author | Nick Bofferding <bofferdn@us.ibm.com> | 2017-04-20 16:33:39 -0500 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-04-28 14:18:34 -0400 |
commit | f30075299ce2c078705192b1835b70eff4f08fc1 (patch) | |
tree | f8d45e2052765457bee020e7b9b3b60d37f5b6a4 /src/usr/pnor/spnorrp.C | |
parent | 21187e0ac2c55cd238b915a0d1c9e80ff2fbaacd (diff) | |
Support setting security mode based on SBE key indicator bit
Change-Id: I9db3857b73116db5761b55eb3aa6ec7e47dd4c3d
RTC: 170650
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/39515
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/pnor/spnorrp.C')
-rw-r--r-- | src/usr/pnor/spnorrp.C | 41 |
1 files changed, 40 insertions, 1 deletions
diff --git a/src/usr/pnor/spnorrp.C b/src/usr/pnor/spnorrp.C
index cd59cf26d..496ebabe9 100644
--- a/src/usr/pnor/spnorrp.C
+++ b/src/usr/pnor/spnorrp.C
@@ -386,6 +386,15 @@ uint64_t SPnorRP::verifySections(SectionId i_id, LoadRecord* o_rec)
 }
 }
+ l_errhdl = processFwKeyIndicators(l_conHdr,i_id);
+ if(l_errhdl)
+ {
+ TRACFCOMP(g_trac_pnor, ERR_MRK "SPnorrRP::verifySections: Failed "
+ "in call to processFwKeyIndicators(). PNOR section = %s.",
+ PNOR::SectionIdToString(i_id));
+ break;
+ }
+
 // verification succeeded
 // parse container header now that it is verified
@@ -766,6 +775,36 @@ errlHndl_t PNOR::unloadSecureSection(const SectionId i_section)
 return pError;
 }
+void SPnorRP::processLabOverride(
+ const sb_flags_t& i_flags) const
+{
+ TARGETING::Target* pSys = nullptr;
+ TARGETING::targetService().getTopLevelTarget(pSys);
+ assert(pSys != nullptr,"System target was nullptr.");
+ // ATTR_SECURITY_MODE attribute values are inverted with respect to the lab
+ // override flag for the same logical meaning
+ TARGETING::ATTR_SECURITY_MODE_type securityMode =
+ !(i_flags.hw_lab_override);
+ pSys->setAttr<TARGETING::ATTR_SECURITY_MODE>(securityMode);
+ TRACFCOMP(g_trac_pnor,INFO_MRK "Set lab security override policy to %s.",
+ securityMode ? "*NO* override" : "override if requested");
+}
+
+errlHndl_t SPnorRP::processFwKeyIndicators(
+ const SECUREBOOT::ContainerHeader& i_header,
+ const PNOR::SectionId i_sectionId) const
+{
+ errlHndl_t pError = nullptr;
+
+ if(i_sectionId == PNOR::SBE_IPL)
+ {
+ auto const * const headerFlags = i_header.sb_flags();
+ processLabOverride(*headerFlags);
+ }
+
+ return pError;
+}
+
 errlHndl_t SPnorRP::miscSectionVerification(const uint8_t *i_vaddr, SectionId i_secId) const
 {
@@ -908,4 +947,4 @@ errlHndl_t SPnorRP::keyTransitionCheck(const uint8_t *i_vaddr) const
 }while(0);
 return l_errl;
-}
\ No newline at end of file
+} |
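Review bot: The new `processFwKeyIndicators(l_conHdr,i_id)` call in `SPnorRP::verifySections` lets flags from the container header drive security policy, yet nothing in the hunk records that this is only safe once the header's signature has been checked. The call sits directly above the existing `// verification succeeded` comment, so the ordering looks intended, but the verification code and the rest of the function body lie outside the hunk and cannot be confirmed from here. A comment such as `// l_conHdr has been verified at this point; only now may its flags set security policy` would stop a later reshuffle from moving the call ahead of verification. The trace string also misspells the class as `SPnorrRP::verifySections`, which hides this failure from anyone searching traces for `SPnorRP`.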
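Review bot: `SPnorRP::processFwKeyIndicators` dereferences the pointer returned by `i_header.sb_flags()` without checking it, in `processLabOverride(*headerFlags);`. Whether `sb_flags()` can return nullptr is not visible in this diff, so a guard in the style already used for `pSys` would make the assumption explicit: `assert(headerFlags != nullptr,"sb_flags() returned nullptr.");`. Separately, `processLabOverride` rewrites `ATTR_SECURITY_MODE` on every call and reports the result only through an `INFO_MRK` trace. Because a set `hw_lab_override` bit relaxes the policy to "override if requested", the function deserves a header comment stating that `i_flags` must come from an already-verified container header, and the relaxed case is worth a more prominent record than an informational trace.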