authorStephen Cprek <smcprek@us.ibm.com>2017-07-26 10:33:24 -0500
committerDaniel M. Crowell <dcrowell@us.ibm.com>2017-08-25 23:16:28 -0400
commitcefc4c2c1bf3a43a993f2091813ee181779ddee4 (patch)
treef6b15a971c3207dbae3b1800f8555b55d5dd8ae7 /src/usr/pnor/pnor_common.C
parentb8f86e3a6bb4f491360dc3771854e36e903f8a71 (diff)
Refactor SecureBoot Workarounds to better control leniency
At this time we are trying to secure OpenPOWER in secure mode, but allow best-effort policies in other scenarios. Change-Id: I9ec2b5be49dbfcff678c4d30bb85f8762e448cb6 RTC: 170136 RTC: 155374 RTC: 168021 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/43640 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/pnor/pnor_common.C')
-rw-r--r--src/usr/pnor/pnor_common.C135
1 files changed, 68 insertions, 67 deletions
diff --git a/src/usr/pnor/pnor_common.C b/src/usr/pnor/pnor_common.C
index addf0e491..20d6bd760 100644
--- a/src/usr/pnor/pnor_common.C
+++ b/src/usr/pnor/pnor_common.C
@@ -304,31 +304,31 @@ errlHndl_t PNOR::parseTOC( uint8_t* i_tocBuffer,SectionData_t * o_TOC)
}
- // @TODO RTC 168021 Remove legacy extensions when all
- // secure sections are supported
+#ifndef __HOSTBOOT_RUNTIME
if (PNOR::hasNonSecureHeader(o_TOC[l_secId]))
{
// Never extend the base image through this path, it will be
// handled elsewhere
if(l_secId != PNOR::HB_BASE_CODE)
{
- // For non-secure sections with a SHA512 header, the
- // flash address has incremented past the header, so
- // back up by the header size (accounting for ECC) in order
- // to extend the header
- auto addr = o_TOC[l_secId].flashAddr;
- size_t headerSize =
+ // For non-secure sections with a SHA512 header, the
+ // flash address has incremented past the header, so
+ // back up by the header size (accounting for ECC) in order
+ // to extend the header
+ auto addr = o_TOC[l_secId].flashAddr;
+ size_t headerSize =
(o_TOC[l_secId].integrity == FFS_INTEG_ECC_PROTECT) ?
PAGESIZE_PLUS_ECC : PAGESIZE;
- addr -= headerSize;
+ addr -= headerSize;
- l_errhdl = PNOR::extendHash(addr, headerSize, l_secId);
- if (l_errhdl)
- {
- break;
- }
+ l_errhdl = PNOR::extendHash(addr, headerSize, l_secId);
+ if (l_errhdl)
+ {
+ break;
+ }
}
}
+#endif
}
for(int tmpId = 0;
@@ -346,50 +346,49 @@ errlHndl_t PNOR::parseTOC( uint8_t* i_tocBuffer,SectionData_t * o_TOC)
return l_errhdl;
}
-// @TODO RTC 168021 Remove legacy extensions when all secure sections are
-// supported
-errlHndl_t PNOR::extendHash(uint64_t i_addr,
- size_t i_size,
- const PNOR::SectionId i_sectionId)
+#ifndef __HOSTBOOT_RUNTIME
+errlHndl_t PNOR::extendHash(uint64_t i_addr, size_t i_size,
+ const PNOR::SectionId i_sectionId)
{
errlHndl_t l_errhdl = NULL;
do {
- #ifndef __HOSTBOOT_RUNTIME
- const char* l_name = PNOR::SectionIdToString(i_sectionId);
-
- // Read data from the PNOR DD
- uint8_t* l_buf = new uint8_t[i_size]();
- TARGETING::Target* l_target = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL;
- l_errhdl = DeviceFW::deviceRead(l_target, l_buf, i_size,
- DEVICE_PNOR_ADDRESS(0,i_addr));
- if (l_errhdl)
- {
- break;
- }
- SHA512_t l_hash = {0};
- SECUREBOOT::hashBlob(l_buf, i_size, l_hash);
- l_errhdl = TRUSTEDBOOT::pcrExtend(TRUSTEDBOOT::PCR_0,
- PNOR::PAYLOAD == i_sectionId?
- TRUSTEDBOOT::EV_COMPACT_HASH:
- (PNOR::isCoreRootOfTrustSection(i_sectionId)?
- TRUSTEDBOOT::EV_S_CRTM_CONTENTS:
- TRUSTEDBOOT::EV_POST_CODE),
- l_hash,
- sizeof(SHA512_t),
- l_name);
- delete[] l_buf;
+ const char* l_name = PNOR::SectionIdToString(i_sectionId);
+
+ // Read data from the PNOR DD
+ uint8_t* l_buf = new uint8_t[i_size]();
+ TARGETING::Target* l_target = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL;
+ l_errhdl = DeviceFW::deviceRead(l_target, l_buf, i_size,
+ DEVICE_PNOR_ADDRESS(0,i_addr));
+ if (l_errhdl)
+ {
+ break;
+ }
+
+ SHA512_t l_hash = {0};
+ SECUREBOOT::hashBlob(l_buf, i_size, l_hash);
+ l_errhdl = TRUSTEDBOOT::pcrExtend(TRUSTEDBOOT::PCR_0,
+ PNOR::PAYLOAD == i_sectionId?
+ TRUSTEDBOOT::EV_COMPACT_HASH:
+ (PNOR::isCoreRootOfTrustSection(i_sectionId)?
+ TRUSTEDBOOT::EV_S_CRTM_CONTENTS:
+ TRUSTEDBOOT::EV_POST_CODE),
+ l_hash,
+ sizeof(SHA512_t),
+ l_name);
+ delete[] l_buf;
+
+ if (l_errhdl)
+ {
+ break;
+ }
- if (l_errhdl)
- {
- break;
- }
- #endif
} while(0);
return l_errhdl;
}
+#endif
bool PNOR::isInhibitedSection(const uint32_t i_section)
{
@@ -445,7 +444,7 @@ bool PNOR::isInhibitedSection(const uint32_t i_section)
#endif
}
-// @TODO RTC:155374 Remove this in the future
+
errlHndl_t PNOR::setSecure(const uint32_t i_secId,
PNOR::SectionData_t* io_TOC)
{
@@ -458,30 +457,32 @@ errlHndl_t PNOR::setSecure(const uint32_t i_secId,
// Set secure field based on enforced policy
io_TOC[i_secId].secure = PNOR::isEnforcedSecureSection(i_secId);
+ // HBRT does not support best effort policy. Use enforced secure policy only.
#ifndef __HOSTBOOT_RUNTIME
-#ifdef CONFIG_SECUREBOOT_BEST_EFFORT
- if (io_TOC[i_secId].secure)
+ if(SECUREBOOT::bestEffortPolicy())
{
- // Apply best effort policy by checking if the section appears to have a
- // secure header
- size_t l_size = sizeof(ROM_MAGIC_NUMBER);
- uint8_t l_buf[l_size] = {0};
- auto l_target = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL;
- // Read first 4 bytes of section data from the PNOR DD
- // Note: Do not need to worry about ECC as the 9th byte is the first
- // ECC byte.
- l_errhdl = DeviceFW::deviceRead(l_target, l_buf, l_size,
- DEVICE_PNOR_ADDRESS(0,io_TOC[i_secId].flashAddr));
- if (l_errhdl)
+ if (io_TOC[i_secId].secure)
{
- break;
- }
+ // Apply best effort policy by checking if the section appears to have a
+ // secure header
+ size_t l_size = sizeof(ROM_MAGIC_NUMBER);
+ uint8_t l_buf[l_size] = {0};
+ auto l_target = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL;
+ // Read first 4 bytes of section data from the PNOR DD
+ // Note: Do not need to worry about ECC as the 9th byte is the first
+ // ECC byte.
+ l_errhdl = DeviceFW::deviceRead(l_target, l_buf, l_size,
+ DEVICE_PNOR_ADDRESS(0,io_TOC[i_secId].flashAddr));
+ if (l_errhdl)
+ {
+ break;
+ }
- // Check if first 4 bytes match the Secureboot Magic Number
- io_TOC[i_secId].secure &= PNOR::cmpSecurebootMagicNumber(l_buf);
+ // Check if first 4 bytes match the Secureboot Magic Number
+ io_TOC[i_secId].secure &= PNOR::cmpSecurebootMagicNumber(l_buf);
+ }
}
#endif
-#endif
} while (0);
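Review bot: `l_buf` is leaked on the deviceRead error path of extendHash (hunk at `@@ -346`): `new uint8_t[i_size]()` is followed by `if (l_errhdl) { break; }`, and the only `delete[] l_buf;` sits after the pcrExtend call, so it is never reached when the read fails. The commit only moves the `#ifndef __HOSTBOOT_RUNTIME` guard from inside the body to around the whole function, so this pre-existing leak survives on the new side. Release the buffer in that branch, `if (l_errhdl) { delete[] l_buf; break; }`, or hold it in a scoped owner if the build environment provides one. Separately, in setSecure the compile-time CONFIG_SECUREBOOT_BEST_EFFORT gate becomes a runtime `SECUREBOOT::bestEffortPolicy()` call whose implementation is not in this diff; a comment such as `// bestEffortPolicy() is expected to be false whenever secure mode is enforced, since a missing magic number clears the section's secure flag below` would record the assumption the `secure &=` demotion relies on.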