Check that LidMgr will only use PNOR or VFS LIDs in OpenPower

Change-Id: I03db54bea20d9d8ab0532b7ed7b7a29f4bfbfbda
RTC:167671
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/39779
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Matthew A. Ploetz <maploetz@us.ibm.com>

1 files changed, 17 insertions, 0 deletions

diff --git a/src/usr/util/utillidmgr.C b/src/usr/util/utillidmgr.C
index 8882e205d..872ec4363 100644
--- a/src/usr/util/utillidmgr.C
+++ b/src/usr/util/utillidmgr.C
@@ -40,6 +40,12 @@
 #include <pnor/pnorif.H>
 #endif
 
+#include <config.h>
+#ifdef CONFIG_SECUREBOOT
+#include <pnor/pnorif.H>
+#include <secureboot/service.H>
+#endif
+
 using namespace ERRORLOG;
 mutex_t UtilLidMgr::cv_mutex = MUTEX_INITIALIZER;
 
@@ -55,6 +61,17 @@ UtilLidMgr::UtilLidMgr(uint32_t i_lidId)
 {
     updateLid(i_lidId);
     iv_spBaseServicesEnabled = INITSERVICE::spBaseServicesEnabled();
+
+#ifdef CONFIG_SECUREBOOT
+    // In SECUREBOOT mode ensure that OpenPower systems only get LIDs from
+    // either PNOR or VFS where we can trust the security
+    assert( !(( iv_spBaseServicesEnabled == false  ) &&
+              ( iv_isLidInPnor           == false ) &&
+              ( iv_isLidInVFS            == false )
+             ), "UtilLidMgr::UtilLidMgr: Secureboot: OpenPower requesting LID "
+                "that is not in PNOR or VFS"
+          );
+#endif
 }
 
 ///////////////////////////////////////////////////////////