Extend basic config entries to TPM

Change-Id: I17c215c3120782d022ade0ac8343934c64e2e13e
Original-Change-Id: I92e2c7758ebac2912caa9f449c3531c584487bd5
FowardPort: yes
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/22002
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/24481
Tested-by: Jenkins Server
Tested-by: FSP CI Jenkins
Reviewed-by: Christopher J. Engel <cjengel@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>

5 files changed, 112 insertions, 10 deletions

diff --git a/src/usr/secureboot/base/settings.C b/src/usr/secureboot/base/settings.C
index cda200b74..8caa6708c 100644
--- a/src/usr/secureboot/base/settings.C
+++ b/src/usr/secureboot/base/settings.C
@@ -5,7 +5,9 @@
 /*                                                                        */
 /* OpenPOWER HostBoot Project                                             */
 /*                                                                        */
-/* COPYRIGHT International Business Machines Corp. 2013,2014              */
+/* Contributors Listed Below - COPYRIGHT 2013,2016                        */
+/* [+] International Business Machines Corp.                              */
+/*                                                                        */
 /*                                                                        */
 /* Licensed under the Apache License, Version 2.0 (the "License");        */
 /* you may not use this file except in compliance with the License.       */
@@ -54,4 +56,9 @@ namespace SECUREBOOT
     {
         return 0 != (iv_regValue & SECURITY_SWITCH_TRUSTED_BOOT);
     }
+
+    uint64_t Settings::getSecuritySwitch()
+    {
+        return iv_regValue;
+    }
 }
diff --git a/src/usr/secureboot/settings.H b/src/usr/secureboot/settings.H
index 116280c05..3da86e3cb 100644
--- a/src/usr/secureboot/settings.H
+++ b/src/usr/secureboot/settings.H
@@ -5,7 +5,9 @@
 /*                                                                        */
 /* OpenPOWER HostBoot Project                                             */
 /*                                                                        */
-/* COPYRIGHT International Business Machines Corp. 2013,2014              */
+/* Contributors Listed Below - COPYRIGHT 2013,2016                        */
+/* [+] International Business Machines Corp.                              */
+/*                                                                        */
 /*                                                                        */
 /* Licensed under the Apache License, Version 2.0 (the "License");        */
 /* you may not use this file except in compliance with the License.       */
@@ -40,15 +42,18 @@ namespace SECUREBOOT
             /** @brief Determine if Secureboot is enabled. */
             bool getEnabled();
 
+            /** @brief Get security switch register value */
+            uint64_t getSecuritySwitch();
+
         private:
             void _init();
 
-                /** Cached register value. */
+            /** Cached register value. */
             uint64_t iv_regValue;
 
-                /** SCOM address for security settings. */
+            /** SCOM address for security settings. */
             static const uint64_t SECURITY_SWITCH_REGISTER;
-                /** Bitfield mask for Secureboot enable flag. */
+            /** Bitfield mask for Secureboot enable flag. */
             static const uint64_t SECURITY_SWITCH_TRUSTED_BOOT;
     };
 }
diff --git a/src/usr/secureboot/trusted/base/trustedboot_base.C b/src/usr/secureboot/trusted/base/trustedboot_base.C
index ea17bc39b..61e7a12a2 100644
--- a/src/usr/secureboot/trusted/base/trustedboot_base.C
+++ b/src/usr/secureboot/trusted/base/trustedboot_base.C
@@ -90,10 +90,8 @@ errlHndl_t pcrExtend(TPM_Pcr i_pcr,
 
     TRACDCOMP( g_trac_trustedboot, ENTER_MRK"pcrExtend()" );
     TRACUCOMP( g_trac_trustedboot,
-               ENTER_MRK"pcrExtend() pcr=%d msg='%s' digest=%016llX",
-               i_pcr,
-               i_logMsg,
-               *(reinterpret_cast<uint64_t*>(i_digest)));
+               ENTER_MRK"pcrExtend() pcr=%d msg='%s'", i_pcr, i_logMsg);
+    TRACFBIN(g_trac_trustedboot, "pcrExtend() digest:", i_digest, i_digestSize);
 
     // Ensure proper digest size
     uint8_t digestData[fullDigestSize];
@@ -109,6 +107,7 @@ errlHndl_t pcrExtend(TPM_Pcr i_pcr,
            (strlen(i_logMsg) < MAX_TPM_LOG_MSG ? strlen(i_logMsg) :
             MAX_TPM_LOG_MSG));
 
+
     for (size_t idx = 0; idx < MAX_SYSTEM_TPMS; idx++)
     {
         // Add the event to this TPM, if an error occurs the TPM will
diff --git a/src/usr/secureboot/trusted/trustedboot.C b/src/usr/secureboot/trusted/trustedboot.C
index 03d957b9e..a934b592c 100644
--- a/src/usr/secureboot/trusted/trustedboot.C
+++ b/src/usr/secureboot/trusted/trustedboot.C
@@ -41,12 +41,14 @@
 #include <targeting/common/targetservice.H>
 #include <secureboot/trustedbootif.H>
 #include <secureboot/trustedboot_reasoncodes.H>
+#include <sys/mmio.h>
 #include "trustedboot.H"
 #include "trustedTypes.H"
 #include "trustedbootCmds.H"
 #include "trustedbootUtils.H"
 #include "base/tpmLogMgr.H"
 #include "base/trustedboot_base.H"
+#include "../settings.H"
 
 namespace TRUSTEDBOOT
 {
@@ -149,7 +151,6 @@ void* host_update_master_tpm( void *io_pArgs )
             break;
         }
 
