue = !SECUREBOOT::enabled();
+ /*@
+ * @errortype
+ * @reasoncode ISTEP::RC_MASTER_PROC_SBE_KEYS_HASH_MISMATCH
+ * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
+ * @severity ERRL_SEV_UNRECOVERABLE
+ * @userdata1 Master Processor Target
+ * @devdesc The primary SBE HW Keys' hash does not match the
+ * the backup SBE HW Keys' hash, so we cannot
+ * guarrantee platform security for the system
+ * @custdesc Platform security problem detected
+ */
+ handleProcessorSecurityError(mProc,
+ ISTEP::RC_MASTER_PROC_SBE_KEYS_HASH_MISMATCH,
+ l_hashes,
+ 0,
+ l_continue); // stop IPL if secureboot enabled
+
+ break;
+ }
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ "Master Primary SBE HW keys' hash successfully matches backup.");
+
+ for(auto pProc : l_procList)
+ {
+ uint64_t l_procCbs = 0;
+
+ if (mProc == pProc)
+ {
+ // skip the master processor
+ continue;
+ }
+
+ // start with empty slave hashes each time through the loop
+ memset(l_slaveHashPri,0,SHA512_DIGEST_LENGTH);
+ memset(l_slaveHashBac,0,SHA512_DIGEST_LENGTH);
+
+ // read the CBS control register of the current processor
+ err = SECUREBOOT::getProcCbsControlRegister(l_procCbs, pProc);
+ if (err)
+ {
+ auto plid = err->plid();
+ ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
+
+ /*@
+ * @errortype
+ * @reasoncode ISTEP::RC_SLAVE_PROC_CBS_CONTROL_READ_FAIL
+ * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
+ * @userdata1 Slave Processor Target
+ * @devdesc Unable to read the slave processor CBS control
+ * register
+ *
+ * @custdesc Platform security problem detected
+ */
+ handleProcessorSecurityError(pProc,
+ ISTEP::RC_SLAVE_PROC_CBS_CONTROL_READ_FAIL,
+ l_hashes,
+ plid,
+ true); // deconfigure proc and move on
+ continue;
+ }
+
+ // read the primary sbe HW keys' hash for the current processor
+ err = SBE::getHwKeyHashFromSbeImage(
+ pProc,
+ EEPROM::SBE_PRIMARY,
+ l_slaveHashPri);
+ if (err)
+ {
+ auto plid = err->plid();
+ ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
+
+ /*@
+ * @errortype
+ * @reasoncode ISTEP::RC_SLAVE_PROC_PRIMARY_HASH_READ_FAIL
+ * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
+ * @userdata1 Slave Processor Target
+ * @devdesc Unable to read the slave processor primary
+ * hash from the SBE
+ * @custdesc Platform security problem detected
+ */
+ handleProcessorSecurityError(pProc,
+ ISTEP::RC_SLAVE_PROC_PRIMARY_HASH_READ_FAIL,
+ l_hashes,
+ plid,
+ true); // deconfigure proc and move on
+ continue;
+ }
+
+ // read the backup sbe HW keys' hash for the current processor
+ err = SBE::getHwKeyHashFromSbeImage(
+ pProc,
+ EEPROM::SBE_BACKUP,
+ l_slaveHashBac);
+ if (err)
+ {
+ auto plid = err->plid();
+ ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
+
+ /*@
+ * @errortype
+ * @reasoncode ISTEP::RC_SLAVE_PROC_BACKUP_HASH_READ_FAIL
+ * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
+ * @userdata1 Slave Processor Target
+ * @devdesc Unable to read the slave processor backup
+ * hash from the SBE
+ * @custdesc Platform security problem detected
+ */
+ handleProcessorSecurityError(pProc,
+ ISTEP::RC_SLAVE_PROC_BACKUP_HASH_READ_FAIL,
+ l_hashes,
+ plid,
+ true); // deconfigure proc and move on
+
+ continue;
+ }
+
+ // If the current processor has a key or SAB mismatch
+ // then throw a terminate error. For SMD mismatch we throw
+ // an informational error
+ Mismatches l_mismatches = {0};
+
+ // SAB bit mismatch
+ l_mismatches.sabmis =
+ (SECUREBOOT::ProcCbsControl::SabBit & l_mainCbs) !=
+ (SECUREBOOT::ProcCbsControl::SabBit & l_procCbs);
+
+ // Jumper state mismatch
+ l_mismatches.smdmis =
+ (SECUREBOOT::ProcCbsControl::JumperStateBit & l_mainCbs) !=
+ (SECUREBOOT::ProcCbsControl::JumperStateBit & l_procCbs);
+
+ // primary sbe hash mismatch
+ l_mismatches.primis = memcmp(l_slaveHashPri,
+ l_masterHash,
+ SHA512_DIGEST_LENGTH) != 0;
+
