diff options
| author | Nick Bofferding <bofferdn@us.ibm.com> | 2019-03-28 09:15:07 -0500 |
|---|---|---|
| committer | William G. Hoffa <wghoffa@us.ibm.com> | 2019-04-01 17:05:19 -0500 |
| commit | ca03643dd8935f9c839cf8dfd4971c519476f4a1 (patch) | |
| tree | 979a950125dbd7adc734b17979e3085a59f19e4d | |
| parent | de2312a44b13b46a9dded3e60aeca6a13f8662de (diff) | |
| download | talos-hostboot-ca03643dd8935f9c839cf8dfd4971c519476f4a1.tar.gz talos-hostboot-ca03643dd8935f9c839cf8dfd4971c519476f4a1.zip | |
Initialize backup TPM in MPIPL
Update the boot flow to call the istep to initialize the backup TPM during an
MPIPL and carry over the backup present/functional state as they were from
runtime, prior to the MPIPL.
Change-Id: Ic402e37cf2f465686770ff22d4f2296332b0f3f7
CQ: SW456951
Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/75163
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Ilya Smirnov <ismirno@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Matthew Raybuck <matthew.raybuck@ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
| -rw-r--r-- | src/include/usr/isteps/istep10list.H | 2 | ||||
| -rw-r--r-- | src/usr/secureboot/trusted/base/trustedboot_base.C | 18 | ||||
| -rw-r--r-- | src/usr/secureboot/trusted/trustedboot.C | 83 |
3 files changed, 54 insertions, 49 deletions
diff --git a/src/include/usr/isteps/istep10list.H b/src/include/usr/isteps/istep10list.H index 8bc6245c4..642fcd0ee 100644 --- a/src/include/usr/isteps/istep10list.H +++ b/src/include/usr/isteps/istep10list.H @@ -292,7 +292,7 @@ const TaskInfo g_istep10[] = { { ISTEPNAME(10,14,"host_update_redundant_tpm"), ISTEP_10::call_host_update_redundant_tpm, - { START_FN, EXT_IMAGE, NORMAL_IPL_OP, true } + { START_FN, EXT_IMAGE, NORMAL_IPL_OP | MPIPL_OP, true } }, }; diff --git a/src/usr/secureboot/trusted/base/trustedboot_base.C b/src/usr/secureboot/trusted/base/trustedboot_base.C index 9e78e08f5..7cb73b8bf 100644 --- a/src/usr/secureboot/trusted/base/trustedboot_base.C +++ b/src/usr/secureboot/trusted/base/trustedboot_base.C @@ -88,6 +88,24 @@ void getTPMs( TARGETING::TYPE_TPM, (i_filter == TPM_FILTER::ALL_IN_BLUEPRINT) ? false : true); + if(i_filter == TPM_FILTER::ALL_FUNCTIONAL) + { + // From functional TPMs, remove any TPMs that are not actually + // initialized. This prevents Hostboot from using the backup TPM + // in an MPIPL when it's considered "functional" but hasn't been + // initialized yet. + o_tpmList.erase( + std::remove_if( + o_tpmList.begin(), + o_tpmList.end(), + [](TARGETING::Target* i_pTpm) + { + return !i_pTpm->getAttr< + TARGETING::ATTR_HB_TPM_INIT_ATTEMPTED>(); + }), + o_tpmList.end()); + } + TRACUCOMP(g_trac_trustedboot,EXIT_MRK "getTPMs(): Found %d TPMs", o_tpmList.size()); } diff --git a/src/usr/secureboot/trusted/trustedboot.C b/src/usr/secureboot/trusted/trustedboot.C index 66c3a8664..6046a76df 100644 --- a/src/usr/secureboot/trusted/trustedboot.C +++ b/src/usr/secureboot/trusted/trustedboot.C @@ -406,39 +406,6 @@ void* host_update_master_tpm( void *io_pArgs ) "Backup TPM unavailable " "since it's not in the system blueprint."); } - else - { - auto l_backupHwasState = pBackupTpm->getAttr< - TARGETING::ATTR_HWAS_STATE>(); - TPMDD::tpm_info_t tpmInfo; - memset(&tpmInfo, 0, sizeof(tpmInfo)); - errlHndl_t tmpErr = TPMDD::tpmReadAttributes( - pBackupTpm, - tpmInfo, - TPM_LOCALITY_0); - if (nullptr != tmpErr || !tpmInfo.tpmEnabled || - (l_backupHwasState.functional && l_backupHwasState.present)) - // If the backup state is functional and present then we are - // in MPIPL scenario and we need to reset the states - { - TRACFCOMP( g_trac_trustedboot,INFO_MRK - "host_update_master_tpm() " - "Marking backup TPM unavailable until " - "powerbus is available."); - - l_backupHwasState.present = false; - l_backupHwasState.functional = false; - pBackupTpm->setAttr< - TARGETING::ATTR_HWAS_STATE>(l_backupHwasState); - - if (nullptr != tmpErr) - { - // Ignore attribute read failure - delete tmpErr; - tmpErr = nullptr; - } - } - } } while ( 0 ); @@ -1411,26 +1378,46 @@ void doInitBackupTpm() TARGETING::ATTR_HWAS_STATE>(); // Presence-detect the secondary TPM TARGETING::TargetHandleList l_targetList; - l_targetList.push_back(l_backupTpm); - l_errl = HWAS::platPresenceDetect(l_targetList); - if(l_errl) - { - errlCommit(l_errl, SECURE_COMP_ID); - break; - } - // The TPM target would have been deleted from the list if it's - // not present. - if(l_targetList.size()) + TARGETING::Target* pSysTarget = nullptr; + TARGETING::targetService().getTopLevelTarget(pSysTarget); + assert(pSysTarget, "doInitBackupTpm(): System target was nullptr"); + const auto mpipl = pSysTarget->getAttr< + TARGETING::ATTR_IS_MPIPL_HB>(); + if(mpipl) { - l_backupHwasState.present = true; - l_backupTpm->setAttr<TARGETING::ATTR_HWAS_STATE>(l_backupHwasState); + // If previously determined not to be available, nothing to do + if( (!l_backupHwasState.present) + || (!l_backupHwasState.functional) ) + { + break; + } } else { - l_backupHwasState.present = false; - l_backupTpm->setAttr<TARGETING::ATTR_HWAS_STATE>(l_backupHwasState); - break; + l_targetList.push_back(l_backupTpm); + l_errl = HWAS::platPresenceDetect(l_targetList); + if(l_errl) + { + errlCommit(l_errl, SECURE_COMP_ID); + break; + } + + // The TPM target would have been deleted from the list if it's + // not present. + if(l_targetList.size()) + { + l_backupHwasState.present = true; + l_backupTpm->setAttr<TARGETING::ATTR_HWAS_STATE>( + l_backupHwasState); + } + else + { + l_backupHwasState.present = false; + l_backupTpm->setAttr<TARGETING::ATTR_HWAS_STATE>( + l_backupHwasState); + break; + } } mutex_lock(l_backupTpm->getHbMutexAttr<TARGETING::ATTR_HB_TPM_MUTEX>()); |
