| author | Nick Bofferding <bofferdn@us.ibm.com> | 2017-04-21 12:34:01 -0500 |
|---|---|---|
| committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2017-04-28 16:28:57 -0400 |
| commit | 65933dc2985b91be71ac35a6df2786f0e43ab779 (patch) | |
| tree | db50c52908c9bd3628d1aa6182e1981d6f6130b2 /src/usr | |
| parent | 78b9f5fc8fdd8aa99796729902150eae0f7829b5 (diff) | |
Split ATTR_SECURITY_MODE into FSP/HB specific attributes
Change-Id: Ib4eed5cb069b4cef02fefcc398e27a51d0b287f6
RTC: 170650
CMVC-Coreq: 1022371
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/39552
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr')
| -rw-r--r-- | src/usr/pnor/spnorrp.C | 8 | ||||
| -rw-r--r-- | src/usr/pnor/spnorrp.H | 9 | ||||
| -rw-r--r-- | src/usr/targeting/common/xmltohb/attribute_types.xml | 18 | ||||
| -rw-r--r-- | src/usr/targeting/common/xmltohb/attribute_types_hb.xml | 26 | ||||
| -rwxr-xr-x | src/usr/targeting/common/xmltohb/target_types.xml | 1 | ||||
| -rwxr-xr-x | src/usr/targeting/common/xmltohb/target_types_hb.xml | 1 |
6 files changed, 36 insertions, 27 deletions
diff --git a/src/usr/pnor/spnorrp.C b/src/usr/pnor/spnorrp.C index 496ebabe9..f9d286da0 100644 --- a/src/usr/pnor/spnorrp.C +++ b/src/usr/pnor/spnorrp.C @@ -781,11 +781,11 @@ void SPnorRP::processLabOverride( TARGETING::Target* pSys = nullptr; TARGETING::targetService().getTopLevelTarget(pSys); assert(pSys != nullptr,"System target was nullptr."); - // ATTR_SECURITY_MODE attribute values are inverted with respect to the lab - // override flag for the same logical meaning - TARGETING::ATTR_SECURITY_MODE_type securityMode = + // ATTR_HB_SECURITY_MODE attribute values are inverted with respect to the + // lab override flag for the same logical meaning + TARGETING::ATTR_HB_SECURITY_MODE_type securityMode = !(i_flags.hw_lab_override); - pSys->setAttr<TARGETING::ATTR_SECURITY_MODE>(securityMode); + pSys->setAttr<TARGETING::ATTR_HB_SECURITY_MODE>(securityMode); TRACFCOMP(g_trac_pnor,INFO_MRK "Set lab security override policy to %s.", securityMode ? "*NO* override" : "override if requested"); } diff --git a/src/usr/pnor/spnorrp.H b/src/usr/pnor/spnorrp.H index 34a6a8aab..889b70f43 100644 --- a/src/usr/pnor/spnorrp.H +++ b/src/usr/pnor/spnorrp.H 
@@ -198,10 +198,11 @@ class SPnorRP * * @par Detailed Description: * Reads the lab override flag from the input flag set, inverts it, and - * writes it to the ATTR_SECURITY_MODE attribute. Later, SBE update - * will customize that attribute into the SBEs. If the policy is set - * (attribute clear), the SBE will watch mailbox scratch register 3 bit - * 6 to be set. In that case, SBE will disable security for the + * writes it to the ATTR_HB_SECURITY_MODE attribute (which directly + * maps to FAPI attribute ATTR_SECURITY_MODE). Later, SBE update + * will customize that FAPI attribute into the SBEs. If the policy is + * set (attribute clear), the SBE will watch mailbox scratch register 3 + * bit 6 to be set. In that case, SBE will disable security for the * processor, otherwise (policy clear/attribute set) it will not change * the security settings. * diff --git a/src/usr/targeting/common/xmltohb/attribute_types.xml b/src/usr/targeting/common/xmltohb/attribute_types.xml index 1d0b5a9bd..4ad390838 100644 --- a/src/usr/targeting/common/xmltohb/attribute_types.xml +++ b/src/usr/targeting/common/xmltohb/attribute_types.xml @@ -28582,24 +28582,6 @@ Measured in GB</description> </attribute> <attribute> - <id>SECURITY_MODE</id> - <description> - If SBE image has ATTR_SECURITY_MODE == 0b1, then leave SAB bit as is, - else ATTR_SECURITY_MODE == 0b0, then clear SAB bit - </description> - <simpleType> - <uint8_t></uint8_t> - </simpleType> - <persistency>non-volatile</persistency> - <writeable/> - <readable/> - <hwpfToHbAttrMap> - <id>ATTR_SECURITY_MODE</id> - <macro>DIRECT</macro> - </hwpfToHbAttrMap> -</attribute> - -<attribute> <id>PFET_OFF_CONTROLS</id> <description> To disable force pfet off control from fuse status diff --git a/src/usr/targeting/common/xmltohb/attribute_types_hb.xml b/src/usr/targeting/common/xmltohb/attribute_types_hb.xml index f5f56e2b2..255851800 100644 --- a/src/usr/targeting/common/xmltohb/attribute_types_hb.xml 
+++ b/src/usr/targeting/common/xmltohb/attribute_types_hb.xml @@ -1948,4 +1948,30 @@ ID for the sensor number returned with the elog. --> <hbOnly/> </attribute> +<attribute> + <id>HB_SECURITY_MODE</id> + <description> + HB specific attribute which is aliased to the FAPI attribute + ATTR_SECURITY_MODE and customized into the SBE image. If 0b0, SBE + will disable proc security (via SAB bit) if mailbox scratch register 3 + bit 6 is set. Otherwise, if 0b1, SBE will not override proc security. + TODO RTC 170650: When SBE image is signed in all environments, set + default to 0b1 and rely on SBE signing header to configure the final + value, This may require hbOnly support for volatile attributes. + </description> + <simpleType> + <uint8_t> + <default>0x00</default> + </uint8_t> + </simpleType> + <persistency>volatile-zeroed</persistency> + <writeable/> + <readable/> + <hwpfToHbAttrMap> + <id>ATTR_SECURITY_MODE</id> + <macro>DIRECT</macro> + </hwpfToHbAttrMap> + <hbOnly/> +</attribute> + </attributes> diff --git a/src/usr/targeting/common/xmltohb/target_types.xml b/src/usr/targeting/common/xmltohb/target_types.xml index 63caf89d6..16503c252 100755 --- a/src/usr/targeting/common/xmltohb/target_types.xml +++ b/src/usr/targeting/common/xmltohb/target_types.xml @@ -805,7 +805,6 @@ <attribute><id>SYS_FORCE_ALL_CORES</id></attribute> <attribute><id>DISABLE_HBBL_VECTORS</id></attribute> <attribute><id>SECURITY_ENABLE</id></attribute> - <attribute><id>SECURITY_MODE</id></attribute> <attribute><id>PIBMEM_REPAIR0</id></attribute> <attribute><id>PIBMEM_REPAIR1</id></attribute> <attribute><id>PIBMEM_REPAIR2</id></attribute> diff --git a/src/usr/targeting/common/xmltohb/target_types_hb.xml b/src/usr/targeting/common/xmltohb/target_types_hb.xml index d5b743e1f..b45a0bc79 100755 --- a/src/usr/targeting/common/xmltohb/target_types_hb.xml +++ b/src/usr/targeting/common/xmltohb/target_types_hb.xml 
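Review bot: The new HB_SECURITY_MODE attribute in attribute_types_hb.xml starts out in its permissive state: `<default>0x00</default>` combined with `<persistency>volatile-zeroed</persistency>` means that, by the attribute's own description, the SBE may disable processor security when mailbox scratch register 3 bit 6 is set, until something writes 0b1. In the hunks shown here the only writer is SPnorRP::processLabOverride in spnorrp.C, so any consumer that reads or customizes the value before that call would presumably see "override allowed"; whether such a consumer exists is not visible from this diff. The description should state that ordering dependency explicitly, for example by adding `Only valid after SPnorRP::processLabOverride has run; the zeroed default permits the lab override.` The TODO already plans a 0b1 default, and until then the fail-open default should be called out rather than left implicit. Minor wording: `final value, This may require` should read `final value. This may require`.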
@@ -88,6 +88,7 @@ <attribute><id>DRTM_PAYLOAD_ADDR_MB_HB</id></attribute> <attribute><id>FORCE_PRE_PAYLOAD_DRTM</id></attribute> <attribute><id>HB_RSV_MEM_NEXT_SECTION</id></attribute> + <attribute><id>HB_SECURITY_MODE</id></attribute> </targetTypeExtension> <targetTypeExtension> |