+ // backup sbe hash mismatch
+ l_mismatches.bacmis = memcmp(l_slaveHashBac,
+ l_masterHash,
+ SHA512_DIGEST_LENGTH) != 0;
+
+ // only provide the relevant hashes for error handling cases
+ if(l_mismatches.primis || l_mismatches.bacmis)
+ {
+ l_hashes.push_back(l_master);
+ }
+ if(l_mismatches.primis)
+ {
+ l_hashes.push_back(l_slave);
+ }
+ if(l_mismatches.bacmis)
+ {
+ l_hashes.push_back(l_slaveb);
+ }
+
+ // if there was any mismatch
+ if (l_mismatches.val)
+ {
+ auto l_continue = true;
+ // do not continue booting if there is a SAB mismatch under any
+ // circumstance
+ if (l_mismatches.sabmis)
+ {
+ l_continue = false;
+ }
+ // In secure mode, do not continue booting when SBE HW keys' hashes
+ // are mismatched
+ if ((l_mismatches.primis || l_mismatches.bacmis)
+ && SECUREBOOT::enabled())
+ {
+ l_continue = false;
+ }
+
+ /*@
+ * @errortype
+ * @reasoncode ISTEP::RC_PROC_SECURITY_STATE_MISMATCH
+ * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
+ * @userdata1 Processor Target
+ * @userdata2[60:60] SAB bit mismatch
+ * @userdata2[61:61] Jumper (SMD) bit mismatch
+ * @userdata2[62:62] Primary SBE hash mismatch
+ * @userdata2[63:63] Backup SBE hash mismatch
+ * @devdesc Mismatch processor state was detected for this
+ * processor, so we cannot guarrantee platform
+ * security for the system
+ * @custdesc Platform security problem detected
+ */
+ handleProcessorSecurityError(pProc,
+ ISTEP::RC_PROC_SECURITY_STATE_MISMATCH,
+ l_hashes,
+ 0,
+ l_continue,
+ l_mismatches);
+
+ // In non-secure mode, look for other inconsistencies and log the
+ // issues
+ if (l_continue)
+ {
+ continue;
+ }
+ // In secure mode, stop checking for proc security state mismatches
+ // as soon as a mismatch has been found
+ break;
+ }
+
+ }
+
+ } while(0);
+
+ #endif // CONFIG_SECUREBOOT
+
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ EXIT_MRK"validateSecuritySettings");
+}
+
+
//*****************************************************************************
// call_host_set_voltages()
//*****************************************************************************
@@ -58,6 +790,8 @@ void* call_host_set_voltages(void *io_pArgs)
TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
"call_host_set_voltages enter");
+ validateSecuritySettings();
+
errlHndl_t l_err = NULL;
TargetHandleList l_procList;
IStepError l_stepError;
diff --git a/src/usr/isteps/istep10/call_host_update_redundant_tpm.C b/src/usr/isteps/istep10/call_host_update_redundant_tpm.C
index d91e723f8..af6030891 100644
--- a/src/usr/isteps/istep10/call_host_update_redundant_tpm.C
+++ b/src/usr/isteps/istep10/call_host_update_redundant_tpm.C
@@ -37,704 +37,16 @@
#include <config.h>
#include <util/align.H>
#include <util/algorithm.H>
-
-// Fapi Support
-#include <fapi2.H>
-#include <target_types.H>
-#include <plat_hwp_invoker.H>
-#include <attributeenums.H>
#include <istepHelperFuncs.H>
-// HWP
-#include <p9_update_security_ctrl.H>
-
-// secure boot
-#include <secureboot/service.H>
-#include <secureboot/settings.H>
-#include <i2c/eepromif.H>
-#include <sbe/sbeif.H>
-#include "../../secureboot/common/errlud_secure.H"
-#include <sbe/sbe_update.H>
-
namespace ISTEP_10
{
-#ifdef CONFIG_SECUREBOOT
-/**
- * @brief This structure associates SBE HW keys' hashes with names and SBE sides
- */
-struct HashNode
-{
- uint8_t* hash; /** SBE HW keys' hash for the named side */
- const char* name; /** Name of the side: either primary or backup */
- uint8_t side; /** A uint8_t value of 0 for primary or 1 for backup */
- HashNode(uint8_t* i_hash,
- const char* i_name,
- uint8_t i_side) : hash(i_hash), name(i_name), side(i_side)
- {
- }
-};
-
-/**
- * @brief This union simplifies bitwise operations for tracking the four
- * conditions of mismatch when matching security settings of a slave processor
- * with that of the master processor.
