author | Nick Bofferding <bofferdn@us.ibm.com> | 2017-01-30 13:52:49 -0600 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-03-03 13:51:19 -0500 |
commit | a9eefaa1086c7a3cc51e374c52a7c04397968fd5 (patch) | |
tree | b0f15275d1fab88785d6efe8c47d3ad6ea3bc377 /src/include | |
parent | a0437b216feaa77f81cfa3738844a0b761a9e99d (diff) | |
Support DRTM RIT protection
- Added mailbox scratch register 7 definition
- Added DRTM functions
- Added set/clear security switch register functions
- Added additional security switch bit definitions
- Added secureboot extended library to host DRTM functions
- Inhibited TPM start command in DRTM flow
- Added new config options for DRTM and DRTM RIT protection
- Added new DRTM attribute to indicate if DRTM is active
- Added new DRTM attribute to hold DRTM payload address
- Added new DRTM attribute to initiate DRTM in lieu of loading payload
- Updated target service init to determine DRTM settings
- Updated host start payload step to initiate DRTM if conditions are met
- Updated host MPIPL service to verify DRTM payload and clean up DRTM HW state
- Updated host gard step to verify DRTM HW state
- Rerouted PCR extensions to PCR 17 in DRTM boot
- Use locality 2 for all PCR extensions in DRTM boot
- Inhibit extension logging (for now) in DRTM boot
- Only extend separator to PCR 17 in DRTM boot
Change-Id: Id52c36c3a64ca002571396d605caa308d9dc0199
RTC: 157140
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/35633
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Timothy R. Block <block@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/usr/initservice/mboxRegs.H | 12 | ||||
-rw-r--r-- | src/include/usr/secureboot/drtm.H | 156 | ||||
-rw-r--r-- | src/include/usr/secureboot/secure_reasoncodes.H | 1 | ||||
-rw-r--r-- | src/include/usr/secureboot/service.H | 55 | ||||
-rw-r--r-- | src/include/usr/secureboot/settings.H | 73 |
5 files changed, 282 insertions, 15 deletions
diff --git a/src/include/usr/initservice/mboxRegs.H b/src/include/usr/initservice/mboxRegs.H index 716311385..2f0314c54 100644 --- a/src/include/usr/initservice/mboxRegs.H +++ b/src/include/usr/initservice/mboxRegs.H @@ -5,7 +5,7 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* Contributors Listed Below - COPYRIGHT 2015,2016 */ +/* Contributors Listed Below - COPYRIGHT 2015,2017 */ /* [+] International Business Machines Corp. */ /* */ /* */ @@ -99,6 +99,16 @@ namespace SPLESS } PACKED; }; + // Mailbox Scratch Register 7 + union MboxScratch7_t + { + uint32_t data32; + struct + { + uint32_t drtmPayloadAddrMb :32; //0 + } PACKED; + }; + // Mailbox Scratch Register 8 union MboxScratch8_t { diff --git a/src/include/usr/secureboot/drtm.H b/src/include/usr/secureboot/drtm.H new file mode 100644 index 000000000..e061502ae --- /dev/null +++ b/src/include/usr/secureboot/drtm.H 
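Review bot: The new `MboxScratch7_t` field `drtmPayloadAddrMb` carries only the trailing `//0` comment, so the header does not say what unit the value is in or which code consumes it. A one-line comment on the field would help, for example `// DRTM payload physical address in MB, consumed by SECUREBOOT::DRTM::discoverDrtmState()`, which matches the wording used for `setDrtmPayloadPhysAddrMb` in drtm.H. Since the value appears to be read back as an address during the DRTM boot, the comment should also state whether zero means that no payload is present; that is not visible in this hunk.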
@@ -0,0 +1,156 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/include/usr/secureboot/drtm.H $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2013,2017 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ + +#ifndef __SECUREBOOT_DRTM_H +#define __SECUREBOOT_DRTM_H + +#include <initservice/mboxRegs.H> +#include <config.h> +#include <errl/errlentry.H> +#include <errl/errlmanager.H> +#include <vector> +#include <secureboot/settings.H> +#include <targeting/common/targetservice.H> + +namespace SECUREBOOT +{ + +namespace DRTM +{ + +/** + * @brief Determine HW DRTM state and cache for code to use + * + * @par Detailed Description: + * Reads DRTM related scratch registers, attributes, and proc chip security + * settings to determine the DRTM state, and caches DRTM settings in + * attributes for use by the code. It will return an error log if a DRTM + * consistency violation is detected. 
+ * + * @param[in] i_scratchReg7 Value of scratch register 7 + * @param[in] i_scratchReg8 Value of scratch register 8 + * + * @return errHndl_t Error log handle indicating success or failure + * @retval nullptr Discovered/configured DRTM state successfully + * @retval !nullptr Error log providing failure details + */ +errlHndl_t discoverDrtmState( + const INITSERVICE::SPLESS::MboxScratch7_t& i_scratchReg7, + const INITSERVICE::SPLESS::MboxScratch8_t& i_scratchReg8); + +/** + * @brief Returns whether this is a DRTM MPIPL or not + * + * @param[out] o_isDrtmMpipl Returns whether this is a DRTM MPIPL or not + */ +void isDrtmMpipl(bool& o_isDrtmMpipl); + +/** + * @brief Determines whether DRTM HW settings are consistent across all + * processors in a node + * + * @par Detailed Description: + * Ensures that, when coming up in a DRTM MPIPL, the L4A, LQA, and SUL bits + * are set + LLP and LLS are clear in the processor security register for + * all processors in a node. If this is not the case, it returns an error + * log. Must only be called after FSI path is established and presence + * detect has been confirmed. + * + * @return errHndl_t Error log handle indicating success or failure + * @retval nullptr All processors in node have correct DRTM HW signature + * @retval !nullptr Error log providing failure details + */ +errlHndl_t validateDrtmHwSignature(); + +/** + * @brief Validates and extends the DRTM payload + * + * @par Detailed Description: + * When coming up in a DRTM MPIPL, locates the DRTM payload preserved in + * memory, validates its secure signature, and extends its measurement to + * TPM dynamic PCR range / dynamic log. 
+ * + * @return errHndl_t Error log handle indicating success or failure + * @retval nullptr Validated/extended the DRTM payload + * @retval !nullptr Error log providing failure details + */ +errlHndl_t validateDrtmPayload(); + +/** + * @brief Completes the DRTM sequence + * + * @par Detailed Description: + * Completes the DRTM sequence by clearing the LQA and L4A security switch + * register bits on all the functional processors + * + * @return errHndl_t Error log handle indicating success or failure + * @retval nullptr Completed DRTM HW sequencing + * @retval !nullptr Error log providing failure details + */ +errlHndl_t completeDrtm(); + +#ifdef CONFIG_DRTM_TRIGGERING +/** + * @brief Initiates a DRTM sequence + * + * @par Detailed Description: + * Initiates a DRTM sequence. This pins the task running this code to the + * master processor and sets the LLP bit (for master proc chip) and LLS bit + * (for non-masters) on every processor, setting the LL bit for the + * processor this task is running on last, so that it doesn't get clobbered + * by the SBE core quiesce logic. It also sets up the master processor + * scratch registers to indicate presence and address of the DRTM payload. + * If successful, the function will never return becaue the core it's + * running on will be quiesced by SBE. + * + * @note: Only valid for RIT protection + * + * @return errHndl_t Error log handle indicating success or failure + * @retval nullptr Not possible; on success the function never returns. + * @retval !nullptr Error log providing failure details + */ +errlHndl_t initiateDrtm(); + +/** + * @brief Updates DRTM related scratch registers with DRTM payload details + * + * @par Detailed Description: + * Updates scratch register 7+8 to record details of the DRTM payload + * preserved in memory. This should be called prior to initiating the + * DRTM late launch sequence. 
+ * + * @note: Only valid for RIT protection + * + * @param[in] i_drtmPayloadAddrMb DRTM payload physical address in MB + */ +void setDrtmPayloadPhysAddrMb(uint32_t i_drtmPayloadPhysAddrMb); +#endif + +} // End DRTM namespace + +} // End SECUREBOOT namespace + +#endif // End __SECUREBOOT_DRTM_H + diff --git a/src/include/usr/secureboot/secure_reasoncodes.H b/src/include/usr/secureboot/secure_reasoncodes.H index 2bbed2b23..1609e1a5f 100644 --- a/src/include/usr/secureboot/secure_reasoncodes.H +++ b/src/include/usr/secureboot/secure_reasoncodes.H @@ -38,6 +38,7 @@ namespace SECUREBOOT MOD_SECURE_ROM_CLEANUP = 0x04, MOD_SECURE_ROM_SHA512 = 0x05, MOD_SECURE_READ_REG = 0x06, + MOD_SECURE_WRITE_REG = 0x07, }; enum SECUREReasonCode diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H index afb3ed934..a328b7337 100644 --- a/src/include/usr/secureboot/service.H +++ b/src/include/usr/secureboot/service.H @@ -48,20 +48,6 @@ typedef uint8_t PAGE_TABLE_ENTRY_t[HASH_PAGE_TABLE_ENTRY_SIZE]; namespace SECUREBOOT { - // these constants represent the scom addresses and masks we need - // to obtain secure boot settings from the system - enum class ProcSecurity : uint64_t - { - SabBit = 0x8000000000000000ull, - SwitchRegister = 0x00010005ull, - }; - - enum class ProcCbsControl : uint64_t - { - JumperStateBit = 0x0400000000000000ull, - StatusRegister = 0x00050001ull, - }; - /** @brief Perform initialization of Secureboot for the Base image. * * - Copy secure header from original location. 
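Review bot: The Doxygen for `setDrtmPayloadPhysAddrMb` documents `@param[in] i_drtmPayloadAddrMb`, but the declared parameter is `i_drtmPayloadPhysAddrMb`, so the description does not attach to the argument; the tag should read `@param[in] i_drtmPayloadPhysAddrMb DRTM payload physical address in MB`. Every `@return` in drtm.H names `errHndl_t` while the functions return `errlHndl_t`, and the same spelling appears in the new comments in service.H and settings.H. In the `initiateDrtm` description "becaue" should be "because". `isDrtmMpipl` reports its only result through a `bool&` out-parameter; `bool isDrtmMpipl();` would be harder to misuse where the answer feeds a security decision, if the callers outside this diff allow the change.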
@@ -107,6 +93,47 @@ namespace SECUREBOOT TARGETING::Target* i_targ = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL); + /** + * @brief Clear specified bits in the processor security switch register + * + * @par Detailed Description: + * Clears the specified bits in the processor security switch register. + * + * @param[in] i_bits Vector of ProcSecurity (bit) enums + * @param[in] i_pTarget Processor target to write. Must be either + * the master processor target sentinel or valid processor target. + * Must not be NULL. + * + * @return errHndl_t Error log handle indicating success or failure + * @retval nullptr Cleared specified security switch register bits + * successfully + * @retval !nullptr Error log providing failure details + */ + errlHndl_t clearSecuritySwitchBits( + const std::vector<SECUREBOOT::ProcSecurity>& i_bits, + TARGETING::Target* i_pTarget = + TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL); + + /** + * @brief Set specified bits in the processor security switch register + * + * @par Detailed Description: + * Sets the specified bits in the processor security switch register. + * + * @param[in] i_bits Vector of ProcSecurity (bit) enums + * @param[in] i_pTarget Processor target to write. Must be either + * the master processor target sentinel or valid processor target. + * Must not be NULL. + * + * @return errHndl_t Error log handle indicating success or failure + * @retval nullptr Set specified security switch register bits + * successfully + * @retval !nullptr Error log providing failure details + */ + errlHndl_t setSecuritySwitchBits( + const std::vector<SECUREBOOT::ProcSecurity>& i_bits, + TARGETING::Target* i_pTarget = + TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL); /** @brief Returns the state of the secure jumper as reported by the * given processor. diff --git a/src/include/usr/secureboot/settings.H b/src/include/usr/secureboot/settings.H index d6f83126d..08681e08e 100644 --- a/src/include/usr/secureboot/settings.H 
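Review bot: `clearSecuritySwitchBits` and `setSecuritySwitchBits` take `std::vector<SECUREBOOT::ProcSecurity>`, and that enum (settings.H hunk of this commit) also holds the SCOM addresses `SwitchRegister` and `SwitchRegisterClear`, so a caller can pass an address where a bit mask is expected and the type system will not object. The `i_bits` documentation should say which enumerators are valid, e.g. `@param[in] i_bits Vector of ProcSecurity bit masks (*Bit enumerators only, not register addresses)`, and the implementation, which is outside this diff, should check it. The comment also does not say what happens for an empty vector. Because these bits gate the late-launch state, it would help to document whether the write is confirmed by a read-back; nothing in the header indicates either way.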
+++ b/src/include/usr/secureboot/settings.H @@ -29,6 +29,7 @@ #include <targeting/common/target.H> #include <targeting/common/targetservice.H> #include <cstdint> +#include <vector> namespace SECUREBOOT { @@ -38,6 +39,39 @@ namespace SECUREBOOT SECURITY_ASSERTED = 0b1, }; + // these constants represent the scom addresses and masks we need + // to obtain secure boot settings from the system + enum class ProcSecurity : uint64_t + { + SabBit = 0x8000000000000000ull, // Secure access (mirrored) + LLPBit = 0x4000000000000000ull, // Late launch primary + LLSBit = 0x2000000000000000ull, // Late launch secondary + LQABit = 0x1000000000000000ull, // Local quiesce achieved + SULBit = 0x0800000000000000ull, // Security update lock + L4ABit = 0x0400000000000000ull, // Locality 4 access + SDBBit = 0x0200000000000000ull, // Secure chip debug mode + CMFSIBit = 0x0100000000000000ull, // cMFSI access protection + ABUSBit = 0x0080000000000000ull, // Abus mailbox protection + RNGBit = 0x0040000000000000ull, // Random number generator lock + // Spare = 0x0020000000000000ull, + // Spare = 0x0010000000000000ull, + TDPBit = 0x0008000000000000ull, // TPM deconfig protection + // Spare = 0x0004000000000000ull, + // Spare = 0x0002000000000000ull, + // Spare = 0x0001000000000000ull, + + SwitchRegister = 0x00010005ull, + SwitchRegisterClear = 0x00010006ull, + }; + + enum class ProcCbsControl : uint64_t + { + SabBit = 0x0800000000000000ull, // Secure access + JumperStateBit = 0x0400000000000000ull, // Secure jumper + + StatusRegister = 0x00050001ull, + }; + /** @class Settings * * @brief Caches and parses the hardware settings for Secureboot. 
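Review bot: `ProcCbsControl::SabBit` is added as `0x0800000000000000ull`, the same value as `ProcSecurity::SULBit`, while `ProcSecurity::SabBit` is `0x8000000000000000ull`; two enumerators with the same name and different masks are easy to pair with the wrong register, because the register helpers in the `Settings` class take a plain `uint64_t` address. A comment on each that names its register would make the pairing explicit, for example `// Secure access; test only against ProcCbsControl::StatusRegister`. The "(mirrored)" remark on `ProcSecurity::SabBit` should also say which register is the source of the mirrored value, since a reader cannot tell from this hunk which of the two is authoritative.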
@@ -58,6 +92,23 @@ namespace SECUREBOOT TARGETING::Target* i_targ = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL) const; + /** + * @brief Clear bits in the processor security swith register. See + * full documentation in service.H. + */ + errlHndl_t clearSecuritySwitchBits( + const std::vector<SECUREBOOT::ProcSecurity>& i_bits, + TARGETING::Target* i_pTarget = + TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL) const; + /** + * @brief Set bits in the processor security swith register. See + * full documentation in service.H. + */ + errlHndl_t setSecuritySwitchBits( + const std::vector<SECUREBOOT::ProcSecurity>& i_bits, + TARGETING::Target* i_pTarget = + TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL) const; + /** @brief Returns the state of the secure jumper as reported by the * given processor. See wrapper in Secureboot's service.H * for documenation. @@ -91,6 +142,28 @@ namespace SECUREBOOT const uint64_t i_scomAddress, uint64_t& o_regValue) const; + /** + * @brief Write a generic security related register + * + * @par Detailed Description: + * Writes a given security register given a proc target, SCOM + * address, and value. + * + * @param[in] i_pTarget Processor target to write. Must be either + * the master processor target sentinel or valid processor + * target. Must not be NULL. + * @param[in] i_scomAddress SCOM address to write + * @param[in] i_data Data to write to given SCOM address + * + * @return errHndl_t Error log handle indicating success or failure + * @retval nullptr Wrote data to SCOM address successfully + * @retval !nullptr Error log providing failure details + */ + errlHndl_t writeSecurityRegister( + TARGETING::Target* i_pTarget, + uint64_t i_scomAddress, + uint64_t i_data) const; + /** Cached secure boot enabled value */ bool iv_enabled; }; |
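Review bot: Both new `@brief` comments in the `Settings` class say "security swith register"; this should be "security switch register". The two declarations are also `const` member functions although they exist to change hardware state, which reads oddly next to the cached `iv_enabled` member; a short comment such as `// const: modifies HW registers only, not cached settings` would explain the choice. A blank line between the `clearSecuritySwitchBits` declaration and the comment for `setSecuritySwitchBits` would match the spacing used elsewhere in the class.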
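Review bot: `writeSecurityRegister` accepts any `uint64_t i_scomAddress`, so nothing in the signature limits it to the security registers it is documented for. If the member is not private (its access section is outside the hunk), consider taking a `ProcSecurity` register enumerator instead, or state in the comment that only `ProcSecurity::SwitchRegister` and `ProcSecurity::SwitchRegisterClear` are valid targets. The parameter is declared `uint64_t i_scomAddress` here but `const uint64_t i_scomAddress` in the read helper whose declaration ends just above; one form should be used for both.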