diff options
author | Stephen Cprek <smcprek@us.ibm.com> | 2017-11-20 16:56:44 -0600 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-12-18 17:27:59 -0500 |
commit | 9ae6e9595f9773d295b7e3ade47088f554c1ed48 (patch) | |
tree | f33427b681154991423fb9faad3476bf4aa17ff4 /src/usr/pnor/spnorrp.C | |
parent | 8392e4f606607e505bb99de2a8d229ae69be5efe (diff) | |
download | talos-hostboot-9ae6e9595f9773d295b7e3ade47088f554c1ed48.tar.gz talos-hostboot-9ae6e9595f9773d295b7e3ade47088f554c1ed48.zip |
Remove Secure Boot workarounds
- Removing the magic number checks that would block sb functionality
if things didn't appear secure
- Remove Best Effort Policy and all of its related code
- Remove the legacy PCR extension
- Remove the non-secure header preservation path.
- Always load HB base image header from the bl to hb data path
vs settings unsecurely out of pnor
Change-Id: Ie638384ac50ed47850985c959ea7a32e5757d64e
RTC: 178520
RTC: 155374
RTC: 173489
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49925
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/pnor/spnorrp.C')
-rw-r--r-- | src/usr/pnor/spnorrp.C | 71 |
1 files changed, 23 insertions, 48 deletions
diff --git a/src/usr/pnor/spnorrp.C b/src/usr/pnor/spnorrp.C index 90c53d712..29dd6de64 100644 --- a/src/usr/pnor/spnorrp.C +++ b/src/usr/pnor/spnorrp.C @@ -328,38 +328,30 @@ uint64_t SPnorRP::verifySections(SectionId i_id, if (!l_info.secure) { - if(SECUREBOOT::bestEffortPolicy()) - { - TRACFCOMP(g_trac_pnor,"PNOR::verifySections> called on unsecured section - Best effort policy skipping"); - break; - } - else - { - TRACFCOMP(g_trac_pnor,ERR_MRK"PNOR::verifySections> called on " + TRACFCOMP(g_trac_pnor,ERR_MRK"PNOR::verifySections> called on " "unsecured section"); - /*@ - * @errortype - * @severity ERRL_SEV_CRITICAL_SYS_TERM - * @moduleid PNOR::MOD_SPNORRP_VERIFYSECTIONS - * @reasoncode PNOR::RC_UNSIGNED_PNOR_SECTION - * @userdata1 PNOR section requested to verify - * @userdata2 0 - * @devdesc Cannot verify unsigned PNOR section - * @custdesc Security failure: unable to securely load - * requested firmware. - */ - l_errhdl = new ERRORLOG::ErrlEntry( - ERRORLOG::ERRL_SEV_CRITICAL_SYS_TERM, - PNOR::MOD_SPNORRP_VERIFYSECTIONS, - PNOR::RC_UNSIGNED_PNOR_SECTION, - TO_UINT64(i_id), - 0, - true /*Add HB SW Callout*/); - l_errhdl->collectTrace(PNOR_COMP_NAME); - l_errhdl->collectTrace(SECURE_COMP_NAME); - break; - } + /*@ + * @errortype + * @severity ERRL_SEV_CRITICAL_SYS_TERM + * @moduleid PNOR::MOD_SPNORRP_VERIFYSECTIONS + * @reasoncode PNOR::RC_UNSIGNED_PNOR_SECTION + * @userdata1 PNOR section requested to verify + * @userdata2 0 + * @devdesc Cannot verify unsigned PNOR section + * @custdesc Security failure: unable to securely load + * requested firmware. + */ + l_errhdl = new ERRORLOG::ErrlEntry( + ERRORLOG::ERRL_SEV_CRITICAL_SYS_TERM, + PNOR::MOD_SPNORRP_VERIFYSECTIONS, + PNOR::RC_UNSIGNED_PNOR_SECTION, + TO_UINT64(i_id), + 0, + true /*Add HB SW Callout*/); + l_errhdl->collectTrace(PNOR_COMP_NAME); + l_errhdl->collectTrace(SECURE_COMP_NAME); + break; } else { @@ -881,16 +873,8 @@ void SPnorRP::waitForMessage() size_t l_sizeWithHdr = PAGESIZE + l_rec->textSize; - bool l_wasLoadedAsBestEffort = false; - if (l_rec->textSize == 0 && - SECUREBOOT::bestEffortPolicy()) - { - // indicate that this section had been loaded - // as "best effort" - l_wasLoadedAsBestEffort = true; - } // if the section has an unsecured portion - else if (l_sizeWithHdr != l_rec->infoSize) + if (l_sizeWithHdr != l_rec->infoSize) { TRACFCOMP( g_trac_pnor, ERR_MRK"SPnorRP::waitForMessage> Attempting to unload an unsupported section: 0x%X textsize+hdr: 0x%llX infosize: 0x%llX (the two sizes must be equal)", l_id, l_sizeWithHdr, l_rec->infoSize); /*@ @@ -922,15 +906,6 @@ void SPnorRP::waitForMessage() break; } - if (l_wasLoadedAsBestEffort) - { - l_rec->secAddr = nullptr; - l_rec->textSize = 0; - l_rec->infoSize = 0; - l_rec->refCount = 0; - break; - } - l_errhdl = removePages(l_rec->secAddr, l_sizeWithHdr); if (l_errhdl) |