author | Jaymes Wilks <mjwilks@us.ibm.com> | 2017-08-25 14:18:38 -0500 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-08-31 12:49:40 -0400 |
commit | e1678bffbd5cba43911f7e6f670ac3c3bb68af39 (patch) | |
tree | 2f9086aa3a1e29bbc353591c4a3d771c92472d0d /src/usr/secureboot/base/service.C | |
parent | 45d359f3df82a3e9edf31b89193c7a61c5229977 (diff) | |
Replace HB_SECURITY_MODE attribute with SECUREBOOT API equivalent
The HB_SECURITY_MODE attribute will now be a variable managed by
secureboot. The FAPI attribute SECURITY_MODE that maps to the HB
version will now call to that variable in the SECUREBOOT API.
Change-Id: I7e42c3f2e355feeb0d49aa6a998960bc5409bfa2
RTC:178643
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/45167
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/secureboot/base/service.C')
-rw-r--r-- | src/usr/secureboot/base/service.C | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/src/usr/secureboot/base/service.C b/src/usr/secureboot/base/service.C
index 98a750c98..d0e3b8f89 100644
--- a/src/usr/secureboot/base/service.C
+++ b/src/usr/secureboot/base/service.C
@@ -74,6 +74,17 @@ struct SecureRegisterValues
 uint64_t data;
 };
+/*
+ * HB specific secureboot setting which is aliased to the FAPI attribute
+ * ATTR_SECURITY_MODE and customized into the SBE image. If 0b0, SBE
+ * will disable proc security (via SAB bit) if mailbox scratch register 3
+ * bit 6 is set. Otherwise, if 0b1, SBE will not override proc security.
+ * TODO RTC 170650: When SBE image is signed in all environments, set
+ * default to 0b1 and rely on SBE signing header to configure the final
+ * value.
+ */
+uint8_t g_sbeSecurityMode = 0;
+
 /**
 * @brief Retrieve values of Security Registers of the processors in the system
 *
@@ -600,4 +611,16 @@ bool allowAttrOverrides()
 };
 #endif
+uint8_t getSbeSecurityMode()
+{
+ return g_sbeSecurityMode;
+}
+
+void setSbeSecurityMode(uint8_t i_sbeSecurityMode)
+{
+ assert(i_sbeSecurityMode == 0 || i_sbeSecurityMode == 1,
+ "SBE Security Mode can only be set to 0 or 1");
+ g_sbeSecurityMode = i_sbeSecurityMode;
+}
+
 } //namespace SECUREBOOT |
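Review bot: `g_sbeSecurityMode` is defined in the first hunk with external linkage, so any translation unit that declares it `extern` can write it directly and skip the 0/1 check in `setSbeSecurityMode`. Unless another file needs the symbol, give it internal linkage, `static uint8_t g_sbeSecurityMode = 0;`, so the two accessors are the only read and write path. The initial value 0 is the permissive setting according to the comment (SBE may disable proc security when mailbox scratch register 3 bit 6 is set). The comment should say outright that this is a temporary default pending RTC 170650, so nobody reads it as the intended steady state. The enclosing namespace opens outside the hunk.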
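Review bot: `setSbeSecurityMode` in the second hunk relies on `assert` alone to keep the stored value in {0, 1}, and it lets any caller move the mode from 1 back to 0 without leaving a record. If this `assert` can be compiled out in any build (not visible from the hunk), an out-of-range value would be stored and later customized into the SBE image. An explicit range check that leaves `g_sbeSecurityMode` unchanged on bad input would close that gap. Both accessors also lack a doc comment; the setter's should state the contract, for example `/** @brief Set the SBE security mode; i_sbeSecurityMode must be 0 or 1, any other value asserts */`, and say whether lowering the mode from 1 to 0 is intended. Tracing the old and new value on each call would make a security-mode change visible in boot logs.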