authorJaymes Wilks <mjwilks@us.ibm.com>2017-01-20 10:31:30 -0600
committerDaniel M. Crowell <dcrowell@us.ibm.com>2017-02-07 16:24:36 -0500
commit21bcf18c2d4da4d3c6cb2d306c17422cdfc80ec6 (patch)
tree9cdb828c004a01b18085d98786213dc7f0b92b2e /src/usr/runtime
parent0c00bada7f1efe48f82005421e77994a19960b9f (diff)
downloadtalos-hostboot-21bcf18c2d4da4d3c6cb2d306c17422cdfc80ec6.tar.gz
talos-hostboot-21bcf18c2d4da4d3c6cb2d306c17422cdfc80ec6.zip
TPM Log Pass up to FSP Host
Adds hostboot functionality to populate the HDAT area with System Security Settings, TPM Configuration bits, TPMs/Drawer and Hardware Key Hash Values in the HDAT area for passing up to FSP hosts. Change-Id: I34a9ec51d0311a0a7bc5468a8261a1276b0e5f7a RTC:125306 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/35163 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/runtime')
-rw-r--r--src/usr/runtime/hdatstructs.H15
-rw-r--r--src/usr/runtime/populate_hbruntime.C115
2 files changed, 127 insertions, 3 deletions
diff --git a/src/usr/runtime/hdatstructs.H b/src/usr/runtime/hdatstructs.H
index 804f8414e..aee2c8108 100644
--- a/src/usr/runtime/hdatstructs.H
+++ b/src/usr/runtime/hdatstructs.H
@@ -5,7 +5,7 @@
/* */
/* OpenPOWER HostBoot Project */
/* */
-/* Contributors Listed Below - COPYRIGHT 2012,2016 */
+/* Contributors Listed Below - COPYRIGHT 2012,2017 */
/* [+] International Business Machines Corp. */
/* */
/* */
@@ -33,7 +33,6 @@
// offset in mainstore where NACA starts
const uint64_t HDAT_NACA_OFFSET = 0x00004000;
-
/* NOTE: Most of these structures were copied and adapted from the HDAT
component in FipS. They do not need to be kept exactly in sync so long
as this code follows the HDAT specification. */
@@ -255,6 +254,18 @@ struct hdatSysParms_t
uint8_t vTpmEnabled;
uint8_t hdatReserved;
uint16_t hdatDispWheel;
+ uint32_t hdatNestFreq; // Nest Clock Frequency in MHz
+ uint8_t hdatSplitCoreMode; // Split Core Mode
+ uint8_t hdatReserved4; // Reserved
+ uint16_t hdatReserved5; // Reserved
+ uint8_t hdatSystemVendorName[64]; // System Vendor Name
+ uint16_t hdatSysSecuritySetting; // System Security Settings
+ uint16_t hdatTpmConfBits; // TPM Configuration Bits
+ uint16_t hdatTpmDrawer; // TPMs/Drawer
+ uint16_t hdatReserved6; // Reserved
+ uint8_t hdatHwKeyHashValue[64]; // Hardware Keys Hash Value
+ char hdatSystemFamily[64]; // System Family/Vendor Name
+ char hdatSystemType[64]; // System Type/Vendor Type
} __attribute__ ((packed));
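Review bot: Nothing here pins the byte offsets of the new fields, although another firmware component will read `hdatSysSecuritySetting`, `hdatTpmConfBits` and `hdatHwKeyHashValue` at fixed positions in this packed struct. Because these carry security state, a later insertion above them would silently shift what the consumer interprets as the secure-boot and TPM-required bits. I would add a compile-time check after the closing brace, for example `static_assert(sizeof(hdatSysParms_t) == <SIZE_FROM_HDAT_SPEC>, "hdatSysParms_t must match the HDAT spec");`, with the placeholder replaced by the size from the specification. The struct starts outside this hunk, so the offsets of the earlier members could not be checked here.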
diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C
index e3eaffdc1..5dbaa5291 100644
--- a/src/usr/runtime/populate_hbruntime.C
+++ b/src/usr/runtime/populate_hbruntime.C
@@ -5,7 +5,7 @@
/* */
/* OpenPOWER HostBoot Project */
/* */
-/* Contributors Listed Below - COPYRIGHT 2016 */
+/* Contributors Listed Below - COPYRIGHT 2016,2017 */
/* [+] International Business Machines Corp. */
/* */
/* */
@@ -49,10 +49,17 @@
#include <targeting/attrrp.H>
#include <sys/mm.h>
#include <util/align.H>
+#include <secureboot/trustedbootif.H>
+#include <secureboot/service.H>
+#include <config.h>
+
namespace RUNTIME
{
+// used for populating the TPM required bit in HDAT
+const uint16_t TPM_REQUIRED_BIT = 0x8000; //leftmost bit of uint16_t set to 1
+
trace_desc_t *g_trac_runtime = NULL;
TRAC_INIT(&g_trac_runtime, RUNTIME_COMP_NAME, KILOBYTE);
@@ -226,6 +233,112 @@ errlHndl_t populate_RtDataByNode(uint64_t iNodeId)
} // end populate_RtDataByNode
+errlHndl_t populate_hbSecurebootData ( void )
+{
+ using namespace TARGETING;
+
+ errlHndl_t l_elog = nullptr;
+
+ do {
+
+ const uint64_t l_instance = 0; // pass 0 since sys parms has only one record
+ uint64_t l_hbrtDataAddr = 0;
+ uint64_t l_hbrtDataSizeMax = 0;
+ l_elog = RUNTIME::get_host_data_section(RUNTIME::IPLPARMS_SYSTEM,
+ l_instance,
+ l_hbrtDataAddr,
+ l_hbrtDataSizeMax);
+ if(l_elog != nullptr)
+ {
+ TRACFCOMP( g_trac_runtime, ERR_MRK "populate_hbSecurebootData: "
+ "get_host_data_section() failed for system IPL parameters section");
+ break;
+ }
+
+ hdatSysParms_t* const l_sysParmsPtr
+ = reinterpret_cast<hdatSysParms_t*>(l_hbrtDataAddr);
+
+ typedef struct sysSecSets
+ {
+ // bit 0: Code Container Digital Signature Checking
+ uint16_t secureboot : 1;
+ // bit 1: Measurements Extended to Secure Boot TPM
+ uint16_t trustedboot : 1;
+ uint16_t reserved : 14;
+ } SysSecSets;
+
+ // populate system security settings in hdat
+ SysSecSets* const l_sysSecSets =
+ reinterpret_cast<SysSecSets*>(&l_sysParmsPtr->hdatSysSecuritySetting);
+
+ // populate secure setting for trusted boot
+ bool trusted = false;
+ #ifdef CONFIG_TPMDD
+ trusted = TRUSTEDBOOT::enabled();
+ #endif
+ l_sysSecSets->trustedboot = trusted? 1: 0;
+
+ // populate secure setting for secureboot
+ bool secure = false;
+ #ifdef CONFIG_SECUREBOOT
+ secure = SECUREBOOT::enabled();
+ #endif
+ l_sysSecSets->secureboot = secure? 1: 0;
+
+ // populate TPM config bits in hdat
+ bool tpmRequired = false;
+ #ifdef CONFIG_TRUSTEDBOOT
+ tpmRequired = TRUSTEDBOOT::isTpmRequired();
+ #endif
+
+ l_sysParmsPtr->hdatTpmConfBits = tpmRequired? TPM_REQUIRED_BIT: 0;
+
+ // find max # of TPMs per drawer and populate hdat with it
+
+ // look for class ENC type NODE and class chip TPM to find TPMs
+ TARGETING::TargetHandleList l_nodeEncList;
+
+ getEncResources(l_nodeEncList, TYPE_NODE, UTIL_FILTER_ALL);
+
+ uint16_t l_maxTpms = 0;
+
+ // loop thru the nodes and check number of TPMs
+ for (TargetHandleList::const_iterator
+ l_node_iter = l_nodeEncList.begin();
+ l_node_iter != l_nodeEncList.end();
+ ++l_node_iter)
+ {
+ // for this Node, get a list of tpms
+ TARGETING::TargetHandleList l_tpmChipList;
+
+ getChildAffinityTargets ( l_tpmChipList, *l_node_iter,
+ TARGETING::CLASS_CHIP, TYPE_TPM, false );
+
+ size_t l_numTpms = l_tpmChipList.size();
+
+ if (l_numTpms > l_maxTpms)
+ {
+ l_maxTpms = static_cast<uint16_t>(l_numTpms);
+ }
+ }
+
+ l_sysParmsPtr->hdatTpmDrawer = l_maxTpms;
+ TRACFCOMP(g_trac_runtime,"Max TPMs = 0x%04X", l_maxTpms);
+
+ // populate hw key hash in hdat
+ #ifdef CONFIG_SECUREBOOT
+ auto hash = l_sysParmsPtr->hdatHwKeyHashValue;
+ SECUREBOOT::getHwKeyHash(hash);
+ #else
+ memset(l_sysParmsPtr->hdatHwKeyHashValue,0,
+ sizeof(l_sysParmsPtr->hdatHwKeyHashValue));
+ #endif
+
+ } while(0);
+
+ return (l_elog);
+} // end populate_hbRuntiome
+
errlHndl_t populate_hbRuntimeData( void )
{
errlHndl_t l_elog = NULL;
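Review bot: In `populate_hbSecurebootData`, `l_hbrtDataSizeMax` is fetched from `get_host_data_section()` but never compared with `sizeof(hdatSysParms_t)`, and `l_hbrtDataAddr` is cast and dereferenced without a zero check. If the section handed over is shorter than the newly extended struct, the writes to `hdatTpmDrawer` and the 64-byte `hdatHwKeyHashValue` land beyond it. I would guard the cast with `if (l_hbrtDataAddr == 0 || l_hbrtDataSizeMax < sizeof(hdatSysParms_t))`, create an error log in that branch and `break`. Separately, the `SysSecSets` bit-field overlay leaves the 14 reserved bits at whatever the memory already held, and its bit order is compiler-defined. Building the `uint16_t` from masks and assigning it whole, as is done for `hdatTpmConfBits`, would make the value deterministic. The closing comment `// end populate_hbRuntiome` also names the wrong function.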