diff options
| author | Ilya Smirnov <ismirno@us.ibm.com> | 2018-05-22 10:20:56 -0500 |
|---|---|---|
| committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2018-05-31 13:33:16 -0400 |
| commit | 6ebff9a73ab0bb2d2bf74ee0e566e7aefef569eb (patch) | |
| tree | cc9dc24d7072ffab27602bf84742c2f6c9b75a66 /src/usr/runtime/hdatstructs.H | |
| parent | 27bbfd3457364099b604513d5d1dbb4d6751d6f3 (diff) | |
| download | talos-hostboot-6ebff9a73ab0bb2d2bf74ee0e566e7aefef569eb.tar.gz talos-hostboot-6ebff9a73ab0bb2d2bf74ee0e566e7aefef569eb.zip | |
Secure Boot: Set trusted boot enabled in HDAT considering all nodes
This change implements reporting of trusted boot status
to HDAT considering all nodes of the system. To avoid
inter-node communication, the check is done after the
HDAT TPM info is populated for all nodes. The logic goes
through all TPM Info HDAT records (for each node) and checks
whether the master TPM on each node is present and functional.
The result is aggregated into the trusted boot enabled bit on
the master node. The check is done after the separators have
been extended into TPM; this allows each primary TPM more
chances to fail before we say that it's functional.
Trusted boot enabled bit is reported as 1 if ALL primary
TPMs on ALL booting nodes are present and functional. It is
reported as 0 if at least one primary is not present or
not functional.
Change-Id: I926532efe85b33e95e50d84b0b5e4554852f0601
RTC: 191194
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/59279
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/runtime/hdatstructs.H')
| -rw-r--r-- | src/usr/runtime/hdatstructs.H | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/usr/runtime/hdatstructs.H b/src/usr/runtime/hdatstructs.H index 29f23eac8..2f05a2a70 100644 --- a/src/usr/runtime/hdatstructs.H +++ b/src/usr/runtime/hdatstructs.H @@ -438,4 +438,21 @@ struct hdatCpuCtrlInfo_t hdatCpuCtrlPair_t servRoutineData; // Service Routines Data Area } __attribute__ ((packed)); +/** + * @brief Structure to reflect the security settings on a system. + */ +typedef struct sysSecSets +{ + // bit 0: Code Container Digital Signature Checking + uint16_t secureboot : 1; + // bit 1: Primary TPM is present and functional if single-node system; + // All primary TPMs are present and functional if multi-node system. + uint16_t trustedboot : 1; + // bit 2: SBE Security Backdoor bit. + // NOTE: This bit is labeled "Platform Security Overrides Allowed" + // in the section 6.1.1 of HDAT spec. + uint16_t sbeSecBackdoor : 1; + uint16_t reserved : 13; +} SysSecSets; + #endif |
