authorCorey Swenson <cswenson@us.ibm.com>2019-05-02 15:20:15 -0500
committerDaniel M. Crowell <dcrowell@us.ibm.com>2019-06-03 10:26:25 -0500
commit5fd22b47f8d633b118265bae079793e8d90a51c1 (patch)
treee923f832604423f163e11b95cd05c49e7442bbac /src/include
parentaf06bf24063e067ec0c6d7596588fc1716b2d4b9 (diff)
downloadtalos-hostboot-5fd22b47f8d633b118265bae079793e8d90a51c1.tar.gz
talos-hostboot-5fd22b47f8d633b118265bae079793e8d90a51c1.zip
NVDIMM encryption HW function support
Update random number generation, IPL and runtime. Write encryption regs to enable nvdimm encryption, crypto-erase, disable encryption. Read config-status reg to verify encryption state. Change-Id: I25625b53f90eeb542767fa729ebb47f8f8455a4b RTC:201474 Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/77321 Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Matthew Raybuck <matthew.raybuck@ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/include')
-rw-r--r--src/include/arch/ppc.H20
-rw-r--r--src/include/usr/isteps/nvdimm/nvdimm.H63
-rw-r--r--src/include/usr/isteps/nvdimm/nvdimmreasoncodes.H19
3 files changed, 98 insertions, 4 deletions
diff --git a/src/include/arch/ppc.H b/src/include/arch/ppc.H
index b0c076d0a..2e6639da9 100644
--- a/src/include/arch/ppc.H
+++ b/src/include/arch/ppc.H
@@ -417,6 +417,26 @@ inline void writeScratchReg(uint64_t _scratch_addr, uint64_t _data)
}
+#ifdef __HOSTBOOT_RUNTIME
+
+/** @brief getDarn - deliver a random number instruction
+ * Returns 64 bits of random data, requires random number generator
+ * configured appropriately + locked down, only available at runtime.
+ */
+ALWAYS_INLINE
+inline uint64_t getDarn()
+{
+ register uint64_t rt = 0;
+ register uint64_t L = 1; // L=1 conditioned random number
+ asm volatile(".long 0x7C0005E6 | "
+ "((%0 & 0x1F) << 21) | "
+ "((%1 & 0x3) << 16)" :
+ "=r" (rt), "=r" (L));
+ return rt;
+}
+
+#endif
+
/** @brief This is a special assembler instruction that is a nop on
* regular hardware, but has special meaning to Simics. Code that
* executes this instruction in Simics will cause a "hap," a
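Review bot: The conditioning field of the hand-encoded darn instruction is taken from the register number the compiler allocates for `L`, not from its value: inside the `.long` expression `%1` expands to that register's number, and `L` is declared as an output-only operand (`"=r"`), so the `= 1` initializer is dead and `(%1 & 0x3)` selects 32-bit conditioned, 64-bit conditioned, raw, or the reserved encoding depending on register allocation. For data that feeds encryption keys this is not acceptable; encode the field as a literal and drop `L`: `asm volatile(".long 0x7C0005E6 | ((%0 & 0x1F) << 21) | (1 << 16)" : "=r" (rt));`. The function also returns the all-ones value that darn produces when no random number is available without comment; the NVDIMM_ENCRYPTION_MAX_DARN_ERRORS reason code added in this commit suggests the caller retries on it, so the docstring should say `Returns 0xFFFFFFFFFFFFFFFF when no random number is available; callers must check and retry`.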
diff --git a/src/include/usr/isteps/nvdimm/nvdimm.H b/src/include/usr/isteps/nvdimm/nvdimm.H
index 864ef187f..7325c9a7c 100644
--- a/src/include/usr/isteps/nvdimm/nvdimm.H
+++ b/src/include/usr/isteps/nvdimm/nvdimm.H
@@ -43,6 +43,7 @@ enum nvdimm_err_status
};
#ifndef __HOSTBOOT_RUNTIME
+
/**
* @brief Entry function to NVDIMM management
* - Restore image from NVDIMM NAND flash to DRAM
@@ -69,17 +70,64 @@ void nvdimm_restore(TARGETING::TargetHandleList &i_nvdimmList);
**/
bool nvdimm_update(TARGETING::TargetHandleList &i_nvdimmList);
-#endif
+/**
+ * @brief Entry function to NVDIMM unlock encryption
+ *
+ * @param[in] i_nvdimmList - list of nvdimm targets
+ *
+ * @return true if no errors logged, else false
+ */
+bool nvdimm_encrypt_unlock(TARGETING::TargetHandleList &i_nvdimmList);
+
+
+#endif
+// TODO RTC:210689 Handle return pass/fail
+// Need to define what return=false means for the caller
+// For all of the functions in this file
/**
* @brief Entry function to NVDIMM generate keys
- * Generate encryption keys if required and set the FW key attribute
+ * Generate encryption keys and set the FW key attribute
+ *
+ * @return true if no errors logged, else false
+ */
+bool nvdimm_gen_keys(void);
+
+/**
+ * @brief Entry function to NVDIMM remove keys
+ * Set the FW key attribute = 0
+ * Tell HWSV to clear anchor key attribute
+ *
+ * @return true if no errors logged, else false
+ */
+bool nvdimm_remove_keys(void);
+
+/**
+ * @brief Entry function to NVDIMM enable encryption
+ *
+ * @param[in] i_nvdimmList - list of nvdimm targets
+ *
+ * @return true if no errors logged, else false
+ */
+bool nvdimm_encrypt_enable(TARGETING::TargetHandleList &i_nvdimmList);
+
+/**
+ * @brief Entry function to NVDIMM crypto erase
*
* @param[in] i_nvdimmList - list of nvdimm targets
*
+ * @return true if no errors logged, else false
+ */
+bool nvdimm_crypto_erase(TARGETING::TargetHandleList &i_nvdimmList);
+
+/**
+ * @brief Helper function to get list of nvdimm target pointers
+ *
+ * @param[out] o_nvdimmList - list of nvdimm targets
+ *
*/
-void nvdimm_gen_keys(TARGETING::TargetHandleList &i_nvdimmList);
+void nvdimm_getNvdimmList(TARGETING::TargetHandleList &o_nvdimmList);
/**
* @brief This function erases image on the nvdimm target
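Review bot: The docstring for `nvdimm_getNvdimmList` does not say whether `o_nvdimmList` is cleared before being populated or appended to, and a non-const reference `@param[out]` leaves that to the reader; add one line stating which, e.g. `@note o_nvdimmList is cleared before being populated` if that is what the implementation does. The TODO block above it says the meaning of a false return is still undefined for every function in this file, yet each new `@return` line promises "true if no errors logged"; either the TODO or the `@return` text should be reconciled so callers of `nvdimm_encrypt_enable` and `nvdimm_crypto_erase` know whether false means an error log was committed or merely that the operation did not complete.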
@@ -139,6 +187,15 @@ errlHndl_t nvdimmChangeArmState(TARGETING::Target *i_nvdimm, bool i_state);
bool nvdimmArm(TARGETING::TargetHandleList &i_nvdimmTargetList);
/**
+ * @brief Disarms the trigger to enable backup in the event of a
+ * power loss on each NVDIMM
+ *
+ * @param[in] i_nvdimmTargetList : list of dimms that are NVDIMMs
+ * @return true if no errors logged, else false
+ */
+bool nvdimmDisarm(TARGETING::TargetHandleList &i_nvdimmTargetList);
+
+/**
* @brief NVDIMM protection state
*
* NOT_PROTECTED - default state
diff --git a/src/include/usr/isteps/nvdimm/nvdimmreasoncodes.H b/src/include/usr/isteps/nvdimm/nvdimmreasoncodes.H
index f84581896..b973b1a77 100644
--- a/src/include/usr/isteps/nvdimm/nvdimmreasoncodes.H
+++ b/src/include/usr/isteps/nvdimm/nvdimmreasoncodes.H
@@ -86,7 +86,15 @@ enum nvdimmModuleId
WAIT_FW_OPS_BLOCK_RECEIVED = 0x24,
NVDIMM_IS_UPDATE_NEEDED = 0x25,
NVDIMM_RUN_UPDATE_USING_LID = 0x26,
- NVDIMM_GEN_KEYS = 0x27,
+ NVDIMM_GET_TPM = 0x27,
+ NVDIMM_SET_KEY_REG = 0x28,
+ NVDIMM_ENCRYPT_ENABLE = 0x29,
+ NVDIMM_CRYPTO_ERASE = 0x2A,
+ NVDIMM_CHECK_VALID_ATTR_DATA = 0x2B,
+ NVDIMM_HANDLE_CONFLICTING_KEYS = 0x2C,
+ NVDIMM_ENCRYPT_UNLOCK = 0x2D,
+ NVDIMM_GET_DARN_NUMBER = 0x2E,
+ NVDIMM_KEYIFY_RANDOM_NUMBER = 0x2F,
};
/**
@@ -140,6 +148,15 @@ enum nvdimmReasonCode
NVDIMM_START_UPDATE = NVDIMM_COMP_ID | 0x28, // start update
NVDIMM_UPDATE_COMPLETE = NVDIMM_COMP_ID | 0x29, // update completed
NVDIMM_TPM_NOT_FOUND = NVDIMM_COMP_ID | 0x30, // TPM not found
+ NVDIMM_VERIF_BYTE_CHECK_FAILED = NVDIMM_COMP_ID | 0x31, // Encryption key reg verif failed
+ NVDIMM_ENCRYPTION_ENABLE_FAILED = NVDIMM_COMP_ID | 0x32, // Encryption enable failed
+ NVDIMM_ENCRYPTION_ERASE_PENDING_FAILED = NVDIMM_COMP_ID | 0x32, // Encryption crypto erase pending failed
+ NVDIMM_ENCRYPTION_ERASE_FAILED = NVDIMM_COMP_ID | 0x33, // Encryption crypto erase failed
+ NVDIMM_ENCRYPTION_UNLOCK_FAILED = NVDIMM_COMP_ID | 0x34, // Encryption unlock failed
+ NVDIMM_ENCRYPTION_INVALID_ATTRIBUTE = NVDIMM_COMP_ID | 0x35, // Encryption attribute key data invalid
+ NVDIMM_ENCRYPTION_KEY_ATTRS_INVALID = NVDIMM_COMP_ID | 0x36, // Encryption key attributes are both invalid
+ NVDIMM_ENCRYPTION_MAX_DARN_ERRORS = NVDIMM_COMP_ID | 0x37, // Darn random key gen reached max errors
+ NVDIMM_ENCRYPTION_BAD_RANDOM_DATA = NVDIMM_COMP_ID | 0x38, // Generated key data not valid
};
enum UserDetailsTypes
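Review bot: `NVDIMM_ENCRYPTION_ENABLE_FAILED` and `NVDIMM_ENCRYPTION_ERASE_PENDING_FAILED` are both assigned `NVDIMM_COMP_ID | 0x32`, so an error log for a failed encryption enable and one for a stuck crypto-erase carry the same reason code and cannot be told apart in the field; the enum compiles because duplicate enumerator values are legal. Give `NVDIMM_ENCRYPTION_ERASE_PENDING_FAILED` the next unused value in this enum (0x39 if nothing after the visible lines already takes it) rather than renumbering the codes that follow, since the existing values may already appear in parser tables and documentation outside this hunk.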