author | Jaymes Wilks <mjwilks@us.ibm.com> | 2017-02-02 09:42:19 -0600 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-03-03 13:51:48 -0500 |
commit | 2384503c61febe6b4b543afcae1cdc0ae27c1132 (patch) | |
tree | 08e58bdd248b1c479f8390ed18a337e6dbea0f4f /src/usr/secureboot/trusted | |
parent | a9eefaa1086c7a3cc51e374c52a7c04397968fd5 (diff) | |
Integrate p9_update_security_ctrl HWP into Istep 10.3
Add handling of TPM deconfig and SBE Secure Seeprom Lock by
integrating the hardware procedure p9_update_security_ctrl into
Istep 10.3 and retriggering the hardware procedure any time a
TPM fails.
Change-Id: I36f57dc7aef3de6661357736a525fe25a3828c6e
RTC:153891
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/36189
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/secureboot/trusted')
-rw-r--r-- | src/usr/secureboot/trusted/makefile | 18 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/trustedboot.C | 132 |
2 files changed, 147 insertions, 3 deletions
diff --git a/src/usr/secureboot/trusted/makefile b/src/usr/secureboot/trusted/makefile index b3da5a509..7ccb04ac2 100644 --- a/src/usr/secureboot/trusted/makefile +++ b/src/usr/secureboot/trusted/makefile @@ -5,7 +5,7 @@ # # OpenPOWER HostBoot Project # -# Contributors Listed Below - COPYRIGHT 2015,2016 +# Contributors Listed Below - COPYRIGHT 2015,2017 # [+] International Business Machines Corp. # # @@ -24,15 +24,31 @@ # IBM_PROLOG_END_TAG ROOTPATH = ../../../.. MODULE = secureboot_trusted +PERV_HWP_PATH += ${ROOTPATH}/src/import/chips/p9/procedures/hwp/perv +#Hardware procedure includes +EXTRAINCDIR += ${PERV_HWP_PATH} +EXTRAINCDIR += ${ROOTPATH}/src/include/usr/fapi2/ +EXTRAINCDIR += ${ROOTPATH}/src/import/hwpf/fapi2/include/ +EXTRAINCDIR += ${ROOTPATH}/src/import/chips/p9/utils/imageProcs/ +EXTRAINCDIR += ${ROOTPATH}/src/import/chips/p9/common/include/ + +#Trustedboot compilation units OBJS += $(if $(CONFIG_TPMDD),trustedboot.o,) OBJS += $(if $(CONFIG_TPMDD),trustedbootCmds.o,) OBJS += $(if $(CONFIG_TPMDD),trustedTypes.o,) OBJS += $(if $(CONFIG_TPMDD),tpmLogMgr.o,) OBJS += $(if $(CONFIG_TPMDD),trustedbootUtils.o,) +#Handle the hardware procedure link dependency +VPATH += ${PERV_HWP_PATH} + SUBDIRS += $(if $(CONFIG_TPMDD),test.d,) CFLAGS += -iquote ../ +#Include HWP procedure makefiles +include ${ROOTPATH}/procedure.rules.mk +include ${PERV_HWP_PATH}/p9_update_security_ctrl.mk + include ${ROOTPATH}/config.mk diff --git a/src/usr/secureboot/trusted/trustedboot.C b/src/usr/secureboot/trusted/trustedboot.C index 2009ab07a..dba6e1ba1 100644 --- a/src/usr/secureboot/trusted/trustedboot.C +++ b/src/usr/secureboot/trusted/trustedboot.C @@ -59,6 +59,9 @@ #ifdef CONFIG_DRTM #include <secureboot/drtm.H> #endif +#include <fapi2.H> +#include <plat_hwp_invoker.H> +#include <p9_update_security_ctrl.H> namespace TRUSTEDBOOT { 
@@ -812,15 +815,140 @@ void pcrExtendSeparator(TpmTarget & io_target) void tpmMarkFailed(TpmTarget * io_target) { - TRACFCOMP( g_trac_trustedboot, ENTER_MRK"tpmMarkFailed() Marking TPM as failed : " "tgt=0x%X", TARGETING::get_huid(io_target->tpmTarget)); io_target->failed = true; - /// @todo RTC:125287 Add fail marker to TPM log and disable TPM access + #ifdef CONFIG_SECUREBOOT + TARGETING::Target* l_tpm = io_target->tpmTarget; + + errlHndl_t l_err = nullptr; + TARGETING::Target* l_proc = nullptr; + + do { + + if (!SECUREBOOT::enabled()) + { + break; + } + + // for the given tpm target, find the processor target + TARGETING::TargetHandleList l_procList; + getAllChips(l_procList,TARGETING::TYPE_PROC,false); + + auto l_tpmInfo = l_tpm->getAttr<TARGETING::ATTR_TPM_INFO>(); + + for(auto it : l_procList) + { + auto l_physPath = it->getAttr<TARGETING::ATTR_PHYS_PATH>(); + if (l_tpmInfo.i2cMasterPath == l_physPath) + { + // found processor to deconfigure + l_proc = it; + break; + } + } + if (l_proc == nullptr) + { + assert(false,"tpmMarkFailed - TPM with non-existent processor indicates" + " a bad MRW. 
TPM tgt=0x%X", TARGETING::get_huid(l_tpm)); + } + + // set ATTR_SECUREBOOT_PROTECT_DECONFIGURED_TPM for the processor + uint8_t l_protectTpm = 1; + l_proc->setAttr<TARGETING::ATTR_SECUREBOOT_PROTECT_DECONFIGURED_TPM>( + l_protectTpm); + + // do not deconfigure the processor if it already deconfigured + TARGETING::PredicateHwas isNonFunctional; + isNonFunctional.functional(false); + if (isNonFunctional(l_proc)) + { + // Note: at this point l_err is nullptr so + // no error log is created on break + break; + } + + uint64_t l_regValue = 0; + l_err = SECUREBOOT::getSecuritySwitch(l_regValue, l_proc); + if (l_err) + { + TRACFCOMP(g_trac_trustedboot, + ERR_MRK"tpmMarkFailed - call to getSecuritySwitch failed"); + break; + } + // if the SBE lock bit is not set, it means that istep 10.3 hasn't executed + // yet, so we will let istep 10.3 call p9_update_security_control HWP + // if the SBE lock bit is set, then we will call the HWP here + if (!(l_regValue & static_cast<uint64_t>(SECUREBOOT::ProcSecurity::SULBit))) + { + break; + } + + const fapi2::Target<fapi2::TARGET_TYPE_PROC_CHIP> l_fapiTarg(l_proc); + + FAPI_INVOKE_HWP(l_err, p9_update_security_ctrl, l_fapiTarg); + + if (l_err) + { + TRACFCOMP(g_trac_trustedboot, + ERR_MRK"tpmMarkFailed - call to p9_update_security_ctrl failed "); + } + + } while(0); + + if (l_err) + { + TRACFCOMP(g_trac_trustedboot, + ERR_MRK "Processor tgt=0x%X TPM tgt=0x&X. 
Deconfiguring processor " + "because future security cannot be guaranteed.", + TARGETING::get_huid(l_proc), + TARGETING::get_huid(l_tpm)); + + // save the plid from the error before commiting + auto plid = l_err->plid(); + + ERRORLOG::ErrlUserDetailsTarget(l_proc).addToLog(l_err); + + // commit this error log first before creating the new one + errlCommit(l_err, SECURE_COMP_ID); + + /*@ + * @errortype + * @reasoncode TRUSTEDBOOT::RC_UPDATE_SECURITY_CTRL_HWP_FAIL + * @moduleid TRUSTEDBOOT::MOD_TPM_MARK_FAILED + * @severity ERRL_SEV_UNRECOVERABLE + * @userdata1 Processor Target + * @userdata2 TPM Target + * @devdesc Failed to set SEEPROM lock and/or TPM deconfig + * protection for this processor, so we cannot + * guarrantee platform secuirty for this processor + * @custdesc Platform security problem detected + */ + l_err = new ERRORLOG::ErrlEntry(ERRORLOG::ERRL_SEV_UNRECOVERABLE, + TRUSTEDBOOT::MOD_TPM_MARK_FAILED, + TRUSTEDBOOT::RC_UPDATE_SECURITY_CTRL_HWP_FAIL, + TARGETING::get_huid(l_proc), + TARGETING::get_huid(l_tpm)); + + l_err->addHwCallout(l_proc, + HWAS::SRCI_PRIORITY_LOW, + HWAS::DELAYED_DECONFIG, + HWAS::GARD_NULL); + + l_err->collectTrace(SECURE_COMP_NAME); + + // pass on the plid from the previous error log to the new one + l_err->plid(plid); + + ERRORLOG::ErrlUserDetailsTarget(l_proc).addToLog(l_err); + + ERRORLOG::errlCommit(l_err, SECURE_COMP_ID); + } + #endif } void tpmVerifyFunctionalTpmExists() |
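Review bot: The trace in the final `if (l_err)` block of tpmMarkFailed has a mistyped conversion, `TPM tgt=0x&X`, so the second argument `TARGETING::get_huid(l_tpm)` is never formatted and the failing TPM's HUID is missing from the one trace that explains why the processor is being deconfigured. The line should read `ERR_MRK "Processor tgt=0x%X TPM tgt=0x%X. Deconfiguring processor "`. The `@devdesc` text in the same block is spelled "guarrantee platform secuirty"; that comment looks like it feeds the error-log description, so it is worth correcting to "guarantee platform security" in this change. Separately, the callout uses `HWAS::DELAYED_DECONFIG`, so the processor presumably stays in use until the deferred deconfig is processed; a short comment saying why that window is acceptable after the security-control update has failed would help the next reader.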