- */
-union Mismatches
-{
- uint8_t val;
- struct {
- uint8_t reserved : 4; /** unused */
- uint8_t sabmis : 1; /** Value of 1 indicates the SAB bit didn't match,
- * 0 otherwise.
- */
- uint8_t smdmis : 1; /** Value of 1 indicates the SMD bit did not match,
- * 0 otherwise.
- */
- uint8_t primis : 1; /** Value of 1 indicates the primary SBE HW key's
- * did not match, 0 otherwise.
- */
- uint8_t bacmis : 1; /** Value of 1 indicates the backup SBE HW key's
- * did not match, 0 otherwise.
- */
- };
-};
-
-/** @brief Handle a processor security error.
- * @par Detailed Description:
- * Puts all the error handling for mismatched processor security
- * settings in one place in order to minimize code footprint. This
- * highly-specialized function is not intended for public consumption.
- * @param[in] i_pProc The target processor whose secure processor settings are
- * exhibiting a problem. Must not be null.
- * @param[in] i_rc The reason code of the error to be handled.
- * @param[in] i_hashes A vector containing hash/string/side triples, where
- * the string indicates the name of the hash, and the side refers to the
- * SBE side that the hash was taken from.
- * @param[in] i_plid If non zero this plid from a previous error will be linked
- * To the error created by this function, ignored otherwise.
- * @param[in] i_continue A boolean indicating whether hostboot should continue
- * booting (and deconfigure the processor) or stop the IPL.
- * @param[in] i_mismatches A bitstring of mismatch bits of type Mismatches
- * corresponding to a mismatch of the SAB or SMD register or primary or
- * secondary SBE HW Keys' Hash between the supplied target and the master
- * processor. Optional parameter is for the RC_PROC_SECURITY_STATE_MISMATCH
- * case only and must be left as default (value of 0) for all other cases.
