authorNick Bofferding <bofferdn@us.ibm.com>2018-03-19 23:26:08 -0500
committerDaniel M. Crowell <dcrowell@us.ibm.com>2018-05-08 09:44:28 -0400
commit2fe71f4ddc13e3c730fbb7e1fcfe0d319eddc333 (patch)
tree6717b134419978a4b0836382364f98f620d1630c /src/usr/isteps/istep14
parent3c2b4bf2adc3e076d7dc9e2876b64b813a799260 (diff)
Secure Boot: Implement Centaur SCOM cache
This change implements a Centaur SCOM cache for sensitive SCOM registers. The cache is initialized and enabled before the first Centaur SCOM, and disabled just prior to locking down the Centaur configuration. Once the Centaur has been locked down, the real register values are compared to the cache entries, and the Centaur is deconfigured (not garded) on any mismatch in assumptions. RTC: 187288 Change-Id: I7b13bfd7eb6b427aba115d6944958bf55e171008 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/57532 Reviewed-by: ILYA SMIRNOV <ismirno@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/isteps/istep14')
-rw-r--r--src/usr/isteps/istep14/call_proc_exit_cache_contained.C24
-rw-r--r--src/usr/isteps/istep14/call_proc_setup_bars.C15
2 files changed, 38 insertions, 1 deletions
diff --git a/src/usr/isteps/istep14/call_proc_exit_cache_contained.C b/src/usr/isteps/istep14/call_proc_exit_cache_contained.C
index f018c452b..46ed22845 100644
--- a/src/usr/isteps/istep14/call_proc_exit_cache_contained.C
+++ b/src/usr/isteps/istep14/call_proc_exit_cache_contained.C
@@ -51,6 +51,11 @@
#include <util/misc.H>
#include <hwas/common/hwas.H>
+#ifdef CONFIG_SECUREBOOT
+#include <secureboot/service.H>
+#include <scom/centaurScomCache.H>
+#endif
+
using namespace ISTEP;
using namespace ISTEP_ERROR;
using namespace ERRORLOG;
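Review bot: The new `#ifdef CONFIG_SECUREBOOT` guard only takes effect if `config.h` has already been included in this file, and this hunk does not add it, while the same commit adds `#include <config.h>` to call_proc_setup_bars.C. The top of the include list is outside the hunk, so this may already be satisfied. If it is not, the macro is undefined here and the cache verification added further down is silently compiled out, which fails open. I would add `#include <config.h>` ahead of the guard, or confirm that an earlier header provides it.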
@@ -69,6 +74,24 @@ void* call_proc_exit_cache_contained (void *io_pArgs)
TRACDCOMP( ISTEPS_TRACE::g_trac_isteps_trace,
"call_proc_exit_cache_contained entry" );
+ errlHndl_t l_errl = nullptr;
+
+#ifdef CONFIG_SECUREBOOT
+ if(SECUREBOOT::enabled())
+ {
+ SECUREBOOT::CENTAUR_SECURITY::ScomCache& centaurCache =
+ SECUREBOOT::CENTAUR_SECURITY::ScomCache::getInstance();
+
+ l_errl = centaurCache.verify();
+ if(l_errl)
+ {
+ l_stepError.addErrorDetails(l_errl);
+ errlCommit(l_errl, HWPF_COMP_ID );
+ }
+
+ centaurCache.destroy();
+ }
+#endif
// @@@@@ CUSTOM BLOCK: @@@@@
// figure out what targets we need
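Review bot: When `centaurCache.verify()` returns an error, the hunk records and commits it and then falls straight through into the rest of call_proc_exit_cache_contained, so nothing visible here stops the step after a failed security check. The commit message says mismatching Centaurs are deconfigured, which presumably happens inside verify(), with the later checkMinimumHardware call deciding bootability, but the rest of the function is outside the hunk. A comment above the call would make that intent reviewable, for example `// verify() deconfigures any Centaur whose registers differ from the cache; continue so checkMinimumHardware can judge what is left`. The hoisted `l_errl` is also reused further down, which relies on errlCommit leaving the handle null; that deserves a short comment too.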
@@ -87,7 +110,6 @@ void* call_proc_exit_cache_contained (void *io_pArgs)
//Check that minimum hardware requirement is meet.
//If not, log error and do not proceed
bool l_bootable;
- errlHndl_t l_errl = nullptr;
l_errl = HWAS::checkMinimumHardware(l_sys, &l_bootable);
if (!l_bootable && !l_errl)
{
diff --git a/src/usr/isteps/istep14/call_proc_setup_bars.C b/src/usr/isteps/istep14/call_proc_setup_bars.C
index e42ba9a07..08d1708d3 100644
--- a/src/usr/isteps/istep14/call_proc_setup_bars.C
+++ b/src/usr/isteps/istep14/call_proc_setup_bars.C
@@ -22,6 +22,7 @@
/* permissions and limitations under the License. */
/* */
/* IBM_PROLOG_END_TAG */
+#include <config.h>
#include <errl/errlentry.H>
#include <isteps/hwpisteperror.H>
#include <initservice/isteps_trace.H>
@@ -48,6 +49,10 @@
#include <attribute_ids.H>
+#ifdef CONFIG_SECUREBOOT
+#include <scom/centaurScomCache.H>
+#endif
+
using namespace ISTEP_ERROR;
using namespace ERRORLOG;
@@ -188,6 +193,7 @@ void* call_proc_setup_bars (void *io_pArgs)
} // end if !l_errl
+#ifdef CONFIG_SECUREBOOT
// Assuming no errors, secure any Centaurs
if ( l_stepError.isNull() )
{
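Review bot: The added `#ifdef CONFIG_SECUREBOOT` encloses the existing `// Assuming no errors, secure any Centaurs` block as well as the new cache code, so a build without CONFIG_SECUREBOOT no longer compiles the Centaur lock-down at all. If that is intended, a comment on the guard would record it, for example `// Centaur lock-down and SCOM cache handling only exist in secure boot builds`. If the lock-down was meant to stay unconditional, the guard should wrap only the cache-disable block added near the end of this if. The body of the block lies outside the hunk, so I cannot tell whether it already contains a runtime secure boot check.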
@@ -247,7 +253,16 @@ void* call_proc_setup_bars (void *io_pArgs)
}
}
}
+
+ if(SECUREBOOT::CENTAUR_SECURITY::ScomCache::getInstance().
+ cacheEnabled())
+ {
+ SECUREBOOT::CENTAUR_SECURITY::ScomCache::getInstance().
+ disableCache();
+ }
+
}
+#endif
if ( l_errl )
{
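Review bot: The new `disableCache()` call appears to sit inside the `if ( l_stepError.isNull() )` block, so on any earlier error in call_proc_setup_bars the cache stays enabled. The later `verify()` in call_proc_exit_cache_contained would then run against a cache that was never disabled. Please confirm that verify() handles a still-enabled cache safely, or move the disable outside the error check; the enclosing block starts outside the hunk. As a style point, `getInstance()` is called twice here, and binding it once as the other file does reads better: `auto& centaurCache = SECUREBOOT::CENTAUR_SECURITY::ScomCache::getInstance();` followed by `if(centaurCache.cacheEnabled()) { centaurCache.disableCache(); }`.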