Update 'is TPM Required' checking to include the use of a new sensor

This commit adds the support to read the new "is TPM Required" sensor
and updates the decision tree of whether or not the system requires a
TPM to be present.

Change-Id: I61871935d59272351ea1aa769641579efeee2f7e
RTC:167580
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/39592
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Timothy R. Block <block@us.ibm.com>
Reviewed-by: Christopher J. Engel <cjengel@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>

2 files changed, 109 insertions, 39 deletions

diff --git a/src/usr/secureboot/trusted/trustedboot.C b/src/usr/secureboot/trusted/trustedboot.C
index 45043b3e4..d9b6b5cb7 100644
--- a/src/usr/secureboot/trusted/trustedboot.C
+++ b/src/usr/secureboot/trusted/trustedboot.C
@@ -1302,65 +1302,120 @@ void* tpmDaemon(void* unused)
 
 bool isTpmRequired()
 {
+    bool retVal = false;
+
+    do
+    {
+        // First check if sensor is available
+        if ( getTpmRequiredSensorValue(retVal) )
+        {
+            // Sensor is available so use its setting of retVal
+            TRACUCOMP( g_trac_trustedboot, "isTpmRequired: Sensor is "
+                       "available: using retVal=%d",
+                       retVal );
+            break;
+        }
+        else
+        {
+            // Sensor not available; reset retVal to be safe
+            retVal = false;
+        }
+
 
+        // Since sensor isn't available, use ATTR_TPM_REQUIRED
+        TARGETING::Target* pTopLevel = nullptr;
+        (void)TARGETING::targetService().getTopLevelTarget(pTopLevel);
+        assert(pTopLevel != nullptr, "Unable to get top level target");
+
+        retVal = pTopLevel->getAttr<TARGETING::ATTR_TPM_REQUIRED>();
+
+        TRACUCOMP( g_trac_trustedboot, "isTpmRequired: Using ATTR_TPM_REQUIRED:"
+                   " retVal=%d",
+                   retVal );
+
+    } while(0);
+
+    TRACFCOMP( g_trac_trustedboot,
+               "Tpm Required: %s",(retVal ? "Yes" : "No") );
+
+    return retVal;
+}
+
+bool getTpmRequiredSensorValue(bool& o_isTpmRequired)
+{
     bool retVal = false;
-    TARGETING::Target* pTopLevel = nullptr;
+    o_isTpmRequired = false;
+
+    // Get TPM Required Sensor
+#ifdef CONFIG_BMC_IPMI
 
+    TARGETING::Target* pTopLevel = nullptr;
     (void)TARGETING::targetService().getTopLevelTarget(pTopLevel);
     assert(pTopLevel != nullptr, "Unable to get top level target");
 
-    TARGETING::ATTR_TPM_REQUIRED_type tpmRequired =
-        pTopLevel->getAttr<TARGETING::ATTR_TPM_REQUIRED>();
+    uint32_t sensorNum = TARGETING::UTIL::getSensorNumber(pTopLevel,
+                                        TARGETING::SENSOR_NAME_TPM_REQUIRED);
+
+    TRACUCOMP( g_trac_trustedboot,"getTpmRequiredSensorValue: sensorNum=0x%X, "
+               "enum=0x%X",
+               sensorNum, TARGETING::SENSOR_NAME_TPM_REQUIRED);
 