- */
-void handleProcessorSecurityError(TARGETING::Target* i_pProc,
- ISTEP::istepReasonCode i_rc,
- const std::vector<HashNode>& i_hashes,
- uint16_t i_plid,
- bool i_continue,
- Mismatches i_mismatches={0})
-{
- using namespace ISTEP;
-
- // stop the caller from passing a null target
- assert(i_pProc != nullptr, "Bug! Target pointer must not be null");
-
- // make sure that caller is using the Mismatches parameter at the right time
- assert( (i_rc!=RC_PROC_SECURITY_STATE_MISMATCH && !i_mismatches.val) ||
- (i_rc==RC_PROC_SECURITY_STATE_MISMATCH && i_mismatches.val),
- "Mismatches parameter is for RC_PROC_SECURITY_STATE_MISMATCH only");
-
- ERRORLOG::errlSeverity_t l_severity = ERRORLOG::ERRL_SEV_UNRECOVERABLE;
-
- if (i_rc==RC_MASTER_PROC_SBE_KEYS_HASH_MISMATCH ||
- i_rc==RC_PROC_SECURITY_STATE_MISMATCH)
- {
- if (i_rc==RC_PROC_SECURITY_STATE_MISMATCH)
- {
- TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
- ERR_MRK"call_host_update_redundant_tpm - handleProcessorSecurityError processor state does match master for processor tgt=0x%X",
- TARGETING::get_huid(i_pProc));
-
- TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
- "SMD is a %smatch", i_mismatches.smdmis? "mis": "");
- TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
- "SAB is a %smatch", i_mismatches.sabmis? "mis": "");
- TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
- "Primary SBE hash is a %smatch",
- i_mismatches.primis? "mis": "");
- TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
- "Backup SBE hash is a %smatch",
- i_mismatches.bacmis? "mis": "");
- }
- else // master proc sbe keys' hash mismatch
- {
- TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
- ERR_MRK"call_host_update_redundant_tpm - handleProcessorSecurityError: Master processor sbe keys' hash doesn't match master backup sbe key's hash");
- }
-
- // Log as informational if secure boot is disabled
- if (!SECUREBOOT::enabled())
- {
- l_severity = ERRORLOG::ERRL_SEV_INFORMATIONAL;
- }
- }
- else
- {
- TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
- "call_host_update_redundant_tpm - handleProcessorSecurityError: Istep error occurred, reason code 0x%X"
- ,i_rc);
- TRACDCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
- ERR_MRK"call_host_update_redundant_tpm - handleProcessorSecurityError: %s fail",
- i_rc==RC_MASTER_PROC_PRIMARY_HASH_READ_FAIL?"Master primary hash read":
- i_rc==RC_MASTER_PROC_BACKUP_HASH_READ_FAIL?"Master backup hash read":
- i_rc==RC_MASTER_PROC_CBS_CONTROL_READ_FAIL?"Master CBS control read":
- i_rc==RC_SLAVE_PROC_PRIMARY_HASH_READ_FAIL?"Slave primary hash read":
- i_rc==RC_SLAVE_PROC_BACKUP_HASH_READ_FAIL?"Slave backup hash read":
- i_rc==RC_SLAVE_PROC_CBS_CONTROL_READ_FAIL?"Slave CBS control read":
- "unknown");
- }
-
- auto err = new ERRORLOG::ErrlEntry(l_severity,
- ISTEP::MOD_UPDATE_REDUNDANT_TPM,
- i_rc,
- TARGETING::get_huid(i_pProc),
- TO_UINT64(i_mismatches.val),
- true);
-
- // if a plid was given, link it to the new error.
- if (i_plid)
- {
- err->plid(i_plid);
- }
-
- err->collectTrace(ISTEP_COMP_NAME);
-
- ERRORLOG::ErrlUserDetailsTarget(i_pProc).addToLog(err);
-
- // Add Security related user details
- SECUREBOOT::addSecureUserDetailsToErrolog(err);
-
- // add hashes to log and traces
- for(auto& hsh : i_hashes)
- {
- TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace, ERR_MRK"call_host_update_redundant_tpm - handleProcessorSecurityError - %s hash: ", hsh.name);
- TRACFBIN(ISTEPS_TRACE::g_trac_isteps_trace,
- "Data = ",
- reinterpret_cast<void*>(hsh.hash),
- SHA512_DIGEST_LENGTH);
- SECUREBOOT::UdTargetHwKeyHash(
- i_pProc,
- hsh.side,
- hsh.hash).addToLog(err);
- }
-
- if (i_continue)
- {
- err->addHwCallout(i_pProc,
- HWAS::SRCI_PRIORITY_LOW,
- i_mismatches.val && // for any mismatch
- !RC_MASTER_PROC_SBE_KEYS_HASH_MISMATCH?
