diff options
| author | Mike Baiocchi <mbaiocch@us.ibm.com> | 2017-05-18 17:12:26 -0500 |
|---|---|---|
| committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-06-07 09:40:09 -0400 |
| commit | 94eff06a67f84e9eb0f2189efd7a0b47029fd154 (patch) | |
| tree | 963bbdaa8eb9fe5dc72e4bec62b3c3b2c5880d53 /src/usr/pnor | |
| parent | 449f2ba22f199b36de5e041ff8d028af8c3c3652 (diff) | |
| download | talos-hostboot-94eff06a67f84e9eb0f2189efd7a0b47029fd154.tar.gz talos-hostboot-94eff06a67f84e9eb0f2189efd7a0b47029fd154.zip | |
Disable Attribute Overrides in Secure Mode
This commit disables attribute overrides during the IPL and at Runtime
when the system has security enabled.
Change-Id: Ia56b11fc1450c8e11be27c90c0de179038273873
RTC: 163094
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/40735
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/pnor')
| -rw-r--r-- | src/usr/pnor/pnor_common.C | 8 | ||||
| -rw-r--r-- | src/usr/pnor/runtime/rt_pnor.C | 46 |
2 files changed, 33 insertions, 21 deletions
diff --git a/src/usr/pnor/pnor_common.C b/src/usr/pnor/pnor_common.C index eb62a6c36..2c491d990 100644 --- a/src/usr/pnor/pnor_common.C +++ b/src/usr/pnor/pnor_common.C @@ -385,12 +385,10 @@ errlHndl_t PNOR::extendHash(uint64_t i_addr, bool PNOR::isInhibitedSection(const uint32_t i_section) { -// TODO securebootp9 for now we won't be inhibiting overrides #ifdef CONFIG_SECUREBOOT -// return (i_section == ATTR_PERM || -// i_section == ATTR_TMP) && -// SECUREBOOT::enabled(); - return false; + return (i_section == ATTR_PERM || + i_section == ATTR_TMP) && + SECUREBOOT::enabled(); #else return false; #endif diff --git a/src/usr/pnor/runtime/rt_pnor.C b/src/usr/pnor/runtime/rt_pnor.C index cde36a487..a154254b3 100644 --- a/src/usr/pnor/runtime/rt_pnor.C +++ b/src/usr/pnor/runtime/rt_pnor.C @@ -40,6 +40,7 @@ #include <util/align.H> #include <runtime/customize_attrs_for_payload.H> #include <securerom/ROM.H> +#include <config.h> // Trace definition extern trace_desc_t* g_trac_pnor; @@ -109,9 +110,9 @@ void PNOR::getPnorInfo( PnorInfo_t& o_pnorInfo ) o_pnorInfo.mmioOffset = LPC_SFC_MMIO_OFFSET | LPC_FW_SPACE; //Using sys target - TARGETING::Target* sys = NULL; + TARGETING::Target* sys = nullptr; TARGETING::targetService().getTopLevelTarget( sys ); - assert(sys != NULL); + assert(sys != nullptr); o_pnorInfo.norWorkarounds = sys->getAttr< TARGETING::ATTR_PNOR_FLASH_WORKAROUNDS>(); @@ -154,24 +155,37 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section, PNOR::SectionInfo_t& o_info) { TRACFCOMP(g_trac_pnor, ENTER_MRK"RtPnor::getSectionInfo"); - errlHndl_t l_err = NULL; + errlHndl_t l_err = nullptr; do { - if (i_section == PNOR::INVALID_SECTION) + bool l_inhibited = false; + #ifdef CONFIG_SECUREBOOT + l_inhibited = PNOR::isInhibitedSection(i_section); + #endif + if (i_section == PNOR::INVALID_SECTION || l_inhibited) { TRACFCOMP(g_trac_pnor, "RtPnor::getSectionInfo: Invalid Section" " %d", (int)i_section); + #ifdef CONFIG_SECUREBOOT + if (l_inhibited) + { + TRACFCOMP(g_trac_pnor, "RtPnor::getSectionInfo: " + "attribute overrides inhibited by secureboot"); + } + #endif /*@ * @errortype * @moduleid PNOR::MOD_RTPNOR_GETSECTIONINFO * @reasoncode PNOR::RC_RTPNOR_INVALID_SECTION * @userdata1 PNOR::SectionId - * @devdesc invalid section passed to getSectionInfo + * @userdata2 Inhibited by secureboot + * @devdesc invalid section passed to getSectionInfo or + * section prohibited by secureboot */ l_err = new ERRORLOG::ErrlEntry(ERRORLOG::ERRL_SEV_UNRECOVERABLE, PNOR::MOD_RTPNOR_GETSECTIONINFO, PNOR::RC_RTPNOR_INVALID_SECTION, - i_section, 0,true); + i_section, l_inhibited, true); break; } @@ -199,8 +213,8 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section, bool l_ecc = (iv_TOC[i_section].integrity&FFS_INTEG_ECC_PROTECT) ? true : false; - void* l_pWorking = NULL; - void* l_pClean = NULL; + void* l_pWorking = nullptr; + void* l_pClean = nullptr; //find the section in the map first if(iv_pnorMap.find(i_section) != iv_pnorMap.end()) @@ -263,7 +277,7 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section, errlHndl_t RtPnor::flush( PNOR::SectionId i_section) { TRACFCOMP(g_trac_pnor, ENTER_MRK"RtPnor::flush"); - errlHndl_t l_err = NULL; + errlHndl_t l_err = nullptr; do { if (i_section == PNOR::INVALID_SECTION) @@ -388,8 +402,8 @@ errlHndl_t RtPnor::readFromDevice (uint64_t i_procId, TRACFCOMP(g_trac_pnor, ENTER_MRK"RtPnor::readFromDevice: i_offset=0x%X, " "i_procId=%d sec=%d size=0x%X ecc=%d", i_offset, i_procId, i_section, i_size, i_ecc); - errlHndl_t l_err = NULL; - uint8_t* l_eccBuffer = NULL; + errlHndl_t l_err = nullptr; + uint8_t* l_eccBuffer = nullptr; do { @@ -587,8 +601,8 @@ errlHndl_t RtPnor::writeToDevice( uint64_t i_procId, TRACFCOMP(g_trac_pnor, ENTER_MRK"RtPnor::writeToDevice: i_offset=0x%X, " "i_procId=%d sec=%d size=0x%X ecc=%d", i_offset, i_procId, i_section, i_size, i_ecc); - errlHndl_t l_err = NULL; - uint8_t* l_eccBuffer = NULL; + errlHndl_t l_err = nullptr; + uint8_t* l_eccBuffer = nullptr; do { @@ -804,7 +818,7 @@ RtPnor& RtPnor::getInstance() errlHndl_t RtPnor::getSideInfo( PNOR::SideId i_side, PNOR::SideInfo_t& o_info) { - errlHndl_t l_err = NULL; + errlHndl_t l_err = nullptr; do { // We only support the working side at runtime @@ -850,10 +864,10 @@ errlHndl_t RtPnor::getSideInfo( PNOR::SideId i_side, errlHndl_t RtPnor::clearSection(PNOR::SectionId i_section) { TRACFCOMP(g_trac_pnor, "RtPnor::clearSection Section id = %d", i_section); - errlHndl_t l_errl = NULL; + errlHndl_t l_errl = nullptr; const uint64_t CLEAR_BYTE = 0xFF; uint8_t* l_buf = new uint8_t[PAGESIZE](); - uint8_t* l_eccBuf = NULL; + uint8_t* l_eccBuf = nullptr; do { |
