authorNick Bofferding <bofferdn@us.ibm.com>2017-01-30 13:52:49 -0600
committerDaniel M. Crowell <dcrowell@us.ibm.com>2017-03-03 13:51:19 -0500
commita9eefaa1086c7a3cc51e374c52a7c04397968fd5 (patch)
treeb0f15275d1fab88785d6efe8c47d3ad6ea3bc377 /src/include/usr/secureboot/service.H
parenta0437b216feaa77f81cfa3738844a0b761a9e99d (diff)
Support DRTM RIT protection
- Added mailbox scratch register 7 definition - Added DRTM functions - Added set/clear security switch register functions - Added additional security switch bit definitions - Added secureboot extended library to host DRTM functions - Inhibited TPM start command in DRTM flow - Added new config options for DRTM and DRTM RIT protection - Added new DRTM attribute to indicate if DRTM is active - Added new DRTM attribute to hold DRTM payload address - Added new DRTM attribute to initiate DRTM in lieu of loading payload - Updated target service init to determine DRTM settings - Updated host start payload step to initiate DRTM if conditions are met - Updated host MPIPL service to verify DRTM payload and clean up DRTM HW state - Updated host gard step to verify DRTM HW state - Rerouted PCR extensions to PCR 17 in DRTM boot - Use locality 2 for all PCR extensions in DRTM boot - Inhibit extension logging (for now) in DRTM boot - Only extend separator to PCR 17 in DRTM boot Change-Id: Id52c36c3a64ca002571396d605caa308d9dc0199 RTC: 157140 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/35633 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Timothy R. Block <block@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/include/usr/secureboot/service.H')
-rw-r--r--src/include/usr/secureboot/service.H55
1 files changed, 41 insertions, 14 deletions
diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H
index afb3ed934..a328b7337 100644
--- a/src/include/usr/secureboot/service.H
+++ b/src/include/usr/secureboot/service.H
@@ -48,20 +48,6 @@ typedef uint8_t PAGE_TABLE_ENTRY_t[HASH_PAGE_TABLE_ENTRY_SIZE];
namespace SECUREBOOT
{
- // these constants represent the scom addresses and masks we need
- // to obtain secure boot settings from the system
- enum class ProcSecurity : uint64_t
- {
- SabBit = 0x8000000000000000ull,
- SwitchRegister = 0x00010005ull,
- };
-
- enum class ProcCbsControl : uint64_t
- {
- JumperStateBit = 0x0400000000000000ull,
- StatusRegister = 0x00050001ull,
- };
-
/** @brief Perform initialization of Secureboot for the Base image.
*
* - Copy secure header from original location.
@@ -107,6 +93,47 @@ namespace SECUREBOOT
TARGETING::Target* i_targ
= TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL);
+ /**
+ * @brief Clear specified bits in the processor security switch register
+ *
+ * @par Detailed Description:
+ * Clears the specified bits in the processor security switch register.
+ *
+ * @param[in] i_bits Vector of ProcSecurity (bit) enums
+ * @param[in] i_pTarget Processor target to write. Must be either
+ * the master processor target sentinel or valid processor target.
+ * Must not be NULL.
+ *
+ * @return errHndl_t Error log handle indicating success or failure
+ * @retval nullptr Cleared specified security switch register bits
+ * successfully
+ * @retval !nullptr Error log providing failure details
+ */
+ errlHndl_t clearSecuritySwitchBits(
+ const std::vector<SECUREBOOT::ProcSecurity>& i_bits,
+ TARGETING::Target* i_pTarget =
+ TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL);
+
+ /**
+ * @brief Set specified bits in the processor security switch register
+ *
+ * @par Detailed Description:
+ * Sets the specified bits in the processor security switch register.
+ *
+ * @param[in] i_bits Vector of ProcSecurity (bit) enums
+ * @param[in] i_pTarget Processor target to write. Must be either
+ * the master processor target sentinel or valid processor target.
+ * Must not be NULL.
+ *
+ * @return errHndl_t Error log handle indicating success or failure
+ * @retval nullptr Set specified security switch register bits
+ * successfully
+ * @retval !nullptr Error log providing failure details
+ */
+ errlHndl_t setSecuritySwitchBits(
+ const std::vector<SECUREBOOT::ProcSecurity>& i_bits,
+ TARGETING::Target* i_pTarget =
+ TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL);
/** @brief Returns the state of the secure jumper as reported by the
* given processor.
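Review bot: The `@return` tag in both new Doxygen blocks names the type `errHndl_t`, but the declarations of clearSecuritySwitchBits and setSecuritySwitchBits return `errlHndl_t`; change both tags to `@return errlHndl_t Error log handle indicating success or failure`. The `i_bits` contract is also thinner than the operation warrants: the ProcSecurity enum removed in the first hunk mixed a register address (`SwitchRegister`) with a bit mask (`SabBit`), and its relocated definition is not in this diff, so if it keeps that shape the comment should read `@param[in] i_bits Vector of ProcSecurity bit-mask enumerators; register-address enumerators are not valid here` and the implementation presumably rejects them, which the header should state. Because clearing bits in the security switch register weakens the secure boot configuration the register encodes, the clear variant's description should also name the only flow that is expected to call it, which from the commit description appears to be the DRTM hardware-state clean-up in the MPIPL path (verify against the implementation). The enclosing SECUREBOOT namespace opens and closes outside this hunk.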