Consume Secure Access Bit from SBE HB communication area

Disable verification in bootloader if SAB not set

Change-Id: If5f1adcbe0277f2a4223d8cea6a5e2048019871d
RTC: 167741
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/37214
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>

3 files changed, 23 insertions, 4 deletions

diff --git a/src/bootloader/bl_start.S b/src/bootloader/bl_start.S
index 4af665523..ba3eb8f90 100644
--- a/src/bootloader/bl_start.S
+++ b/src/bootloader/bl_start.S
@@ -30,6 +30,7 @@
 .set SBE_HB_PNORBOOTSIDE, sbe_hb_structures+5  ;// uint8_t
 .set SBE_HB_PNORSIZEMB,   sbe_hb_structures+6  ;// uint16_t
 .set SBE_HB_BLLOADSIZE,   sbe_hb_structures+8  ;// uint64_t
+.set SBE_HB_SECUREACCESSBIT, sbe_hb_structures+16  ;// uint8_t
 .set HBBL_BASE_ADDRESS,   base_load_address
 .set HBBL_END_ADDRESS,    end_load_address
 .set HBBL_system_reset,          0x100
@@ -224,8 +225,8 @@ _main:
 
     ;// Do dcbz from end of Bootloader load to end of HBB ECC working space
 _dcbz_after_bl:
-    lis r5, SBE_HB_BLLOADSIZE@h
-    ori r5, r5, SBE_HB_BLLOADSIZE@l
+    lis r5, SBE_HB_SECUREACCESSBIT@h
+    ori r5, r5, SBE_HB_SECUREACCESSBIT@l
     ld r5, 0(r5)       ;// get ending EA from SBE HB structure
     lis r6, 0
     addis r6, r6, 32   ;// 2M (32 * 0x10000)
diff --git a/src/bootloader/bootloader.C b/src/bootloader/bootloader.C
index 3091e018c..be2c2f748 100644
--- a/src/bootloader/bootloader.C
+++ b/src/bootloader/bootloader.C
@@ -45,6 +45,7 @@
 #include <securerom/ROM.H>
 #include <config.h>
 #include <secureboot/secure_reasoncodes.H>
+#include <p9_sbe_hb_structures.H>
 
 extern uint64_t kernel_other_thread_spinlock;
 extern PNOR::SectionData_t bootloader_hbbSection;
@@ -76,6 +77,16 @@ namespace Bootloader{
      */
     void setSecureData(const void * i_pHbbSrc)
     {
+        // Read SBE HB shared data.
+        const auto l_blConfigData = reinterpret_cast<BootloaderConfigData_t *>(
+                                                              SBE_HB_COMM_ADDR);
+        // Set secure Access Bit
+        // Ensure SBE to Bootloader structure has the SAB member
+        if (l_blConfigData->version >= SAB_ADDED)
+        {
+            g_blToHbData.secureAccessBit = l_blConfigData->secureAccessBit;
+        }
+
         // Find secure ROM addr
         // Get starting address of ROM size and code which is the next 8 byte
         // aligned address after the bootloader end.
@@ -105,7 +116,7 @@ namespace Bootloader{
             g_secureRomValid = true;
 
             g_blToHbData.eyeCatch = BLTOHB_EYECATCHER;
-            g_blToHbData.version = BLTOHB_INIT;
+            g_blToHbData.version = BLTOHB_SAB;
             g_blToHbData.branchtableOffset = l_pSecRomInfo->branchtableOffset;
             g_blToHbData.secureRom = l_pRomStart;
 
@@ -156,9 +167,14 @@ namespace Bootloader{
 
         uint64_t l_rc = 0;
 
+        // Check if Secure Access Bit is set
+        if (!g_blToHbData.secureAccessBit)
+        {
+            BOOTLOADER_TRACE(BTLDR_TRC_MAIN_VERIFY_SAB_UNSET);
+        }
         // # @TODO RTC:170136 terminate in this case
         // Ensure SecureRom is actually present
-        if ( !g_secureRomValid )
+        else if ( !g_secureRomValid )
         {
             BOOTLOADER_TRACE(BTLDR_TRC_MAIN_VERIFY_NO_EYECATCH);
         }
diff --git a/src/bootloader/makefile b/src/bootloader/makefile
index ee1688774..c90908a52 100644
--- a/src/bootloader/makefile
+++ b/src/bootloader/makefile
@@ -32,6 +32,8 @@ EXTRAINCDIR += ${ROOTPATH}/src/include/usr/lpc/
 
 COMMONFLAGS += -DBOOTLOADER
 
+EXTRAINCDIR += ${ROOTPATH}/src/import/chips/p9/procedures/hwp/nest/
+
 OBJS += bl_start.o
 OBJS += bootloader.o
 OBJS += bl_pnorAccess.o