Trusted Boot: Provide appropriate callout when TPM not provisioned

Adds high priority TPM callout and low priority HB procedure callout when the TPM is detected not to be provisoned correctly Change-Id: Ia6fc3e4d5baf80f5a899e0b576d9fe07f4a1570c CQ: SW435398 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/61429 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
author: Nick Bofferding <bofferdn@us.ibm.com> 2018-06-26 18:13:37 -0500
committer: Daniel M. Crowell <dcrowell@us.ibm.com> 2018-06-27 16:29:26 -0400
commit: 9886d8d502e87d7568779fce855de6dc24222bda (patch)
tree: 299874a8e9b587158a9fe3972e80da48c28af407 /src/usr/secureboot
parent: 5129448452b605487512bdaabb66b5afb7cd7a70 (diff)
download: talos-hostboot-9886d8d502e87d7568779fce855de6dc24222bda.tar.gz
talos-hostboot-9886d8d502e87d7568779fce855de6dc24222bda.zip
3 files changed, 68 insertions, 40 deletions
diff --git a/src/usr/secureboot/trusted/trustedbootCmds.C b/src/usr/secureboot/trusted/trustedbootCmds.C
index 9a73a7052..db1dca51e 100644
--- a/src/usr/secureboot/trusted/trustedbootCmds.C
+++ b/src/usr/secureboot/trusted/trustedbootCmds.C
@@ -887,24 +887,39 @@ errlHndl_t tpmCmdGetCapNvIndexValidate(TpmTarget* io_target)
 
         /*@
          * @errortype
-         * @reasoncode     RC_TPM_NVINDEX_VALIDATE_FAIL
-         * @severity       ERRL_SEV_UNRECOVERABLE
-         * @moduleid       MOD_TPM_CMD_GETCAPNVINDEX
-         * @userdata1[0:3] foundRSAEKCert
-         * @userdata1[4:7] foundECCEKCert
-         * @userdata1[8:11] foundPlatCert
-         * @userdata1[12:31] 0
-         * @userdata2[0:3] moreData
-         * @userdata2[4:31] 0
-         * @devdesc        Command failure reading TPM NV indexes.
-         * @custdesc       Failure detected in security subsystem
+         * @reasoncode       RC_TPM_NVINDEX_VALIDATE_FAIL
+         * @severity         ERRL_SEV_UNRECOVERABLE
+         * @moduleid         MOD_TPM_CMD_GETCAPNVINDEX
+         * @userdata1[0:7]   foundRSAEKCert
+         * @userdata1[7:15]  foundECCEKCert
+         * @userdata1[16:23] foundPlatCert
+         * @userdata1[24:31] moreData
+         * @userdata1[32:63] 0
+         * @devdesc          Command failure reading TPM NV indexes.
+         *                   TPM is likely provisioned incorrectly.
+         * @custdesc         Failure detected in security subsystem.
          */
-        err = tpmCreateErrorLog(MOD_TPM_CMD_GETCAPNVINDEX,
-                                RC_TPM_NVINDEX_VALIDATE_FAIL,
-                                (uint32_t)foundRSAEKCert << 28 |
-                                (uint32_t)foundECCEKCert << 14 |
-                                (uint32_t)foundPlatCert << 20,
-                                (uint32_t)moreData << 28);
+        err = tpmCreateErrorLog(
+            MOD_TPM_CMD_GETCAPNVINDEX,
+            RC_TPM_NVINDEX_VALIDATE_FAIL,
+            TWO_UINT32_TO_UINT64(
+                FOUR_UINT8_TO_UINT32(
+                    foundRSAEKCert,foundECCEKCert,
+                    foundPlatCert,moreData),
+                0),
+            0,
+            ERRORLOG::ErrlEntry::NO_SW_CALLOUT);
+
+        // Likely a TPM provisioning issue
+        err->addHwCallout(io_target,
+                          HWAS::SRCI_PRIORITY_HIGH,
+                          HWAS::NO_DECONFIG,
+                          HWAS::GARD_NULL);
+
+        // Small chance HB code failed to check the provisoning
+        // correctly
+        err->addProcedureCallout(HWAS::EPUB_PRC_HB_CODE,
+                                 HWAS::SRCI_PRIORITY_LOW);
     }
 