- HWAS::NO_DECONFIG: // don't deconfig the processor
- HWAS::DELAYED_DECONFIG,
- HWAS::GARD_NULL);
- }
-
- // save off reason code before committing
- auto l_reason = err->reasonCode();
-
- ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
-
- if (!i_continue)
- {
- TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
- "Terminating because future security cannot be guaranteed.");
- INITSERVICE::doShutdown(l_reason);
- }
-}
-#endif
-
void* call_host_update_redundant_tpm (void *io_pArgs)
{
TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
ENTER_MRK"call_host_update_redundant_tpm");
- errlHndl_t err = nullptr;
-
- // Before update procedure, trace security settings
- err = SECUREBOOT::traceSecuritySettings();
- if (err)
- {
- TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace,
- "call_host_update_redundant_tpm: Error back from "
- "SECUREBOOT::traceSecuritySettings: rc=0x%X, plid=0x%X",
- ERRL_GETRC_SAFE(err), ERRL_GETPLID_SAFE(err));
-
- // Commit log, but continue
- ERRORLOG::errlCommit( err, SECURE_COMP_ID );
- }
-
- // Start of update procedure
- #ifdef CONFIG_SECUREBOOT
-
- bool l_force = false;
-
- TARGETING::TargetHandleList l_procList;
- getAllChips(l_procList,TARGETING::TYPE_PROC,true);
-
- // call p9_update_security_ctrl.C HWP
- do {
-
- if (!SECUREBOOT::enabled() && !l_force)
- {
- break;
- }
-
- TARGETING::TargetHandleList l_tpmList;
- getAllChips(l_tpmList,TARGETING::TYPE_TPM,false);
-
- // loop through the processors
- auto pProcItr = l_procList.begin();
- while (pProcItr != l_procList.end())
- {
- bool l_notInMrw = true;
- TARGETING::Target* l_tpm = nullptr;
-
- // check if processor has a TPM according to the mrw
-
- // for each TPM in the list compare i2c master path with
- // the path of the current processor
- for (auto itpm : l_tpmList)
- {
- auto l_physPath = (*pProcItr)->getAttr<TARGETING::ATTR_PHYS_PATH>();
-
- auto l_tpmInfo = itpm->getAttr<TARGETING::ATTR_TPM_INFO>();
-
- if (l_tpmInfo.i2cMasterPath == l_physPath)
- {
- l_notInMrw = false;
- l_tpm = itpm;
- break;
- }
- }
-
- if (l_notInMrw)
- {
- uint8_t l_protectTpm = 1;
- (*pProcItr)->setAttr<
- TARGETING::ATTR_SECUREBOOT_PROTECT_DECONFIGURED_TPM
- >(l_protectTpm);
- }
-
- const fapi2::Target<fapi2::TARGET_TYPE_PROC_CHIP> l_fapiTarg(*pProcItr);
-
- FAPI_INVOKE_HWP(err, p9_update_security_ctrl, l_fapiTarg);
-
- if (err)
- {
- TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
- ERR_MRK"call_host_update_redundant_tpm - "
- "p9_update_security_ctrl failed for processor tgt=0x%X, "
- "TPM tgt=0x%X. Deconfiguring processor because future "
- "security cannot be guaranteed.",
- TARGETING::get_huid(*pProcItr),
- TARGETING::get_huid(l_tpm));
-
- // save the plid from the error before commiting
- auto plid = err->plid();
-
- ERRORLOG::ErrlUserDetailsTarget(*pProcItr).addToLog(err);
-
- // commit this error log first before creating the new one
- ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
-
- /*@
- * @errortype
- * @reasoncode ISTEP::RC_UPDATE_SECURITY_CTRL_HWP_FAIL
- * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
- * @severity ERRL_SEV_UNRECOVERABLE
- * @userdata1 Processor Target
- * @userdata2 TPM Target
- * @devdesc Failed to set SEEPROM lock and/or TPM deconfig
- * protection for this processor, so we cannot
- * guarrantee platform secuirty for this processor
- * @custdesc Platform security problem detected
- */
- err = new ERRORLOG::ErrlEntry(ERRORLOG::ERRL_SEV_UNRECOVERABLE,
- ISTEP::MOD_UPDATE_REDUNDANT_TPM,
- ISTEP::RC_UPDATE_SECURITY_CTRL_HWP_FAIL,
- TARGETING::get_huid(*pProcItr),
