diff options
| author | Mike Baiocchi <mbaiocch@us.ibm.com> | 2017-07-01 01:43:12 -0500 |
|---|---|---|
| committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-08-09 13:47:00 -0400 |
| commit | 776d1086a7ed224c482d2da3c49b2c597b8776ab (patch) | |
| tree | 1da81d9f9edec18550b4bd69dcfd95140e741fa1 /src/usr/secureboot | |
| parent | e676209189922c5105629a9785a25958ba0972a9 (diff) | |
| download | talos-hostboot-776d1086a7ed224c482d2da3c49b2c597b8776ab.tar.gz talos-hostboot-776d1086a7ed224c482d2da3c49b2c597b8776ab.zip | |
Secureboot: Inhibit attribute overrides and sync exposures
For Secureboot purposes, we don't consider the FSP a secure source. So
this commit inhibts attribute overrides and any sort of attribute syncing
from the FSP.
Change-Id: I941ab5083d3055bc29237839aaaf4b723a2b0e90
RTC:175071
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/42687
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr/secureboot')
| -rw-r--r-- | src/usr/secureboot/base/service.C | 32 | ||||
| -rw-r--r-- | src/usr/secureboot/runtime/rt_secureboot.C | 35 | ||||
| -rw-r--r-- | src/usr/secureboot/runtime/test/testsecureboot_rt.H | 20 |
3 files changed, 85 insertions, 2 deletions
diff --git a/src/usr/secureboot/base/service.C b/src/usr/secureboot/base/service.C index fc4498908..6d0bf8ff3 100644 --- a/src/usr/secureboot/base/service.C +++ b/src/usr/secureboot/base/service.C @@ -41,6 +41,7 @@ #include "purge.H" #include <kernel/misc.H> #include <kernel/console.H> +#include <kernel/bltohbdatamgr.H> #include <console/consoleif.H> #include <util/misc.H> @@ -559,4 +560,35 @@ void addSecureUserDetailsToErrolog(errlHndl_t & io_err) //Note: adding UdTargetHwKeyHash left to Extended image } +#ifndef __HOSTBOOT_RUNTIME +bool allowAttrOverrides() +{ + bool retVal = false; + + if (enabled()) + { + if (g_BlToHbDataManager.getAllowAttrOverrides()) + { + retVal = true; + SB_INF("allowAttrOverrides: Allowing Attr Overrides in " + "Secure Mode: retVal=%d", retVal); + } + else + { + retVal = false; + SB_INF("allowAttrOverrides: DO NOT Allow Attr Overrides in " + "Secure Mode: retVal=%d", retVal); + } + } + else + { + retVal = true; + SB_DBG("allowAttrOverrides: Allow Attr Overrides in " + "Unsecure Mode: retVal=%d", retVal); + } + + return retVal; +}; +#endif + } //namespace SECUREBOOT diff --git a/src/usr/secureboot/runtime/rt_secureboot.C b/src/usr/secureboot/runtime/rt_secureboot.C index 1c84c2bf1..2277cce29 100644 --- a/src/usr/secureboot/runtime/rt_secureboot.C +++ b/src/usr/secureboot/runtime/rt_secureboot.C @@ -40,7 +40,7 @@ #include <targeting/common/commontargeting.H> #include <targeting/common/targetservice.H> #include <devicefw/userif.H> - +#include <util/misc.H> namespace SECUREBOOT { @@ -87,6 +87,39 @@ bool enabled() } #endif +#ifdef __HOSTBOOT_RUNTIME +bool allowAttrOverrides() +{ + bool retVal = false; + + if (enabled()) + { + // Check attribute to see if overrides are allowed in secure mode + if ( Util::isTargetingLoaded() ) + { + TARGETING::TargetService& tS = TARGETING::targetService(); + TARGETING::Target* sys = nullptr; + (void) tS.getTopLevelTarget( sys ); + assert(sys, "SECUREBOOT::allowAttrOverrides() system target is NULL"); + + retVal = sys->getAttr< + TARGETING::ATTR_ALLOW_ATTR_OVERRIDES_IN_SECURE_MODE>(); + + SB_INF("SECUREBOOT::allowAttrOverrides: " + "Inside Attr check: retVal=0x%X", + retVal); + } + } + else + { + // Allow Attribute Overrides in unsecure mode + retVal = true; + } + + return retVal; +} +#endif + int verify_container( const void* i_pContainer, const void* i_pHwKeyHash, diff --git a/src/usr/secureboot/runtime/test/testsecureboot_rt.H b/src/usr/secureboot/runtime/test/testsecureboot_rt.H index ef9a641a9..4173c0855 100644 --- a/src/usr/secureboot/runtime/test/testsecureboot_rt.H +++ b/src/usr/secureboot/runtime/test/testsecureboot_rt.H @@ -5,7 +5,7 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* Contributors Listed Below - COPYRIGHT 2016 */ +/* Contributors Listed Below - COPYRIGHT 2016,2017 */ /* [+] International Business Machines Corp. */ /* */ /* */ @@ -36,6 +36,7 @@ #include <config.h> #include "common/securetrace.H" +#include <secureboot/service.H> class SecurebootRtTestSuite: public CxxTest::TestSuite { @@ -95,6 +96,23 @@ class SecurebootRtTestSuite: public CxxTest::TestSuite SB_EXIT("SecurebootRtTestSuite::testVerifyContainer"); } + void testBaseInterfaces() + { + SB_ENTER("SecurebootRtTestSuite::testBaseInterfaces"); + + do { + + SB_INF("SECUREBOOT::enabled() = %d", SECUREBOOT::enabled()); + + SB_INF("SECUREBOOT::allowAttrOverrides() = %d", + SECUREBOOT::allowAttrOverrides()); + + } while(0); + + SB_EXIT("SecurebootRtTestSuite::testBaseInterfaces"); + } + + private: }; |
