Secureboot: Inhibit attribute overrides and sync exposures

For Secureboot purposes, we don't consider the FSP a secure source.  So
this commit inhibts attribute overrides and any sort of attribute syncing
from the FSP.

Change-Id: I941ab5083d3055bc29237839aaaf4b723a2b0e90
RTC:175071
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/42687
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>

5 files changed, 54 insertions, 4 deletions

diff --git a/src/usr/targeting/attrPlatOverride.C b/src/usr/targeting/attrPlatOverride.C
index a5f2a18c0..dafb27fb2 100644
--- a/src/usr/targeting/attrPlatOverride.C
+++ b/src/usr/targeting/attrPlatOverride.C
@@ -27,6 +27,7 @@
 #include <targeting/common/trace.H>
 #include <targeting/common/targreasoncodes.H>
 #include <errl/errlmanager.H>
+#include <secureboot/service.H>
 
 namespace TARGETING
 {
@@ -71,6 +72,13 @@ errlHndl_t getAttrOverrides(PNOR::SectionInfo_t &i_sectionInfo,
 
     do
     {
+        if (!SECUREBOOT::allowAttrOverrides())
+        {
+            TRACFCOMP(g_trac_targeting,"attrPlatOverride::getAttrOverrides: "
+                      "skipping since Attribute Overrides are not allowed");
+            break;
+        }
+
         TRACFCOMP( g_trac_targeting, "Section id=%d, size=%d", i_sectionInfo.id, i_sectionInfo.size );
 
         uint32_t l_index = 0;
diff --git a/src/usr/targeting/attrrp.C b/src/usr/targeting/attrrp.C
index 66be9a33f..2c9f0b6fe 100755
--- a/src/usr/targeting/attrrp.C
+++ b/src/usr/targeting/attrrp.C
@@ -52,6 +52,7 @@
 #include <fapi2/plat_attr_override_sync.H>
 #include <targeting/attrPlatOverride.H>
 #include <config.h>
+#include <secureboot/service.H>
 
 using namespace INITSERVICE;
 using namespace ERRORLOG;
@@ -929,6 +930,12 @@ namespace TARGETING
             size_t l_maxSize = io_size;
             io_size = 0;
 
+            if (!SECUREBOOT::allowAttrOverrides())
+            {
+                TRACFCOMP( g_trac_targeting, "AttrRP::_saveOverrides: skipping "
+                           "since Attribute Overrides are not allowed.");
+            }
+
             // Save the fapi and temp overrides
             //   Note: no need to look at PERM because those were added to
             //         the base targeting model
diff --git a/src/usr/targeting/attrsync.C b/src/usr/targeting/attrsync.C
index 6faca132a..4201776be 100644
--- a/src/usr/targeting/attrsync.C
+++ b/src/usr/targeting/attrsync.C
@@ -5,7 +5,7 @@
 /*                                                                        */
 /* OpenPOWER HostBoot Project                                             */
 /*                                                                        */
-/* Contributors Listed Below - COPYRIGHT 2012,2016                        */
+/* Contributors Listed Below - COPYRIGHT 2012,2017                        */
 /* [+] International Business Machines Corp.                              */
 /*                                                                        */
 /*                                                                        */
@@ -27,7 +27,7 @@
 #include <targeting/common/trace.H>
 #include <initservice/initserviceif.H>
 #include <errl/hberrltypes.H>
-
+#include <secureboot/service.H>
 
 using namespace ERRORLOG;
 
@@ -67,6 +67,14 @@ namespace TARGETING
                   "section type %u total pages %d",
                   iv_section_to_sync, iv_total_pages );
 
+        if (!SECUREBOOT::allowAttrOverrides())
+        {
+            TARG_INF("AttributeSync::updateSectionData(): skipping since "
+                     "attribute overrides are not allowed and we don't "
+                     "trust the FSP, but still returning ATTR_SYNC_SUCCESS");
+            return ATTR_SYNC_SUCCESS;
+        }
+
         ATTR_SYNC_RC l_rc = ATTR_SYNC_SUCCESS;
 