- TARGETING::get_huid(l_tpm),
- true);
-
- err->addHwCallout(*pProcItr,
- HWAS::SRCI_PRIORITY_LOW,
- HWAS::DELAYED_DECONFIG,
- HWAS::GARD_NULL);
-
- err->collectTrace(ISTEP_COMP_NAME);
-
- // pass on the plid from the previous error log to the new one
- err->plid(plid);
-
- ERRORLOG::ErrlUserDetailsTarget(*pProcItr).addToLog(err);
-
- ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
-
- // remove the deconfigured processor from the list so that we can
- // reuse this list later to enforce processor security state below
- pProcItr = l_procList.erase(pProcItr);
-
- // we don't break here. we need to continue on to the next
- // processor and run the HWP on that one
- }
- else
- {
- TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
- "p9_update_security_ctrl successful for proc: 0x%X tpm: 0x%X",
- TARGETING::get_huid(*pProcItr),
- TARGETING::get_huid(l_tpm));
- // only move on to the next processor if we didn't erase the
- // current one, since erasing the current one automatically gives us
- // the next one
- ++pProcItr;
- }
- }
-
- } while(0);
- // end of p9_update_security_ctrl procedure
-
- // Enforce Synchronized Proc Security State
- do {
-
- uint64_t l_mainCbs = 0;
-
- // a list of hashes we will be using to match primary to backups and
- // masters to slaves
- std::vector<HashNode> l_hashes;
-
- // master processor primary hash
- SHA512_t l_masterHash = {0};
-
- // master processor backup hash
- SHA512_t l_backupHash = {0};
-
- // slave processor primary hash (reset each time through the loop)
- SHA512_t l_slaveHashPri = {0};
-
- // slave processor backup hash (reset each time through the loop)
- SHA512_t l_slaveHashBac = {0};
-
- // nodes for the hashes vector only to be added to vector as needed
- auto l_master = HashNode(l_masterHash, "master primary", SBE::SBE_SEEPROM0);
- auto l_backup = HashNode(l_backupHash, "master backup", SBE::SBE_SEEPROM1);
- auto l_slave = HashNode(l_slaveHashPri, "slave primary", SBE::SBE_SEEPROM0);
- auto l_slaveb = HashNode(l_slaveHashBac, "slave backup", SBE::SBE_SEEPROM1);
- // obtain the master processor target
- TARGETING::Target* mProc = nullptr;
- err = TARGETING::targetService().queryMasterProcChipTargetHandle(mProc);
- if (err)
- {
- // if this happens we are in big trouble
- auto rc = err->reasonCode();
- ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
- TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
- "Terminating because future security cannot be guaranteed.");
- INITSERVICE::doShutdown(rc);
- break;
- }
-
- // read the CBS control register of the main processor
- // (has SAB/SMD bits)
- err = SECUREBOOT::getProcCbsControlRegister(l_mainCbs, mProc);
- if (err)
- {
- auto plid = err->plid();
- ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
-
- /*@
- * @errortype
- * @reasoncode ISTEP::RC_MASTER_PROC_CBS_CONTROL_READ_FAIL
- * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
- * @userdata1 Master Processor Target
- * @devdesc Unable to read the master processor CBS control
- * register
- * @custdesc Platform security problem detected
- */
- handleProcessorSecurityError(mProc,
- ISTEP::RC_MASTER_PROC_CBS_CONTROL_READ_FAIL,
- l_hashes,
- plid,
- false); // stop IPL and deconfig processor
- break;
- }
-
- // read the primary sbe HW keys' hash for the master processor
- err = SBE::getHwKeyHashFromSbeImage(
- mProc,
- EEPROM::SBE_PRIMARY,
- l_masterHash);
- if (err)
- {
- auto plid = err->plid();
- ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
-
- /*@
- * @errortype
- * @reasoncode ISTEP::RC_MASTER_PROC_PRIMARY_HASH_READ_FAIL
- * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
- * @userdata1 Master Processor Target
- * @devdesc Unable to read the master processor primary hash
- * from the SBE
- * @custdesc Platform security problem detected
- */
- handleProcessorSecurityError(mProc,
- ISTEP::RC_MASTER_PROC_PRIMARY_HASH_READ_FAIL,
- l_hashes,
- plid,
- false); // stop IPL and deconfig processor
- }
-
- // read the backup sbe HW keys' hash for the master processor
- err = SBE::getHwKeyHashFromSbeImage(
- mProc,
- EEPROM::SBE_BACKUP,
- l_backupHash);
- if (err)
- {
- auto plid = err->plid();
- ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
-
- /*@
- * @errortype
- * @reasoncode ISTEP::RC_MASTER_PROC_BACKUP_HASH_READ_FAIL
- * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
- * @userdata1 Processor Target
- * @devdesc Unable to read the master processor backup hash
- * from the SBE
- * @custdesc Platform security problem detected
- */
- handleProcessorSecurityError(mProc,
- ISTEP::RC_MASTER_PROC_BACKUP_HASH_READ_FAIL,
- l_hashes,
- plid,
- false); // stop IPL and deconfig processor
- break;
- }
-
- // make sure the master processor primary and backup SBE HW keys' hashes
- // match each other
- if (memcmp(l_masterHash,l_backupHash, SHA512_DIGEST_LENGTH)!=0)
- {
- // add only the hashes relevant to the error to hashes vector
- l_hashes.push_back(l_master);
- l_hashes.push_back(l_backup);
-
- bool l_continue = !SECUREBOOT::enabled();
- /*@
- * @errortype
- * @reasoncode ISTEP::RC_MASTER_PROC_SBE_KEYS_HASH_MISMATCH
- * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
- * @severity ERRL_SEV_UNRECOVERABLE
- * @userdata1 Master Processor Target
- * @devdesc The primary SBE HW Keys' hash does not match the
- * the backup SBE HW Keys' hash, so we cannot
- * guarrantee platform security for the system
- * @custdesc Platform security problem detected
- */
- handleProcessorSecurityError(mProc,
- ISTEP::RC_MASTER_PROC_SBE_KEYS_HASH_MISMATCH,
- l_hashes,
- 0,
- l_continue); // stop IPL if secureboot enabled
-
- break;
- }
- TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
- "Master Primary SBE HW keys' hash successfully matches backup.");
-
- for(auto pProc : l_procList)
- {
- uint64_t l_procCbs = 0;
-
- if (mProc == pProc)
- {
- // skip the master processor
- continue;
- }
-
- // start with empty slave hashes each time through the loop
- memset(l_slaveHashPri,0,SHA512_DIGEST_LENGTH);
- memset(l_slaveHashBac,0,SHA512_DIGEST_LENGTH);
-
- // read the CBS control register of the current processor
- err = SECUREBOOT::getProcCbsControlRegister(l_procCbs, pProc);
- if (err)
- {
- auto plid = err->plid();
- ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
-
- /*@
- * @errortype
- * @reasoncode ISTEP::RC_SLAVE_PROC_CBS_CONTROL_READ_FAIL
- * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
- * @userdata1 Slave Processor Target
- * @devdesc Unable to read the slave processor CBS control
- * register
- *
- * @custdesc Platform security problem detected
- */
- handleProcessorSecurityError(pProc,
- ISTEP::RC_SLAVE_PROC_CBS_CONTROL_READ_FAIL,
- l_hashes,
- plid,
- true); // deconfigure proc and move on
- continue;
- }
-
- // read the primary sbe HW keys' hash for the current processor
- err = SBE::getHwKeyHashFromSbeImage(
- pProc,
- EEPROM::SBE_PRIMARY,
- l_slaveHashPri);
- if (err)
- {
- auto plid = err->plid();
- ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
-
- /*@
- * @errortype
- * @reasoncode ISTEP::RC_SLAVE_PROC_PRIMARY_HASH_READ_FAIL
- * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
- * @userdata1 Slave Processor Target
