diff options
author | Ilya Smirnov <ismirno@us.ibm.com> | 2018-05-29 15:16:28 -0500 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2018-06-19 17:35:42 -0400 |
commit | c7384e829f3dec35cbdf3a18dba432c8fcd1c069 (patch) | |
tree | e8af37ef4ae44b51ce06afb478c93e7df4813cf0 /src/usr/isteps | |
parent | 112e8c957fb6c7be34c86f4005badc5b88871764 (diff) | |
download | talos-hostboot-c7384e829f3dec35cbdf3a18dba432c8fcd1c069.tar.gz talos-hostboot-c7384e829f3dec35cbdf3a18dba432c8fcd1c069.zip |
Secure Boot: Support API to fence off all node processors' secure mailboxes
This change imlpements the logic to lock down the Abus
secure mailboxes prior to starting PHyp. The lock down
is perormed as part of secure node communication in istep 18
Change-Id: I4bc678ce7844290a7229b605406d5d3c689a0c6c
RTC: 191005
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/59692
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/isteps')
-rw-r--r-- | src/usr/isteps/istep18/establish_system_smp.C | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/usr/isteps/istep18/establish_system_smp.C b/src/usr/isteps/istep18/establish_system_smp.C index c5e4aab2d..a912bfcab 100644 --- a/src/usr/isteps/istep18/establish_system_smp.C +++ b/src/usr/isteps/istep18/establish_system_smp.C @@ -82,6 +82,8 @@ #include "establish_system_smp.H" +#include <secureboot/service_ext.H> + namespace ESTABLISH_SYSTEM_SMP { @@ -537,6 +539,10 @@ void *host_sys_fab_iovalid_processing(void* io_ptr ) sys->setAttr<TARGETING::ATTR_HB_EXISTING_IMAGE>(hb_existing_image); +#ifdef CONFIG_TPMDD + SECUREBOOT::lockAbusSecMailboxes(); +#endif + // after agreement, open a-busses as required // @TODO RTC:187337 -- HB doesn't have the knowledge of attributes that // p9_fab_iovalid requires at the moment. Currently, this is being called |