diff options
author | Ilya Smirnov <ismirno@us.ibm.com> | 2019-02-19 09:19:35 -0600 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2019-03-01 15:06:57 -0600 |
commit | b1c1b2cc5e78267fadb9001587f66566cf19159e (patch) | |
tree | e40435fd16338b995a5b6c3b0c3bd132ce3d159f /src/usr/secureboot | |
parent | 7364f2447d187b1b7dfff42403db051c4fc7e4e4 (diff) | |
download | talos-hostboot-b1c1b2cc5e78267fadb9001587f66566cf19159e.tar.gz talos-hostboot-b1c1b2cc5e78267fadb9001587f66566cf19159e.zip |
Secureboot: Enhanced Multinode Comm: TPM_POISONED
This commit introduces a new attribute TPM_POISONED used
to indicate that a certain TPM was poisoned during the boot.
This attribute is also used to adjust the trustedboot flag
in HDAT: if the primary TPM was poisoned during the IPL,
the trustedboot setting is turned off in HDAT.
Change-Id: I32ff6e79ebba0e38c0e8b4b9bd4aa0f52a250d9a
RTC: 203645
Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/72129
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/secureboot')
-rw-r--r-- | src/usr/secureboot/node_comm/node_comm_exchange.C | 5 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/trustedboot.C | 10 |
2 files changed, 9 insertions, 6 deletions
diff --git a/src/usr/secureboot/node_comm/node_comm_exchange.C b/src/usr/secureboot/node_comm/node_comm_exchange.C index 46eaabc69..fde09af52 100644 --- a/src/usr/secureboot/node_comm/node_comm_exchange.C +++ b/src/usr/secureboot/node_comm/node_comm_exchange.C @@ -770,11 +770,6 @@ errlHndl_t nodeCommProcessSlaveQuote(uint8_t* const i_slaveQuote, l_errl->collectTrace(TRBOOT_COMP_NAME); l_errl->collectTrace(NODECOMM_TRACE_NAME); } - else - { - // @TODO RTC 203645 need to notify HDAT to turn off trustedboot flag - // in RUNTIME::IPLPARMS_SYSTEM - } break; } diff --git a/src/usr/secureboot/trusted/trustedboot.C b/src/usr/secureboot/trusted/trustedboot.C index 1237fe3b8..9c075dc7d 100644 --- a/src/usr/secureboot/trusted/trustedboot.C +++ b/src/usr/secureboot/trusted/trustedboot.C @@ -2254,7 +2254,7 @@ errlHndl_t GetRandom(const TpmTarget* i_pTpm, } #endif // CONFIG_TPMDD -errlHndl_t poisonTpm(const TpmTarget* i_pTpm) +errlHndl_t poisonTpm(TpmTarget* i_pTpm) { uint64_t l_randNum = 0; errlHndl_t l_errl = nullptr; @@ -2263,6 +2263,14 @@ errlHndl_t poisonTpm(const TpmTarget* i_pTpm) do { + l_errl = validateTpmHandle(i_pTpm); + if(l_errl) + { + break; + } + + i_pTpm->setAttr<TARGETING::ATTR_TPM_POISONED>(true); + // Note: GetRandom validates the TPM handle internally and returns an // error log if invalid l_errl = GetRandom(i_pTpm, |