authorNick Bofferding <bofferdn@us.ibm.com>2018-03-15 21:47:37 -0500
committerDaniel M. Crowell <dcrowell@us.ibm.com>2018-05-07 16:23:23 -0400
commitb783b0264c7f8c975f2a84218ba79a3ce3b458b1 (patch)
tree324971bd66937cf02050adade647137cb370602b
parentad4b745046741aba48b11a92dde21e396f517f60 (diff)
Secure Boot: Secure Centaurs in istep 14.5
If secureboot is enabled, call HWP in istep 14.5 to secure the Centaurs. The HWP will set protection bits in the Centaur that cannot be reversed without a full re-init of the chip. Change-Id: I8f72a11b3b79df4bd9dbd6869f525d8271d36887 RTC: 187288 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/55951 Reviewed-by: ILYA SMIRNOV <ismirno@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
-rw-r--r--src/usr/isteps/istep14/call_proc_setup_bars.C65
-rw-r--r--src/usr/isteps/istep14/makefile1
2 files changed, 65 insertions, 1 deletions
diff --git a/src/usr/isteps/istep14/call_proc_setup_bars.C b/src/usr/isteps/istep14/call_proc_setup_bars.C
index 7b6843346..e42ba9a07 100644
--- a/src/usr/isteps/istep14/call_proc_setup_bars.C
+++ b/src/usr/isteps/istep14/call_proc_setup_bars.C
@@ -27,6 +27,7 @@
#include <initservice/isteps_trace.H>
#include <errl/errlmanager.H>
#include <errl/errludtarget.H>
+#include <secureboot/service.H>
// targeting support
#include <targeting/common/commontargeting.H>
@@ -36,6 +37,7 @@
#include <p9_setup_bars.H>
#include <p9_mss_setup_bars.H>
+#include <p9c_mss_secure_boot.H>
// TODO: RTC 184860 Remove MCS acker workaround
#include <initservice/initserviceif.H>
@@ -100,7 +102,7 @@ void* call_proc_setup_bars (void *io_pArgs)
// *******************************
- // Get all Centaur targets
+ // Get all processor targets
TARGETING::TargetHandleList l_cpuTargetList;
getAllChips(l_cpuTargetList, TARGETING::TYPE_PROC );
@@ -186,6 +188,67 @@ void* call_proc_setup_bars (void *io_pArgs)
} // end if !l_errl
+ // Assuming no errors, secure any Centaurs
+ if ( l_stepError.isNull() )
+ {
+ bool secureCentaurs = false;
+
+ if(SECUREBOOT::enabled())
+ {
+ secureCentaurs = true;
+ }
+
+ // Any feature that would add [force disable|force enable|no force]
+ // behavior would naturally go here
+
+ if(secureCentaurs)
+ {
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ "call_proc_setup_bars: Securing node's functional Centaurs");
+
+ TARGETING::TargetHandleList functionalCentaurs;
+ getAllChips(functionalCentaurs, TARGETING::TYPE_MEMBUF);
+ for (const auto & pCentaur: functionalCentaurs)
+ {
+ if( pCentaur->getAttr<TARGETING::ATTR_MODEL>()
+ != TARGETING::MODEL_CENTAUR)
+ {
+ continue;
+ }
+
+ const fapi2::Target<fapi2::TARGET_TYPE_MEMBUF_CHIP>
+ fapiCentaurTarget(pCentaur);
+
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ "call_proc_setup_bars: Invoking p9c_mss_secure_boot on "
+ "Centaur with HUID of 0x%08X",
+ TARGETING::get_huid(pCentaur));
+
+ FAPI_INVOKE_HWP(l_errl,
+ p9c_mss_secure_boot,
+ fapiCentaurTarget);
+ if (l_errl)
+ {
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ "ERROR : p9c_mss_secure_boot failure for "
+ "Centaur with HUID of 0x%08X",
+ TARGETING::get_huid(pCentaur));
+
+ ErrlUserDetailsTarget(pCentaur).addToLog(l_errl);
+ l_stepError.addErrorDetails(l_errl);
+ errlCommit(l_errl, HWPF_COMP_ID);
+ }
+ else
+ {
+ TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace,
+ "SUCCESS : p9c_mss_secure_boot succeeded for "
+ "Centaur with HUID of 0x%08X",
+ TARGETING::get_huid(pCentaur));
+ }
+ }
+ }
+ }
+
if ( l_errl )
{
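Review bot: The new securing block is guarded only by `l_stepError.isNull()`, yet it sits ahead of the trailing `if ( l_errl )` handler, which suggests `l_errl` can still hold an unprocessed error at this point. If it does, the `FAPI_INVOKE_HWP(l_errl, p9c_mss_secure_boot, ...)` call would presumably overwrite that handle, and a successful HWP would leave it null, so the earlier failure would never reach `l_stepError` and the istep could report success. Either tighten the guard to `if ( l_stepError.isNull() && !l_errl )` or move the block below the `if ( l_errl )` handling. It is also worth a comment stating that a non-null `l_stepError` here leaves the Centaurs unsecured and that the istep failure is relied on to stop the IPL. The body of call_proc_setup_bars starts and ends outside the hunk, so the state of `l_errl` on entry should be confirmed against the code above.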
diff --git a/src/usr/isteps/istep14/makefile b/src/usr/isteps/istep14/makefile
index ab9faff82..02dc3a39c 100644
--- a/src/usr/isteps/istep14/makefile
+++ b/src/usr/isteps/istep14/makefile
@@ -59,6 +59,7 @@ OBJS += call_host_mpipl_service.o
include ${ROOTPATH}/procedure.rules.mk
include ${PROCEDURE_PATH}/hwp/nest/p9_exit_cache_contained.mk
include ${PROCEDURE_PATH}/hwp/nest/p9_mss_setup_bars.mk
+include ${CEN_PROC_PATH}/hwp/memory/p9c_mss_secure_boot.mk
# TODO: RTC 159164: Multiple definition linker errors on HWPs that include the
# same *.o file in their *.mk files