         // call the targeting function here to get context.
@@ -167,6 +175,13 @@ namespace TARGETING
         memset( &l_page, 0, sizeof(TARGETING::sectionRefData) );
 
         do{
+            if (!SECUREBOOT::allowAttrOverrides())
+            {
+                TARG_INF("AttributeSync::syncSectionFromFsp(): skipping since "
+                         "attribute overrides are not allowed and we don't "
+                         "trust the FSP");
+                break;
+            }
 
             // send a request to FSP to sync to Hostboot
             l_errl = sendSyncToHBRequestMessage();
@@ -554,6 +569,14 @@ namespace TARGETING
                 break;
             }
 
+            if (!SECUREBOOT::allowAttrOverrides())
+            {
+                TARG_INF("syncAllAttributesFromFsp(): skipping since "
+                         "attribute overrides are not allowed and we don't "
+                         "trust the FSP");
+                break;
+            }
+
             // create Hostboot message queue
             msg_q_t l_pHbMsgQ = msg_q_create();
 
diff --git a/src/usr/targeting/runtime/attrPlatOverride_rt.C b/src/usr/targeting/runtime/attrPlatOverride_rt.C
index 6b9fc5a8f..fcd6aabc1 100644
--- a/src/usr/targeting/runtime/attrPlatOverride_rt.C
+++ b/src/usr/targeting/runtime/attrPlatOverride_rt.C
@@ -54,7 +54,7 @@ int apply_attr_override(uint8_t* i_data,
     bool l_allowOverrides = true;
 
     #ifdef CONFIG_SECUREBOOT
-    l_allowOverrides = !SECUREBOOT::enabled();
+    l_allowOverrides = SECUREBOOT::allowAttrOverrides();
     #endif
 
     if (l_allowOverrides)
diff --git a/src/usr/targeting/test/testattrtank.H b/src/usr/targeting/test/testattrtank.H
index 247076e58..e1a2b22af 100644
--- a/src/usr/targeting/test/testattrtank.H
+++ b/src/usr/targeting/test/testattrtank.H
@@ -5,7 +5,7 @@
 /*                                                                        */
 /* OpenPOWER HostBoot Project                                             */
 /*                                                                        */
-/* Contributors Listed Below - COPYRIGHT 2013,2014                        */
+/* Contributors Listed Below - COPYRIGHT 2013,2017                        */
 /* [+] International Business Machines Corp.                              */
 /*                                                                        */
 /*                                                                        */
@@ -36,6 +36,7 @@
 #include <targeting/common/attributeTank.H>
 #include <targeting/attrPlatOverride.H>
 #include <pnor/pnorif.H>
+#include <kernel/bltohbdatamgr.H>
 
 using namespace TARGETING;
 
@@ -1171,6 +1172,13 @@ public:
         l_attrPermSec.name = "Test Attr Perm";
         l_attrPermSec.vaddr = reinterpret_cast<uint64_t>(malloc(3*l_chunkSize));
 
+
+        // This test needs Attribute Overrides to work, so save global variable
+        // before setting it to 'true' for the duration of this test
+        bool save_allowAttrOverrides = g_BlToHbDataManager.iv_data.allowAttrOverrides;
+        g_BlToHbDataManager.iv_data.allowAttrOverrides = true;
+        TS_TRACE("testBMCAttrOverride: saved Allow Attr Override (%d) and set to true", save_allowAttrOverrides);
+
         do
         {
             // Create local AttributeTanks
@@ -1448,6 +1456,10 @@ public:
 
         } while(0);
 
+        // Restore Allow Attr Override Setting
+        g_BlToHbDataManager.iv_data.allowAttrOverrides = save_allowAttrOverrides;
+        TS_TRACE("testBMCAttrOverride: restored Allow Attr Override (%d)", save_allowAttrOverrides);
+
         // Free memory
         free (reinterpret_cast<char *>(l_attrTmpSec.vaddr));
         free (reinterpret_cast<char *>(l_attrPermSec.vaddr));