Remove Secure Boot workarounds

- Removing the magic number checks that would block sb functionality if things didn't appear secure - Remove Best Effort Policy and all of its related code - Remove the legacy PCR extension - Remove the non-secure header preservation path. - Always load HB base image header from the bl to hb data path vs settings unsecurely out of pnor Change-Id: Ie638384ac50ed47850985c959ea7a32e5757d64e RTC: 178520 RTC: 155374 RTC: 173489 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49925 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
author: Stephen Cprek <smcprek@us.ibm.com> 2017-11-20 16:56:44 -0600
committer: Daniel M. Crowell <dcrowell@us.ibm.com> 2017-12-18 17:27:59 -0500
commit: 9ae6e9595f9773d295b7e3ade47088f554c1ed48 (patch)
tree: f33427b681154991423fb9faad3476bf4aa17ff4 /src/usr/pnor/pnorrp.C
parent: 8392e4f606607e505bb99de2a8d229ae69be5efe (diff)
download: talos-hostboot-9ae6e9595f9773d295b7e3ade47088f554c1ed48.tar.gz
talos-hostboot-9ae6e9595f9773d295b7e3ade47088f554c1ed48.zip
1 files changed, 0 insertions, 79 deletions
diff --git a/src/usr/pnor/pnorrp.C b/src/usr/pnor/pnorrp.C
index da2548ebc..a874d3735 100644
--- a/src/usr/pnor/pnorrp.C
+++ b/src/usr/pnor/pnorrp.C
@@ -160,36 +160,6 @@ errlHndl_t PNOR::fixECC(PNOR::SectionId i_section)
     return Singleton<PnorRP>::instance().fixECC(i_section);
 }
 
-// @TODO RTC 173489
-// Remove API once FSP fully supports signing of PNOR sections that did not
-// previously have a sha512 header
-errlHndl_t PNOR::readHeaderMagic(
-    const PNOR::SectionId      i_secId,
-    const PNOR::SectionData_t& i_TOC,
-    const size_t               i_size,
-          void* const          o_pData)
-{
-    errlHndl_t pError = nullptr;
-    assert(o_pData != nullptr,"Output buffer pointer was nullptr");
-
-    do {
-
-    size_t size = i_size;
-    auto pTarget = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL;
-    // Read first <=8 bytes of section data from the PNOR DD
-    // Note: Do not need to worry about ECC as the 9th byte is the first
-    //       ECC byte.
-    pError = DeviceFW::deviceRead(pTarget, o_pData, size,
-                         DEVICE_PNOR_ADDRESS(0,i_TOC.flashAddr));
-    if (pError)
-    {
-        break;
-    }
-
-    } while(0);
-
-    return pError;
-}
 
 /**
  * STATIC
@@ -369,55 +339,6 @@ void PnorRP::initDaemon()
             break;
         }
 
-        // @TODO RTC 178520 Remove the non-secure extension path and
-        // always used the converged HBB extension path.
-
-        // If secured, extend base image (HBB) when Hostboot first starts.
-        // Since HBB is never re-loaded, inhibit extending this image in
-        // runtime code.
-        #ifndef __HOSTBOOT_RUNTIME
-        #ifdef CONFIG_SECUREBOOT
-        if(!SECUREBOOT::enabled())
-        {
-            // If compliant bootloader was present, it saved the HBB header
-            // to a known location accessible to HBB.  Until that bootloader
-            // is widely distributed, when in non-secure mode in lab,
-            // manufacturing, etc., read the header directly from PNOR.
-            PNOR::SideInfo_t pnorInfo = {PNOR::WORKING};
-            l_errhdl = PnorRP::getSideInfo(PNOR::WORKING, pnorInfo);
-            if(l_errhdl != nullptr)
-            {
-                break;
-            }
-
-            const SectionData_t* const pHbb = &iv_TOC[PNOR::HB_BASE_CODE];
-            const bool ecc = (pHbb->integrity == FFS_INTEG_ECC_PROTECT) ?
-                true :false;
-
-            uint8_t pHeader[PAGESIZE] = {0};
-            uint64_t fatalError = 0;
-            l_errhdl = readFromDevice(
-                    pnorInfo.hbbAddress,
-                    pHbb->chip,
-                    ecc,
-                    pHeader,
-                    fatalError);
-
-            // If fatalError != 0 there is an uncorrectable ECC error (UE).
-            // In that case, continue on with inaccurate data, as
-            // readFromDevice API will initiate a shutdown
-            if(l_errhdl != nullptr)
-            {
-                break;
-            }
-
-            // Cache the header
-            (void)SECUREBOOT::baseHeader().setNonSecurely(
-                pHeader);
-        }
-        #endif
-        #endif
-
         // start task to wait on the queue
         task_create( wait_for_message, NULL );
     } while(0);
author	Stephen Cprek <smcprek@us.ibm.com>	2017-11-20 16:56:44 -0600
committer	Daniel M. Crowell <dcrowell@us.ibm.com>	2017-12-18 17:27:59 -0500
commit	9ae6e9595f9773d295b7e3ade47088f554c1ed48 (patch)
tree	f33427b681154991423fb9faad3476bf4aa17ff4 /src/usr/pnor/pnorrp.C
parent	8392e4f606607e505bb99de2a8d229ae69be5efe (diff)
download	talos-hostboot-9ae6e9595f9773d295b7e3ade47088f554c1ed48.tar.gz talos-hostboot-9ae6e9595f9773d295b7e3ade47088f554c1ed48.zip