-    // TPM Required is on in the attributes, now let's check the BMC sensor
-    if (tpmRequired)
+    // VALID IPMI sensors are 0-0xFE
+    if (TARGETING::UTIL::INVALID_IPMI_SENSOR != sensorNum)
     {
-#ifdef CONFIG_BMC_IPMI
-        uint32_t sensorNum = TARGETING::UTIL::getSensorNumber(pTopLevel,
-                                        TARGETING::SENSOR_NAME_TPM_REQUIRED);
-        // VALID IPMI sensors are 0-0xFE
-        if (TARGETING::UTIL::INVALID_IPMI_SENSOR != sensorNum)
+        // Check if TPM is required by BMC
+        SENSOR::getSensorReadingData tpmRequiredData;
+        SENSOR::SensorBase tpmRequired(TARGETING::SENSOR_NAME_TPM_REQUIRED,
+                                       pTopLevel);
+        errlHndl_t err = tpmRequired.readSensorData(tpmRequiredData);
+        if (nullptr == err)
         {
-            // Check if TPM is required by BMC
-            SENSOR::getSensorReadingData tpmRequiredData;
-            SENSOR::SensorBase tpmRequired(TARGETING::SENSOR_NAME_TPM_REQUIRED,
-                                           pTopLevel);
-            errlHndl_t err = tpmRequired.readSensorData(tpmRequiredData);
-            if (nullptr == err)
-            {
-                // 0x02 == Asserted bit (TPM is required)
-                if ((tpmRequiredData.event_status &
-                     (1 << SENSOR::ASSERTED)) ==
-                    (1 << SENSOR::ASSERTED))
-                {
-                    retVal = true;
-                }
-            }
-            else
+            // Sensor is available and found without error
+            retVal = true;
+
+            // 0x02 == Asserted bit (TPM is required)
+            if ((tpmRequiredData.event_status &
+                 (1 << SENSOR::ASSERTED)) ==
+                (1 << SENSOR::ASSERTED))
             {
-                // error reading sensor, assume TPM is required
-                TRACFCOMP( g_trac_trustedboot,
-                           "Unable to read Tpm Required Sensor : rc = 0x%04X",
-                           err->reasonCode());
-                delete err;
-                err = nullptr;
-                retVal = true;
+                o_isTpmRequired = true;
             }
         }
         else
         {
-            // Sensor not supported so assume TPM required
-            retVal = true;
+            // error reading sensor, so consider sensor not available
+            TRACFCOMP( g_trac_trustedboot,ERR_MRK"getTpmRequiredSensorValue: "
+                       "Unable to read Tpm Required Sensor: rc = 0x%04X "
+                       "(sensorNum=0x%X, enum=0x%X) Deleting Error plid=0x%04X",
+                       err->reasonCode(), sensorNum,
+                       TARGETING::SENSOR_NAME_TPM_REQUIRED,
+                       err->plid());
+            delete err;
+            err = nullptr;
+            retVal = false;
         }
+    }
+    else
+    {
+        // Sensor not available
+        retVal = false;
+        TRACUCOMP( g_trac_trustedboot, "getTpmRequiredSensorValue: Sensor "
+                   "not available: retVal=%d (sensorNum=0x%X)",
+                   retVal, sensorNum );
+    }
 #else
-        // IPMI support not there, assume true
-        retVal = true;
+    // IPMI support not there, so consider sensor not available
+    retVal = false;
+    TRACUCOMP( g_trac_trustedboot, "getTpmRequiredSensorValue: IPMI Support "
+               "not found; retVal=%d",
+               retVal );
 #endif
-    }
 
 
     TRACFCOMP( g_trac_trustedboot,
-               "Tpm Required: %s",(retVal ? "Yes" : "No"));
+               "getTpmRequiredSensorValue: isAvail=%s, o_isTpmRequired=%s",
+               (retVal ? "Yes" : "No"),
+               (o_isTpmRequired ? "Yes" : "No") );
 
     return retVal;
 }
diff --git a/src/usr/secureboot/trusted/trustedboot.H b/src/usr/secureboot/trusted/trustedboot.H
index 64a3bd727..660bf92de 100644
--- a/src/usr/secureboot/trusted/trustedboot.H
+++ b/src/usr/secureboot/trusted/trustedboot.H
@@ -202,6 +202,21 @@ void getTpmWithRoleOf(
     TARGETING::TPM_ROLE i_tpmRole,
     TARGETING::Target*& o_pTpm);
 
+/**
+ *  @brief Returns value of TPM Sensor if it is available
+ *         All error handing is contained in the function and the output value
+ *         is only valid if the function returns TRUE
+ *
+ *  @param[out] o_isTpmRequired Value returned from TPM Required sensor:
+ *              TRUE if TPM is required; FALSE if TPM is NOT required
+ *              NOTE: this parameter is only valid if this function returns TRUE
+ *
+ *  @return bool  Returns TRUE if sensor was available and found without error;
+ *                otherwise returns FALSE
+ */
+bool getTpmRequiredSensorValue(
+    bool& o_isTpmRequired);
+
 
 } // end TRUSTEDBOOT namespace
 #endif