     TRACDCOMP( g_trac_trustedboot,
diff --git a/src/usr/secureboot/trusted/trustedbootUtils.C b/src/usr/secureboot/trusted/trustedbootUtils.C
index 62f1c8d74..1fbe394a2 100644
--- a/src/usr/secureboot/trusted/trustedbootUtils.C
+++ b/src/usr/secureboot/trusted/trustedbootUtils.C
@@ -5,7 +5,7 @@
 /*                                                                        */
 /* OpenPOWER HostBoot Project                                             */
 /*                                                                        */
-/* Contributors Listed Below - COPYRIGHT 2015,2017                        */
+/* Contributors Listed Below - COPYRIGHT 2015,2018                        */
 /* [+] International Business Machines Corp.                              */
 /*                                                                        */
 /*                                                                        */
@@ -81,20 +81,26 @@ errlHndl_t tpmTransmit(TpmTarget * io_target,
     return err;
 }
 
-errlHndl_t tpmCreateErrorLog(const uint8_t i_modId,
-                             const uint16_t i_reasonCode,
-                             const uint64_t i_user1,
-                             const uint64_t i_user2)
+errlHndl_t tpmCreateErrorLog(
+    const uint8_t  i_modId,
+    const uint16_t i_reasonCode,
+    const uint64_t i_user1,
+    const uint64_t i_user2,
+    const bool     i_addSwCallout)
 {
-    errlHndl_t err = new ERRORLOG::ErrlEntry( ERRORLOG::ERRL_SEV_UNRECOVERABLE,
-                                    i_modId,
-                                    i_reasonCode,
-                                    i_user1,
-                                    i_user2,
-                                    true /*Add HB SW Callout*/ );
-    err->collectTrace( SECURE_COMP_NAME );
-    err->collectTrace(TRBOOT_COMP_NAME);
-    return err;
+    errlHndl_t pError =
+        new ERRORLOG::ErrlEntry(
+            ERRORLOG::ERRL_SEV_UNRECOVERABLE,
+            i_modId,
+            i_reasonCode,
+            i_user1,
+            i_user2,
+            i_addSwCallout);
+
+    pError->collectTrace(SECURE_COMP_NAME);
+    pError->collectTrace(TRBOOT_COMP_NAME);
+
+    return pError;
 }
 
 } // end TRUSTEDBOOT
diff --git a/src/usr/secureboot/trusted/trustedbootUtils.H b/src/usr/secureboot/trusted/trustedbootUtils.H
index 887aaf70f..112556223 100644
--- a/src/usr/secureboot/trusted/trustedbootUtils.H
+++ b/src/usr/secureboot/trusted/trustedbootUtils.H
@@ -67,16 +67,23 @@ errlHndl_t tpmTransmit(TpmTarget * io_target,
                        tpm_locality_t i_locality);
 
 /**
- * @brief Create an error log entry for potential logging
- * @param[in] i_modId Code Module ID
- * @param[in] i_reasonCode Error Reason Code
- * @param[in] i_user1 User data 1
- * @param[in] i_user2 User data 2
+ *  @brief Create an error log entry for potential logging
+ *
+ *  @param[in] i_modId Code Module ID
+ *  @param[in] i_reasonCode Error Reason Code
+ *  @param[in] i_user1 User data 1
+ *  @param[in] i_user2 User data 2
+ *  @param[in] i_addSwCallout Whether to add a high priority Hostboot software
+ *      callout to the error log or not (default: true)
+ *
+ *  @return errlHndl_t Handle to newly created error log
  */
-errlHndl_t tpmCreateErrorLog(const uint8_t i_modId,
-                             const uint16_t i_reasonCode,
-                             const uint64_t i_user1,
-                             const uint64_t i_user2);
+errlHndl_t tpmCreateErrorLog(
+    uint8_t  i_modId,
+    uint16_t i_reasonCode,
+    uint64_t i_user1,
+    uint64_t i_user2,
+    bool     i_addSwCallout = ERRORLOG::ErrlEntry::ADD_SW_CALLOUT);
 
 /**
  *  @brief Mark the TPM as non-functional and take required steps
author	Nick Bofferding <bofferdn@us.ibm.com>	2018-06-26 18:13:37 -0500
committer	Daniel M. Crowell <dcrowell@us.ibm.com>	2018-06-27 16:29:26 -0400
commit	9886d8d502e87d7568779fce855de6dc24222bda (patch)
tree	299874a8e9b587158a9fe3972e80da48c28af407 /src/usr/secureboot
parent	5129448452b605487512bdaabb66b5afb7cd7a70 (diff)
download	talos-hostboot-9886d8d502e87d7568779fce855de6dc24222bda.tar.gz talos-hostboot-9886d8d502e87d7568779fce855de6dc24222bda.zip