- * @devdesc Unable to read the slave processor primary
- * hash from the SBE
- * @custdesc Platform security problem detected
- */
- handleProcessorSecurityError(pProc,
- ISTEP::RC_SLAVE_PROC_PRIMARY_HASH_READ_FAIL,
- l_hashes,
- plid,
- true); // deconfigure proc and move on
- continue;
- }
-
- // read the backup sbe HW keys' hash for the current processor
- err = SBE::getHwKeyHashFromSbeImage(
- pProc,
- EEPROM::SBE_BACKUP,
- l_slaveHashBac);
- if (err)
- {
- auto plid = err->plid();
- ERRORLOG::errlCommit(err, ISTEP_COMP_ID);
-
- /*@
- * @errortype
- * @reasoncode ISTEP::RC_SLAVE_PROC_BACKUP_HASH_READ_FAIL
- * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
- * @userdata1 Slave Processor Target
- * @devdesc Unable to read the slave processor backup
- * hash from the SBE
- * @custdesc Platform security problem detected
- */
- handleProcessorSecurityError(pProc,
- ISTEP::RC_SLAVE_PROC_BACKUP_HASH_READ_FAIL,
- l_hashes,
- plid,
- true); // deconfigure proc and move on
-
- continue;
- }
-
- // If the current processor has a key or SAB mismatch
- // then throw a terminate error. For SMD mismatch we throw
- // an informational error
- Mismatches l_mismatches = {0};
-
- // SAB bit mismatch
- l_mismatches.sabmis =
- (SECUREBOOT::ProcCbsControl::SabBit & l_mainCbs) !=
- (SECUREBOOT::ProcCbsControl::SabBit & l_procCbs);
-
- // Jumper state mismatch
- l_mismatches.smdmis =
- (SECUREBOOT::ProcCbsControl::JumperStateBit & l_mainCbs) !=
- (SECUREBOOT::ProcCbsControl::JumperStateBit & l_procCbs);
-
- // primary sbe hash mismatch
- l_mismatches.primis = memcmp(l_slaveHashPri,
- l_masterHash,
- SHA512_DIGEST_LENGTH) != 0;
-
- // backup sbe hash mismatch
- l_mismatches.bacmis = memcmp(l_slaveHashBac,
- l_masterHash,
- SHA512_DIGEST_LENGTH) != 0;
-
- // only provide the relevant hashes for error handling cases
- if(l_mismatches.primis || l_mismatches.bacmis)
- {
- l_hashes.push_back(l_master);
- }
- if(l_mismatches.primis)
- {
- l_hashes.push_back(l_slave);
- }
- if(l_mismatches.bacmis)
- {
- l_hashes.push_back(l_slaveb);
- }
-
- // if there was any mismatch
- if (l_mismatches.val)
- {
- auto l_continue = true;
- // do not continue booting if there is a SAB mismatch under any
- // circumstance
- if (l_mismatches.sabmis)
- {
- l_continue = false;
- }
- // In secure mode, do not continue booting when SBE HW keys' hashes
- // are mismatched
- if ((l_mismatches.primis || l_mismatches.bacmis)
- && SECUREBOOT::enabled())
- {
- l_continue = false;
- }
-
- /*@
- * @errortype
- * @reasoncode ISTEP::RC_PROC_SECURITY_STATE_MISMATCH
- * @moduleid ISTEP::MOD_UPDATE_REDUNDANT_TPM
- * @userdata1 Processor Target
- * @userdata2[60:60] SAB bit mismatch
- * @userdata2[61:61] Jumper (SMD) bit mismatch
- * @userdata2[62:62] Primary SBE hash mismatch
- * @userdata2[63:63] Backup SBE hash mismatch
- * @devdesc Mismatch processor state was detected for this
- * processor, so we cannot guarrantee platform
- * security for the system
- * @custdesc Platform security problem detected
- */
- handleProcessorSecurityError(pProc,
- ISTEP::RC_PROC_SECURITY_STATE_MISMATCH,
- l_hashes,
- 0,
- l_continue,
- l_mismatches);
-
- // In non-secure mode, look for other inconsistencies and log the
- // issues
- if (l_continue)
- {
- continue;
- }
- // In secure mode, stop checking for proc security state mismatches
- // as soon as a mismatch has been found
- break;
- }
-
- }
-
- } while(0);
-
- #endif // CONFIG_SECUREBOOT
-
TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
EXIT_MRK"call_host_update_redundant_tpm");
OpenPOWER on IntegriCloud