author | Jaymes Wilks <mjwilks@us.ibm.com> | 2017-08-25 14:18:38 -0500 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-08-31 12:49:40 -0400 |
commit | e1678bffbd5cba43911f7e6f670ac3c3bb68af39 (patch) | |
tree | 2f9086aa3a1e29bbc353591c4a3d771c92472d0d /src/include/usr | |
parent | 45d359f3df82a3e9edf31b89193c7a61c5229977 (diff) | |
Replace HB_SECURITY_MODE attribute with SECUREBOOT API equivalent
The HB_SECURITY_MODE attribute will now be a variable managed by
secureboot. The FAPI attribute SECURITY_MODE that maps to the HB
version will now call to that variable in the SECUREBOOT API.
Change-Id: I7e42c3f2e355feeb0d49aa6a998960bc5409bfa2
RTC:178643
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/45167
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/include/usr')
-rw-r--r-- | src/include/usr/fapi2/attribute_service.H | 31 | ||||
-rw-r--r-- | src/include/usr/secureboot/service.H | 19 |
2 files changed, 50 insertions, 0 deletions
diff --git a/src/include/usr/fapi2/attribute_service.H b/src/include/usr/fapi2/attribute_service.H
index a6e793914..f21020610 100644
--- a/src/include/usr/fapi2/attribute_service.H
+++ b/src/include/usr/fapi2/attribute_service.H
@@ -276,6 +276,25 @@ ReturnCode fapiAttrGetBadDqBitmap( const Target<TARGET_TYPE_ALL>& i_fapiTarget,
 ReturnCode fapiAttrSetBadDqBitmap( const Target<TARGET_TYPE_ALL>& i_fapiTarget, ATTR_BAD_DQ_BITMAP_Type (&i_data) );
+/// @brief This function is called by the FAPI_ATTR_GET macro when getting
+/// the SECURITY_MODE attribute. It should not be called directly.
+///
+/// @param[out] o_securityMode Provides the attribute contents to the caller
+/// @return ReturnCode Always FAPI2_RC_SUCCESS, this cannot fail.
+/// If a toplevel target cannot be found then
+/// an assert triggers in the platform call
+///
+ReturnCode platGetSecurityMode(uint8_t & o_securityMode);
+
+/// @brief This function is called by the FAPI_ATTR_SET macro when setting
+/// the SECURITY_MODE attribute. It should not be called directly. There are no
+/// parameters. This is intentional as setting this attribute is not supported
+/// from FAPI or FAPI runtime code. A FAPI INFO trace will be printed explaining
+/// this.
+///
+/// @return ReturnCode Always FAPI2_RC_SUCCESS, this cannot fail.
+ReturnCode platSetSecurityMode();
+
 // -----------------------------------------------------------------------------
 // End TODO: End to be supported functions
 // -----------------------------------------------------------------------------
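Review bot: `platSetSecurityMode()` is documented to return FAPI2_RC_SUCCESS while discarding the write, so a caller of FAPI_ATTR_SET on SECURITY_MODE cannot tell from the return code that the security mode was left unchanged; the only signal is an INFO trace. For a security-relevant attribute a rejected write is better surfaced as an error return code, or the comment should at least say so outright, e.g. `/// @note The write is discarded; the SECUREBOOT-owned value is unchanged.` The `platGetSecurityMode` comment says the call "cannot fail" and then describes an assert path; `/// @return ReturnCode FAPI2_RC_SUCCESS; asserts if no toplevel target is found` would state both without the contradiction. Only the declarations are visible here, so the actual behaviour lives in the implementation outside this hunk.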
@@ -381,4 +400,16 @@ fapiToTargeting::ID, sizeof(VAL), &(VAL)) ? fapi2::ReturnCode() : \
 fapi2::platAttrSvc::fapiAttrSetBadDqBitmap(TARGET, VAL)
+//------------------------------------------------------------------------------
+// MACRO to route ATTR_SECURITY_MODE access to the correct HB function
+//------------------------------------------------------------------------------
+#define ATTR_SECURITY_MODE_GETMACRO(ID, TARGET, VAL) \
+ AttrOverrideSync::getAttrOverrideFunc(ID, TARGET, &VAL)\
+ ? fapi2::ReturnCode() : \
+ fapi2::platAttrSvc::platGetSecurityMode(VAL)
+#define ATTR_SECURITY_MODE_SETMACRO(ID, TARGET, VAL) \
+ AttrOverrideSync::getAttrOverrideFunc(ID, TARGET, &VAL)\
+ ? fapi2::ReturnCode() : \
+ fapi2::platAttrSvc::platSetSecurityMode()
+
 #endif // ATTRIBUTESERVICE_H_
diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H
index 0258b5706..4c4d43d3c 100644
--- a/src/include/usr/secureboot/service.H
+++ b/src/include/usr/secureboot/service.H
@@ -305,6 +305,25 @@ namespace SECUREBOOT /* Definition in securerommgr.H */ bool secureRomValidPolicy();
+ /*
+ * @brief Gets the current SBE security mode value from the secureboot
+ * subsystem
+ *
+ * @return uint8_t returns 0 if SBE should check for security disable
+ * requests, 1 if not
+ */
+ uint8_t getSbeSecurityMode();
+
+ /*
+ * @brief Sets the current SBE security mode value in the secureboot
+ * subsystem
+ *
+ * @param[in] uint8_t The value to set the security mode to. Will accept a
+ * a value of 0 if SBE should check for security disable
+ * requests and 1 if not. All other values are not
+ * allowed and will be rejected via an assert.
+ */
+ void setSbeSecurityMode(uint8_t i_sbeSecurityMode);
 } |
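Review bot: Both new macros consult `AttrOverrideSync::getAttrOverrideFunc` before the secureboot-backed function, so an attribute override, if one is accepted for this ID, would be returned by `ATTR_SECURITY_MODE_GETMACRO` in place of the value secureboot manages; whether overrides are refused on secured systems is not visible in this diff and should be confirmed or stated in the comment block above the macros. `ATTR_SECURITY_MODE_SETMACRO` reuses the same get-override call, which looks copied from the GET macro: on a set it would presumably write the override into `VAL` and skip `platSetSecurityMode()`. If overrides are not meant to apply to this attribute, the GET macro can route directly, `#define ATTR_SECURITY_MODE_GETMACRO(ID, TARGET, VAL) fapi2::platAttrSvc::platGetSecurityMode(VAL)`. As a style point, the argument is written `&VAL` here while the existing macro just above uses `&(VAL)`; parenthesising keeps the expansion safe for non-trivial arguments.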
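Review bot: `setSbeSecurityMode` is declared in the public SECUREBOOT header with a raw `uint8_t` where 0 means the SBE checks for security disable requests and 1 means it does not, which is easy to invert at a call site and is reachable by any code that includes this header. Named constants or an enum for the two values, plus a sentence in the comment saying which component is expected to call the setter and at what point in the boot, would make misuse easier to catch in review. The two comments open with `/*` rather than a doc-comment form such as the `///` used in attribute_service.H, so documentation tooling may skip them, and `@param[in] uint8_t` names the type instead of the parameter; `@param[in] i_sbeSecurityMode The value to set the security mode to.` is the usual form. The enclosing namespace begins outside the hunk.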