diff options
author | Stephen Cprek <smcprek@us.ibm.com> | 2017-07-26 10:33:24 -0500 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-08-25 23:16:28 -0400 |
commit | cefc4c2c1bf3a43a993f2091813ee181779ddee4 (patch) | |
tree | f6b15a971c3207dbae3b1800f8555b55d5dd8ae7 /src/usr/pnor/runtime/rt_pnor.C | |
parent | b8f86e3a6bb4f491360dc3771854e36e903f8a71 (diff) | |
download | talos-hostboot-cefc4c2c1bf3a43a993f2091813ee181779ddee4.tar.gz talos-hostboot-cefc4c2c1bf3a43a993f2091813ee181779ddee4.zip |
Refactor SecureBoot Workarounds to better control leniency
At this time we are trying to secure OpenPOWER in secure mode,
but allow best effort policies in other scenarios
Change-Id: I9ec2b5be49dbfcff678c4d30bb85f8762e448cb6
RTC: 170136
RTC: 155374
RTC: 168021
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/43640
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/pnor/runtime/rt_pnor.C')
-rw-r--r-- | src/usr/pnor/runtime/rt_pnor.C | 120 |
1 files changed, 20 insertions, 100 deletions
diff --git a/src/usr/pnor/runtime/rt_pnor.C b/src/usr/pnor/runtime/rt_pnor.C index c65ad905d..ae187a057 100644 --- a/src/usr/pnor/runtime/rt_pnor.C +++ b/src/usr/pnor/runtime/rt_pnor.C @@ -50,9 +50,6 @@ extern trace_desc_t* g_trac_pnor; */ TASK_ENTRY_MACRO( RtPnor::init ); -// @TODO RTC:155374 Remove this in the future -const size_t BEST_EFFORT_NUM_BYTES = 32; - /** * @brief Return the size and address of a given section of PNOR data */ @@ -159,33 +156,42 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section, do { bool l_inhibited = false; - #ifdef CONFIG_SECUREBOOT + bool l_secure = false; +#ifdef CONFIG_SECUREBOOT l_inhibited = PNOR::isInhibitedSection(i_section); - #endif - if (i_section == PNOR::INVALID_SECTION || l_inhibited) + l_secure = iv_TOC[i_section].secure; +#endif + if (i_section == PNOR::INVALID_SECTION || l_inhibited || l_secure) { - TRACFCOMP(g_trac_pnor, "RtPnor::getSectionInfo: Invalid Section" - " %d", (int)i_section); - #ifdef CONFIG_SECUREBOOT + TRACFCOMP(g_trac_pnor, "RtPnor::getSectionInfo: Invalid Section %d", + static_cast<int>(i_section)); +#ifdef CONFIG_SECUREBOOT if (l_inhibited) { - TRACFCOMP(g_trac_pnor, "RtPnor::getSectionInfo: " - "attribute overrides inhibited by secureboot"); + TRACFCOMP(g_trac_pnor, ERR_MRK"RtPnor::getSectionInfo: attribute overrides inhibited by secureboot"); + } + else if (l_secure) + { + TRACFCOMP(g_trac_pnor, ERR_MRK"RtPnor::getSectionInfo: secure sections should be loaded via Hostboot Reserved Memory"); } - #endif +#endif /*@ * @errortype * @moduleid PNOR::MOD_RTPNOR_GETSECTIONINFO * @reasoncode PNOR::RC_RTPNOR_INVALID_SECTION * @userdata1 PNOR::SectionId - * @userdata2 Inhibited by secureboot + * @userdata2[0:31] Inhibited by secureboot + * @userdata2[32:63] Indication of a secure section * @devdesc invalid section passed to getSectionInfo or * section prohibited by secureboot */ l_err = new ERRORLOG::ErrlEntry(ERRORLOG::ERRL_SEV_UNRECOVERABLE, PNOR::MOD_RTPNOR_GETSECTIONINFO, PNOR::RC_RTPNOR_INVALID_SECTION, - i_section, l_inhibited, true); + i_section, + TWO_UINT32_TO_UINT64(l_inhibited, + l_secure), + true); break; } @@ -258,16 +264,6 