authorJaymes Wilks <mjwilks@us.ibm.com>2016-11-08 10:58:25 -0600
committerWilliam G. Hoffa <wghoffa@us.ibm.com>2017-01-05 14:00:52 -0500
commitfd1dc5a2c009d61145e2bb96865cf5de47674fb4 (patch)
treeb418fb811189020bb509a566fec40c660b04452d /src/include/usr/secureboot
parent82af686f8456f594ae17409f1e1e70fc55485cd8 (diff)
port p8 secureboot settings code to p9
Update the p9 branch to handle the secure settings states as the p8 code does, but with the new p9 constant values. Remove caching of register values. Change-Id: I0a29ce0103a8f9b60b421a4bb625f12adcd916f8 RTC:161916 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/32490 Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
Diffstat (limited to 'src/include/usr/secureboot')
-rw-r--r--src/include/usr/secureboot/service.H43
1 files changed, 36 insertions, 7 deletions
diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H
index d138250ad..dce836106 100644
--- a/src/include/usr/secureboot/service.H
+++ b/src/include/usr/secureboot/service.H
@@ -41,13 +41,19 @@ typedef uint8_t PAGE_TABLE_ENTRY_t[HASH_PAGE_TABLE_ENTRY_SIZE];
namespace SECUREBOOT
{
- // TODO securebootp9 - the two constants below were taken from master-p8
- // branch (version 2257b1) of service.H underneath secureboot.
- // The p9 version of service.H needs many more updates in order to match
- // the p8 version.
- const uint64_t PROC_SECURITY_SWITCH_REGISTER = 0x00010005ull;
- const uint64_t
- PROC_SECURITY_SWITCH_TRUSTED_BOOT_MASK = 0x8000000000000000ull;
+ // these constants represent the scom addresses and masks we need
+ // to obtain secure boot settings from the system
+ enum class ProcSecurity : uint64_t
+ {
+ SabBit = 0x8000000000000000ull,
+ SwitchRegister = 0x00010005ull,
+ };
+
+ enum class ProcCbsControl : uint64_t
+ {
+ JumperStateBit = 0x0400000000000000ull,
+ StatusRegister = 0x00050001ull,
+ };
/** @brief Perform initialization of Secureboot for the Base image.
*
@@ -70,6 +76,29 @@ namespace SECUREBOOT
*/
bool enabled();
+ /** @brief Returns the state of the secure jumper as reported by the master
+ * processor.
+ *
+ * @par Detailed Description:
+ * Returns the state of the secure jumper as reported by the master
+ * processor. This should NOT be used to determine whether security is
+ * enabled, because several conditions are aggregated together to
+ * determine that. To query whether security is actually enabled or
+ * not, call the enabled() API. This is a limited-use API intended to
+ * be called by trusted boot code to determine whether a system shipped
+ * with a secure jumper applied or removed, in order to decide
+ * whether to enforce the "TPM Required" policy or not.
+ *
+ * @return Boolean indicating acting master processor's secure jumper state
+ * @retval true Jumper is configured to request HW security. This does not
+ * necessarily imply security is enabled, because an open SBE can
+ * override the HW policy. Use the enabled() API to determine whether
+ * security is actually enabled.
+ * @retval false Jumper is configured to disble HW security.
+ */
+ bool getJumperState();
+
+
/**
* @brief Verify Signed Container
*
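Review bot: In the first hunk, ProcSecurity and ProcCbsControl each put a SCOM register address and a bit mask under one enum type, so once a caller performs the static_cast<uint64_t> that an enum class forces, a mask can be handed to a SCOM access where an address belongs (or the reverse) with no compiler help; the only hint is the two-line comment above the enums. Splitting addresses and masks into separate types, or at least documenting each enumerator, would keep that distinction visible at the use site, e.g. `SwitchRegister = 0x00010005ull, ///< SCOM address of the security switch register` and `SabBit = 0x8000000000000000ull, ///< bit mask applied to the value read from SwitchRegister`. In the second hunk the new getJumperState() documentation has a typo in its last @retval, which should read `@retval false Jumper is configured to disable HW security.`, and the two added blank lines after the declaration can be collapsed to one. Since the commit message says caching of register values was removed, the declaration would also benefit from a sentence stating whether each call re-reads the hardware register rather than a cached copy, if that is what the definition (outside this diff) now does, because callers of a policy-relevant query like this need to know whether the value can go stale.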