-
         // Lastly we will check on the backup TPM and see if it is enabled
         //  in the attributes at least
         TPMDD::tpm_info_t tpmInfo;
@@ -184,6 +185,11 @@ void* host_update_master_tpm( void *io_pArgs )
         mutex_unlock(&(systemTpms.tpm[TPM_MASTER_INDEX].tpmMutex));
     }
 
+    if (NULL == err)
+    {
+        // Log config entries to TPM - needs to be after mutex_unlock
+        err = tpmLogConfigEntries(systemTpms.tpm[TPM_MASTER_INDEX]);
+    }
 
     TRACDCOMP( g_trac_trustedboot,
                EXIT_MRK"host_update_master_tpm() - %s",
@@ -322,4 +328,80 @@ void tpmReplayLog(TRUSTEDBOOT::TpmTarget & io_target)
     }
 }
 
+errlHndl_t tpmLogConfigEntries(TRUSTEDBOOT::TpmTarget & io_target)
+{
+    TRACFCOMP(g_trac_trustedboot, ENTER_MRK"tpmLogConfigEntries()");
+
+    errlHndl_t l_err = NULL;
+
+    do
+    {
+        // Create digest buffer and set to largest config entry size.
+        uint8_t l_digest[sizeof(uint64_t)];
+        memset(l_digest, 0, sizeof(uint64_t));
+
+        // Security switches
+        uint64_t l_securitySwitchValue = Singleton<SECUREBOOT::Settings>::
+                                                instance().getSecuritySwitch();
+        TRACFCOMP(g_trac_trustedboot, "security switch value = 0x%X",
+                                l_securitySwitchValue);
+        // Extend to TPM - PCR_1
+        memcpy(l_digest, &l_securitySwitchValue, sizeof(l_securitySwitchValue));
+        l_err = pcrExtend(PCR_1, l_digest, sizeof(l_securitySwitchValue),
+                          "Security Switches");
+        if (l_err)
+        {
+            break;
+        }
+        memset(l_digest, 0, sizeof(uint64_t));
+
+        // Chip type and EC
+        // Fill in the actual PVR of chip
+        // Layout of the PVR is (32-bit): (see cpuid.C for latest format)
+        //     2 nibbles reserved.
+        //     2 nibbles chip type.
+        //     1 nibble technology.
+        //     1 nibble major DD.
+        //     1 nibble reserved.
+        //     1 nibble minor D
+        uint32_t l_pvr = mmio_pvr_read() & 0xFFFFFFFF;
+        TRACDCOMP(g_trac_trustedboot, "PVR of chip = 0x%X", l_pvr);
+        // Extend to TPM - PCR_1
+        memcpy(l_digest, &l_pvr, sizeof(l_pvr));
+        l_err = pcrExtend(PCR_1, l_digest, sizeof(l_pvr),"PVR of Chip");
+        if (l_err)
+        {
+            break;
+        }
+        memset(l_digest, 0, sizeof(uint64_t));
+
+        // Figure out which node we are running on
+        TARGETING::Target* l_masterProc = NULL;
+        TARGETING::targetService().masterProcChipTargetHandle(l_masterProc);
+        TARGETING::EntityPath l_entityPath =
+                        l_masterProc->getAttr<TARGETING::ATTR_PHYS_PATH>();
+        const TARGETING::EntityPath::PathElement l_pathElement =
+                        l_entityPath.pathElementOfType(TARGETING::TYPE_NODE);
+        uint64_t l_nodeid = l_pathElement.instance;
+        // Extend to TPM - PCR_1,4,5,6
+        memcpy(l_digest, &l_nodeid, sizeof(l_nodeid));
+        const TPM_Pcr l_pcrs[] = {PCR_1,PCR_4,PCR_5,PCR_6};
+        for (size_t i = 0; i < (sizeof(l_pcrs)/sizeof(TPM_Pcr)) ; ++i)
+        {
+            l_err = pcrExtend(l_pcrs[i], l_digest, sizeof(l_nodeid),"Node id");
+            if (l_err)
+            {
+                break;
+            }
+        }
+        if (l_err)
+        {
+            break;
+        }
+
+    } while(0);
+
+    return l_err;
+}
+
 } // end TRUSTEDBOOT
diff --git a/src/usr/secureboot/trusted/trustedboot.H b/src/usr/secureboot/trusted/trustedboot.H
index 2569de487..866e253e5 100644
--- a/src/usr/secureboot/trusted/trustedboot.H
+++ b/src/usr/secureboot/trusted/trustedboot.H
@@ -87,6 +87,15 @@ errlHndl_t tpmVerifyFunctionalTpmExists();
  */
 void tpmReplayLog(TRUSTEDBOOT::TpmTarget & io_target);
 
+/**
+ * @brief Send config entries to tpm
+ *
+ * @param[in/out] io_target Current TPM target structure
+ *
+ * @return errlHndl_t NULL if successful, otherwise a pointer to the
+ *       error log.
+ */
+errlHndl_t tpmLogConfigEntries(TRUSTEDBOOT::TpmTarget & io_target);
 
 } // end TRUSTEDBOOT namespace
 #endif