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section, (iv_TOC[i_section].version & FFS_VERS_SHA512) ? true : false; o_info.sha512perEC = (iv_TOC[i_section].version & FFS_VERS_SHA512_PER_EC) ? true : false; -#ifdef CONFIG_SECUREBOOT - o_info.secure = iv_TOC[i_section].secure; - // We don't verify PNOR sections at runtime, but we - // still have to bypass the secure header - if(o_info.secure) - { - o_info.vaddr += PAGESIZE; - o_info.size -= PAGESIZE; - } -#endif } while (0); TRACFCOMP(g_trac_pnor, EXIT_MRK"RtPnor::getSectionInfo"); @@ -722,15 +718,6 @@ errlHndl_t RtPnor::readTOC () TRACFCOMP(g_trac_pnor, "RtPnor::readTOC: parseTOC failed"); break; } - - // Check if PNOR section has a secureHeader or not. - // Cannot do a device read during parseTOC in Runtime, so do after. - l_err = setSecure(l_toc0Buffer, iv_TOC); - if (l_err) - { - TRACFCOMP(g_trac_pnor, "RtPnor::readTOC: setSecure failed"); - break; - } } } while (0); @@ -743,73 +730,6 @@ errlHndl_t RtPnor::readTOC () return l_err; } -// @TODO RTC:155374 Remove this in the future -errlHndl_t RtPnor::setSecure(const uint8_t* i_tocBuffer, - PNOR::SectionData_t* io_TOC) const -{ - errlHndl_t l_errhdl = nullptr; - - assert(i_tocBuffer != nullptr, "RtPnor::setSecure received a NULL tocBuffer to read"); - assert(io_TOC != nullptr, "RtPnor::setSecure received a NULL toc to modify"); - - do { - // Set secure flag for each section after the TOC - // Walk through all the entries in the table and parse the data. - auto const l_ffs_hdr = reinterpret_cast<const ffs_hdr*>(i_tocBuffer); - for(uint32_t i=0; i<l_ffs_hdr->entry_count; ++i) - { - PNOR::SectionId l_secId = PNOR::INVALID_SECTION; - - // Get current entry section id - auto cur_entry = &(l_ffs_hdr->entries[i]); - PNOR::getSectionEnum(cur_entry, &l_secId); - if(l_secId == PNOR::INVALID_SECTION) - { - TRACFCOMP(g_trac_pnor, "RtPnor::setSecure Unrecognized Section name(%s), skipping",cur_entry->name); - continue; - } - - // Set secure field based on enforced policy - io_TOC[l_secId].secure = PNOR::isEnforcedSecureSection(l_secId); - -#ifdef CONFIG_SECUREBOOT_BEST_EFFORT - if (io_TOC[l_secId].secure) - { - // Apply best effort policy by checking if the section appears to have a - // secure header - // Need to read first 4 bytes of data to check version header - // Note: For OPAL and PHYP need to read 8 bytes for ECC checking - // In CXX test a pnorDD read is called and requires a - // multiple of 4 bytes. If the section as ECC then it - // needs to be a multiple of 4 bytes after ECC. - // 32 Bytes fulfills both requirements. - size_t l_size = BEST_EFFORT_NUM_BYTES; - uint8_t l_buf[l_size] = {0}; - - bool l_ecc = io_TOC[l_secId].integrity & FFS_INTEG_ECC_PROTECT; - // Read first 8 bytes of section data from PNOR - l_errhdl = readFromDevice(iv_masterProcId, - static_cast<PNOR::SectionId>(l_secId), - 0, l_size, l_ecc, l_buf); - if (l_errhdl) - { - break; - } - - // Check if first 4 bytes match the Secureboot Magic Number - io_TOC[l_secId].secure &= PNOR::cmpSecurebootMagicNumber(l_buf); - } -#endif - } - if (l_errhdl) - { - break; - } - } while(0); - - return l_errhdl; -} - /***********************************************************/ RtPnor& RtPnor::getInstance() { |