authorIlya Smirnov <ismirno@us.ibm.com>2018-03-19 17:12:32 -0500
committerDaniel M. Crowell <dcrowell@us.ibm.com>2018-04-09 16:29:14 -0400
commitda8911ce095aa7d18231c9d344dc978dae7cf984 (patch)
treebba30d639c013bdd5f77cf70a31fc560f8c33698 /src/usr
parent5192636a15d9fd36653952eaad5dac0974094f00 (diff)
downloadtalos-hostboot-da8911ce095aa7d18231c9d344dc978dae7cf984.tar.gz
talos-hostboot-da8911ce095aa7d18231c9d344dc978dae7cf984.zip
Secure Boot: Support Phyp debug flag in HDAT
PHYP needs a way to know if SBE security backdoor is enabled for debug purposes. This change creates a flag in TPM instance data structure to indicate whether the backdoor is enabled. This flag is passed by SBE to the hb bootloader; also added the flag to indicate whether PCR is poisoned (default of 0). The population of this flag will be implemented on Fleetwood. Change-Id: I22305dbc9651134ba7dfe3b0bd3c760fe53c2c85 RTC: 188961 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/56045 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> CI-Ready: Daniel M. Crowell <dcrowell@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Diffstat (limited to 'src/usr')
-rw-r--r--src/usr/hdat/hdattpmdata.H14
-rw-r--r--src/usr/runtime/populate_hbruntime.C12
-rw-r--r--src/usr/secureboot/base/service.C19
3 files changed, 42 insertions, 3 deletions
diff --git a/src/usr/hdat/hdattpmdata.H b/src/usr/hdat/hdattpmdata.H
index f04403e1e..8bb07bcf5 100644
--- a/src/usr/hdat/hdattpmdata.H
+++ b/src/usr/hdat/hdattpmdata.H
@@ -86,6 +86,17 @@ struct hdatTpmData_t
} __attribute__ ((packed));
/**
+ * @brief Structure definition for TPM Configuration Flags
+ *
+ */
+struct hdatTpmConfigFlags_t
+{
+ uint8_t pcrPoisonedFlag : 1; // Intentionally break remote attestation
+ // of this TPM
+ uint8_t reserved : 7;
+} __attribute__ ((packed));
+
+/**
* @brief Structure definition for Secureboot TPM Instance Info
*/
struct hdatSbTpmInstInfo_t
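Review bot: Nothing in this hunk pins `hdatTpmConfigFlags_t` to exactly one byte or states which bit of that byte `pcrPoisonedFlag` occupies, yet the next hunk substitutes it for one byte of `reserved[3]` in `hdatSbTpmInstInfo_t`, so every later field offset depends on that size. Bit-field allocation order is ABI-defined, so a consumer parsing the raw HDAT byte cannot tell the bit position from the declaration alone. I would add `static_assert(sizeof(hdatTpmConfigFlags_t) == 1, "TPM config flags must occupy one byte");` after the struct (assuming the build permits static_assert) and extend the field comment to name the bit position as the HDAT spec numbers it.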
@@ -97,7 +108,8 @@ struct hdatSbTpmInstInfo_t
uint8_t hdatLocality3Addr;
uint8_t hdatLocality4Addr;
uint8_t hdatFunctionalStatus;
- uint8_t reserved[3];
+ struct hdatTpmConfigFlags_t hdatTpmConfigFlags;
+ uint8_t reserved[2];
uint32_t hdatTpmSrtmEventLogOffset;
uint32_t hdatTpmSrtmEventLogEntrySize;
uint32_t hdatTpmDrtmEventLogOffset;
diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C
index 1f59a8d43..1554633ae 100644
--- a/src/usr/runtime/populate_hbruntime.C
+++ b/src/usr/runtime/populate_hbruntime.C
@@ -1430,7 +1430,11 @@ errlHndl_t populate_hbSecurebootData ( void )
uint16_t secureboot : 1;
// bit 1: Measurements Extended to Secure Boot TPM
uint16_t trustedboot : 1;
- uint16_t reserved : 14;
+ // bit 2: SBE Security Backdoor bit.
+ // NOTE: This bit is labeled "Platform Security Overrides Allowed"
+ // in the section 6.1.1 of HDAT spec.
+ uint16_t sbeSecBackdoor : 1;
+ uint16_t reserved : 13;
} SysSecSets;
// populate system security settings in hdat
@@ -1451,6 +1455,9 @@ errlHndl_t populate_hbSecurebootData ( void )
#endif
l_sysSecSets->secureboot = secure? 1: 0;
+ // populate security override setting
+ l_sysSecSets->sbeSecBackdoor = SECUREBOOT::getSbeSecurityBackdoor();
+
// populate TPM config bits in hdat
bool tpmRequired = false;
#ifdef CONFIG_TPMDD
@@ -1768,6 +1775,9 @@ errlHndl_t populate_TpmInfoByNode(const uint64_t i_instance)
l_tpmInstInfo->hdatFunctionalStatus = HDAT::TpmNonPresent;
}
+ // Set TPM configuration flag
+ l_tpmInstInfo->hdatTpmConfigFlags.pcrPoisonedFlag = 0;
+
// advance the current offset to account for this tpm instance info
l_currOffset += sizeof(*l_tpmInstInfo);
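Review bot: `pcrPoisonedFlag` is hard-coded to 0 with no marker that this is a placeholder, so a consumer of the HDAT cannot distinguish "PCRs not poisoned" from "state not reported yet". The commit description says population is deferred, and the comment should say so too, e.g. `// TODO RTC:<story-id>: report real PCR poison state; hard-coded 0 until implemented`. Only the single bit is written here, so the seven reserved bits and `reserved[2]` rely on the buffer having been zeroed earlier, which is not visible in this hunk. populate_TpmInfoByNode begins and ends outside the hunk.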
diff --git a/src/usr/secureboot/base/service.C b/src/usr/secureboot/base/service.C
index 1f5b5d83d..e5af124ab 100644
--- a/src/usr/secureboot/base/service.C
+++ b/src/usr/secureboot/base/service.C
@@ -5,7 +5,7 @@
/* */
/* OpenPOWER HostBoot Project */
/* */
-/* Contributors Listed Below - COPYRIGHT 2013,2017 */
+/* Contributors Listed Below - COPYRIGHT 2013,2018 */
/* [+] International Business Machines Corp. */
/* */
/* */
@@ -637,6 +637,23 @@ bool allowAttrOverrides()
};
#endif
+bool getSbeSecurityBackdoor()
+{
+ bool l_backdoorEnabled = false;
+
+ if(g_BlToHbDataManager.getSecBackdoor())
+ {
+ l_backdoorEnabled = true;
+ SB_INF("getSbeSecurityBackdoor: SBE Security Backdoor is enabled.");
+ }
+ else
+ {
+ l_backdoorEnabled = false;
+ SB_INF("getSbeSecurityBackdoor: SBE Security Backdoor is disabled.");
+ }
+ return l_backdoorEnabled;
+}
+
uint8_t getSbeSecurityMode()
{
return g_sbeSecurityMode;
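Review bot: In `getSbeSecurityBackdoor()` the local is initialised to false and then assigned again in both branches, so the initialiser and the else-branch assignment are redundant; `const bool l_backdoorEnabled = g_BlToHbDataManager.getSecBackdoor();` followed by the two traces expresses the same thing. This value now feeds the security-override bit reported in HDAT, so unless the declaration already carries one, the function should get a short Doxygen comment stating where the value originates and what `getSecBackdoor()` returns when the bootloader did not supply the field, which is not visible here. It also emits an SB_INF trace on every call, which is worth noting in that comment if more callers are added. The body of the following getSbeSecurityMode() ends outside the hunk.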