Support DRTM RIT protection

- Added mailbox scratch register 7 definition - Added DRTM functions - Added set/clear security switch register functions - Added additional security switch bit definitions - Added secureboot extended library to host DRTM functions - Inhibited TPM start command in DRTM flow - Added new config options for DRTM and DRTM RIT protection - Added new DRTM attribute to indicate if DRTM is active - Added new DRTM attribute to hold DRTM payload address - Added new DRTM attribute to initiate DRTM in lieu of loading payload - Updated target service init to determine DRTM settings - Updated host start payload step to initiate DRTM if conditions are met - Updated host MPIPL service to verify DRTM payload and clean up DRTM HW state - Updated host gard step to verify DRTM HW state - Rerouted PCR extensions to PCR 17 in DRTM boot - Use locality 2 for all PCR extensions in DRTM boot - Inhibit extension logging (for now) in DRTM boot - Only extend seperator to PCR 17 in DRTM boot Change-Id: Id52c36c3a64ca002571396d605caa308d9dc0199 RTC: 157140 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/35633 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Timothy R. Block <block@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
author: Nick Bofferding <bofferdn@us.ibm.com> 2017-01-30 13:52:49 -0600
committer: Daniel M. Crowell <dcrowell@us.ibm.com> 2017-03-03 13:51:19 -0500
commit: a9eefaa1086c7a3cc51e374c52a7c04397968fd5 (patch)
tree: b0f15275d1fab88785d6efe8c47d3ad6ea3bc377 /src/include/usr/secureboot/service.H
parent: a0437b216feaa77f81cfa3738844a0b761a9e99d (diff)
download: talos-hostboot-a9eefaa1086c7a3cc51e374c52a7c04397968fd5.tar.gz
talos-hostboot-a9eefaa1086c7a3cc51e374c52a7c04397968fd5.zip
1 files changed, 41 insertions, 14 deletions
diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H
index afb3ed934..a328b7337 100644
--- a/src/include/usr/secureboot/service.H
+++ b/src/include/usr/secureboot/service.H
@@ -48,20 +48,6 @@ typedef uint8_t PAGE_TABLE_ENTRY_t[HASH_PAGE_TABLE_ENTRY_SIZE];
 
 namespace SECUREBOOT
 {
-    // these constants represent the scom addresses and masks we need
-    // to obtain secure boot settings from the system
-    enum class ProcSecurity : uint64_t
-    {
-        SabBit = 0x8000000000000000ull,
-        SwitchRegister = 0x00010005ull,
-    };
-
-    enum class ProcCbsControl : uint64_t
-    {
-        JumperStateBit = 0x0400000000000000ull,
-        StatusRegister = 0x00050001ull,
-    };
-
     /** @brief Perform initialization of Secureboot for the Base image.
      *
      *  - Copy secure header from original location.
@@ -107,6 +93,47 @@ namespace SECUREBOOT
             TARGETING::Target* i_targ
                 = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL);
 
+    /**
+     *  @brief  Clear specified bits in the processor security switch register
+     *
+     *  @par Detailed Description:
+     *      Clears the specified bits in the processor security switch register.
+     *
+     *  @param[in] i_bits Vector of ProcSecurity (bit) enums
+     *  @param[in] i_pTarget Processor target to write.  Must be either
+     *      the master processor target sentinel or valid processor target.
+     *      Must not be NULL.
+     *
+     *  @return errHndl_t Error log handle indicating success or failure
+     *  @retval nullptr  Cleared specified security switch register bits
+     *      successfully
+     *  @retval !nullptr Error log providing failure details
+     */
+    errlHndl_t clearSecuritySwitchBits(
+        const std::vector<SECUREBOOT::ProcSecurity>& i_bits,
+              TARGETING::Target*                     i_pTarget =
+              TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL);
+
+    /**
+     *  @brief  Set specified bits in the processor security switch register
+     *
+     *  @par Detailed Description:
+     *      Sets the specified bits in the processor security switch register.
+     *
+     *  @param[in] i_bits Vector of ProcSecurity (bit) enums
+     *  @param[in] i_pTarget Processor target to write.  Must be either
+     *      the master processor target sentinel or valid processor target.
+     *      Must not be NULL.
+     *
+     *  @return errHndl_t Error log handle indicating success or failure
+     *  @retval nullptr  Set specified security switch register bits
+     *      successfully
+     *  @retval !nullptr Error log providing failure details
+     */
+    errlHndl_t setSecuritySwitchBits(
+        const std::vector<SECUREBOOT::ProcSecurity>& i_bits,
+              TARGETING::Target*                     i_pTarget =
+              TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL);
 
     /** @brief Returns the state of the secure jumper as reported by the
      *      given processor.
author	Nick Bofferding <bofferdn@us.ibm.com>	2017-01-30 13:52:49 -0600
committer	Daniel M. Crowell <dcrowell@us.ibm.com>	2017-03-03 13:51:19 -0500
commit	a9eefaa1086c7a3cc51e374c52a7c04397968fd5 (patch)
tree	b0f15275d1fab88785d6efe8c47d3ad6ea3bc377 /src/include/usr/secureboot/service.H
parent	a0437b216feaa77f81cfa3738844a0b761a9e99d (diff)
download	talos-hostboot-a9eefaa1086c7a3cc51e374c52a7c04397968fd5.tar.gz talos-hostboot-a9eefaa1086c7a3cc51e374c52a7c04397968fd5.zip