author | Nick Bofferding <bofferdn@us.ibm.com> | 2017-01-30 13:52:49 -0600 |
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-03-03 13:51:19 -0500 |
commit | a9eefaa1086c7a3cc51e374c52a7c04397968fd5 (patch) | |
tree | b0f15275d1fab88785d6efe8c47d3ad6ea3bc377 /src/include/usr/secureboot/service.H | |
parent | a0437b216feaa77f81cfa3738844a0b761a9e99d (diff) | |
Support DRTM RIT protection
- Added mailbox scratch register 7 definition
- Added DRTM functions
- Added set/clear security switch register functions
- Added additional security switch bit definitions
- Added secureboot extended library to host DRTM functions
- Inhibited TPM start command in DRTM flow
- Added new config options for DRTM and DRTM RIT protection
- Added new DRTM attribute to indicate if DRTM is active
- Added new DRTM attribute to hold DRTM payload address
- Added new DRTM attribute to initiate DRTM in lieu of loading payload
- Updated target service init to determine DRTM settings
- Updated host start payload step to initiate DRTM if conditions are met
- Updated host MPIPL service to verify DRTM payload and clean up DRTM HW state
- Updated host gard step to verify DRTM HW state
- Rerouted PCR extensions to PCR 17 in DRTM boot
- Use locality 2 for all PCR extensions in DRTM boot
- Inhibit extension logging (for now) in DRTM boot
- Only extend separator to PCR 17 in DRTM boot
Change-Id: Id52c36c3a64ca002571396d605caa308d9dc0199
RTC: 157140
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/35633
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Timothy R. Block <block@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/include/usr/secureboot/service.H')
-rw-r--r-- | src/include/usr/secureboot/service.H | 55 |
1 files changed, 41 insertions, 14 deletions
diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H
index afb3ed934..a328b7337 100644
--- a/src/include/usr/secureboot/service.H
+++ b/src/include/usr/secureboot/service.H
@@ -48,20 +48,6 @@ typedef uint8_t PAGE_TABLE_ENTRY_t[HASH_PAGE_TABLE_ENTRY_SIZE];
 namespace SECUREBOOT
 {
- // these constants represent the scom addresses and masks we need
- // to obtain secure boot settings from the system
- enum class ProcSecurity : uint64_t
- {
- SabBit = 0x8000000000000000ull,
- SwitchRegister = 0x00010005ull,
- };
-
- enum class ProcCbsControl : uint64_t
- {
- JumperStateBit = 0x0400000000000000ull,
- StatusRegister = 0x00050001ull,
- };
-
 /** @brief Perform initialization of Secureboot for the Base image.
 *
 * - Copy secure header from original location. 
@@ -107,6 +93,47 @@ namespace SECUREBOOT
 TARGETING::Target* i_targ =
 TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL);
+ /**
+ * @brief Clear specified bits in the processor security switch register
+ *
+ * @par Detailed Description:
+ * Clears the specified bits in the processor security switch register.
+ *
+ * @param[in] i_bits Vector of ProcSecurity (bit) enums
+ * @param[in] i_pTarget Processor target to write. Must be either
+ * the master processor target sentinel or valid processor target.
+ * Must not be NULL.
+ *
+ * @return errHndl_t Error log handle indicating success or failure
+ * @retval nullptr Cleared specified security switch register bits
+ * successfully
+ * @retval !nullptr Error log providing failure details
+ */
+ errlHndl_t clearSecuritySwitchBits(
+ const std::vector<SECUREBOOT::ProcSecurity>& i_bits,
+ TARGETING::Target* i_pTarget =
+ TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL);
+
+ /**
+ * @brief Set specified bits in the processor security switch register
+ *
+ * @par Detailed Description:
+ * Sets the specified bits in the processor security switch register.
+ *
+ * @param[in] i_bits Vector of ProcSecurity (bit) enums
+ * @param[in] i_pTarget Processor target to write. Must be either
+ * the master processor target sentinel or valid processor target.
+ * Must not be NULL.
+ *
+ * @return errHndl_t Error log handle indicating success or failure
+ * @retval nullptr Set specified security switch register bits
+ * successfully
+ * @retval !nullptr Error log providing failure details
+ */
+ errlHndl_t setSecuritySwitchBits(
+ const std::vector<SECUREBOOT::ProcSecurity>& i_bits,
+ TARGETING::Target* i_pTarget =
+ TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL);
 /** @brief Returns the state of the secure jumper as reported by the
 * given processor. |