-rw-r--r-- | src/include/usr/isteps/nvdimm/nvdimm.H | 5 | ||||
-rw-r--r-- | src/usr/isteps/nvdimm/nvdimm.C | 83 | ||||
-rw-r--r-- | src/usr/isteps/nvdimm/nvdimm.H | 11 | ||||
-rw-r--r-- | src/usr/isteps/nvdimm/nvdimm_update.C | 30 | ||||
-rw-r--r-- | src/usr/isteps/nvdimm/nvdimm_update.H | 9 |
5 files changed, 69 insertions, 69 deletions
diff --git a/src/include/usr/isteps/nvdimm/nvdimm.H b/src/include/usr/isteps/nvdimm/nvdimm.H
index 0bcd51bca..68f1b1c13 100644
--- a/src/include/usr/isteps/nvdimm/nvdimm.H
+++ b/src/include/usr/isteps/nvdimm/nvdimm.H
@@ -71,6 +71,9 @@ void nvdimm_restore(TARGETING::TargetHandleList &i_nvdimmList);
 bool nvdimm_update(TARGETING::TargetHandleList &i_nvdimmList);
+#endif
+
+
 /**
 * @brief Entry function to NVDIMM unlock encryption
 *
@@ -81,8 +84,6 @@ bool nvdimm_update(TARGETING::TargetHandleList &i_nvdimmList);
 bool nvdimm_encrypt_unlock(TARGETING::TargetHandleList &i_nvdimmList);
-#endif
-
 /**
 * @brief Entry function to NVDIMM generate keys
 * Generate encryption keys and set the FW key attribute
diff --git a/src/usr/isteps/nvdimm/nvdimm.C b/src/usr/isteps/nvdimm/nvdimm.C
index 9482b02d3..97fa001ce 100644
--- a/src/usr/isteps/nvdimm/nvdimm.C
+++ b/src/usr/isteps/nvdimm/nvdimm.C
@@ -513,6 +513,11 @@ errlHndl_t nvdimmResetController(Target *i_nvdimm)
 }while(0);
+ // Reset will lock encryption so unlock again
+ TargetHandleList l_nvdimmTargetList;
+ l_nvdimmTargetList.push_back(i_nvdimm);
+ nvdimm_encrypt_unlock(l_nvdimmTargetList);
+
 TRACUCOMP(g_trac_nvdimm, EXIT_MRK"nvdimmResetController() HUID[%X]",get_huid(i_nvdimm));
 return l_err;
@@ -1746,6 +1751,9 @@ errlHndl_t nvdimm_getTPM(Target*& o_tpm)
 }
+#endif
+
+
 bool nvdimm_encrypt_unlock(TargetHandleList &i_nvdimmList)
 {
 TRACFCOMP(g_trac_nvdimm, ENTER_MRK"nvdimm_encrypt_unlock()");
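Review bot: In the nvdimmResetController hunk of nvdimm.C, the bool returned by `nvdimm_encrypt_unlock(l_nvdimmTargetList)` is discarded, and the call sits after `}while(0);`, so it also runs when the reset itself left `l_err` set. A caller such as updateImage can therefore get a clean return while the module is still locked; from the lines visible here, the only record would be whatever nvdimm_encrypt_unlock logs internally. Consider `if (!l_err && !nvdimm_encrypt_unlock(l_nvdimmTargetList))` followed by a TRACFCOMP carrying the HUID. The doxygen added for this helper in src/usr/isteps/nvdimm/nvdimm.H should also say that it attempts the unlock and that the unlock result is not reflected in the returned errlHndl_t. The function body starts before this hunk.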
@@ -1754,18 +1762,15 @@ bool nvdimm_encrypt_unlock(TargetHandleList &i_nvdimmList)
 do
 {
+ // Do not check ATTR_NVDIMM_ENCRYPTION_ENABLE
+ // The attribute could have been reset by flashing the FSP
+ // Unlock if the keys are valid and NVDIMM hw encryption is enabled
+
 // Get the sys pointer, attribute keys are system level
 Target* l_sys = nullptr;
 targetService().getTopLevelTarget( l_sys );
 assert(l_sys, "nvdimm_encrypt_unlock() no TopLevelTarget");
- // Exit if encryption is not enabled via the attribute
- if (!l_sys->getAttr<ATTR_NVDIMM_ENCRYPTION_ENABLE>())
- {
- TRACFCOMP(g_trac_nvdimm,"ATTR_NVDIMM_ENCRYPTION_ENABLE=0");
- break;
- }
-
 // Get the FW key attributes
 auto l_attrKeysFw =
 l_sys->getAttrAsStdArr<ATTR_NVDIMM_ENCRYPTION_KEYS_FW>();
@@ -1774,22 +1779,14 @@ bool nvdimm_encrypt_unlock(TargetHandleList &i_nvdimmList)
 nvdimmKeyData_t* l_keysFw =
 reinterpret_cast<nvdimmKeyData_t*>(&l_attrKeysFw);
- // Check for valid key attribute data
- l_err = nvdimm_checkValidAttrKeys(l_keysFw);
- if (l_err)
- {
- break;
- }
-
 // Check encryption unlock for all nvdimms
 for (const auto & l_nvdimm : i_nvdimmList)
 {
 // Get encryption state in the config/status reg
- encryption_config_status_t l_encStatus;
- l_encStatus.whole = 0;
+ encryption_config_status_t l_encStatus = {0};
 l_err = nvdimmReadReg(l_nvdimm,
- ENCRYPTION_CONFIG_STATUS,
- l_encStatus.whole);
+ ENCRYPTION_CONFIG_STATUS,
+ l_encStatus.whole);
 if (l_err)
 {
 TRACFCOMP(g_trac_nvdimm, ERR_MRK"nvdimm_encrypt_unlock() nvdimm[%X] error reading ENCRYPTION_CONFIG_STATUS",get_huid(l_nvdimm));
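Review bot: With the ATTR_NVDIMM_ENCRYPTION_ENABLE gate removed in the first nvdimm_encrypt_unlock hunk, the unlock decision rests only on what the module reports in ENCRYPTION_CONFIG_STATUS, and nothing is traced when the attribute and the hardware disagree. A field log would then show an unlock on a system whose policy attribute reads 0, with no explanation. One trace after `l_sys` is obtained keeps that visible, for example `TRACFCOMP(g_trac_nvdimm,"nvdimm_encrypt_unlock() ATTR_NVDIMM_ENCRYPTION_ENABLE=%d, not used as gate",l_sys->getAttr<ATTR_NVDIMM_ENCRYPTION_ENABLE>());`. The `@brief` for nvdimm_encrypt_unlock in the public header should also record that the attribute is no longer consulted. The function continues outside this hunk.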
@@ -1806,6 +1803,16 @@ bool nvdimm_encrypt_unlock(TargetHandleList &i_nvdimmList)
 break;
 }
+ // Check for valid key attribute data
+ l_err = nvdimm_checkValidAttrKeys(l_keysFw);
+ if (l_err)
+ {
+ errlCommit( l_err, NVDIMM_COMP_ID );
+ nvdimmSetEncryptionError(l_nvdimm);
+ l_success = false;
+ break;
+ }
+
 // Else encryption is enabled but needs unlock
 TRACFCOMP(g_trac_nvdimm, "nvdimm_encrypt_unlock() nvdimm[%X] enabled, unlocking...",get_huid(l_nvdimm));
@@ -1878,9 +1885,6 @@ bool nvdimm_encrypt_unlock(TargetHandleList &i_nvdimmList)
 }
-#endif
-
-
 void nvdimmSetEncryptionError(Target *i_nvdimm)
 {
 ATTR_NVDIMM_ARMED_type l_armed_state = {};
@@ -2016,6 +2020,31 @@ errlHndl_t nvdimm_handleConflictingKeys(
 nvdimm_getNvdimmList(l_nvdimmTargetList);
 for (const auto & l_nvdimm : l_nvdimmTargetList)
 {
+ // Check encryption state in the config/status reg
+ encryption_config_status_t l_encStatus = {0};
+ l_err = nvdimmReadReg(l_nvdimm,
+ ENCRYPTION_CONFIG_STATUS,
+ l_encStatus.whole);
+ if (l_err)
+ {
+ TRACFCOMP(g_trac_nvdimm, ERR_MRK"nvdimm_handleConflictingKeys() nvdimm[%X] error reading ENCRYPTION_CONFIG_STATUS",get_huid(l_nvdimm));
+ errlCommit( l_err, NVDIMM_COMP_ID );
+ nvdimmSetEncryptionError(l_nvdimm);
+ continue;
+ }
+
+ // Encryption is not enabled
+ // Keys are not in use so could use either set of keys
+ // Use the ANCHOR card keys
+ if (!l_encStatus.encryption_enabled)
+ {
+ TRACFCOMP(g_trac_nvdimm, "nvdimm_handleConflictingKeys() nvdimm[%X] copying ANCHOR keys to FW",get_huid(l_nvdimm));
+ l_validKeyFound = true;
+ set_ATTR_NVDIMM_ENCRYPTION_KEYS_FW(i_attrKeysAnchor);
+ continue;
+ }
+
+ // Encryption is enabled, test the keys
 // Write the EK test reg with the FW attr value
 l_err = nvdimm_setKeyReg(l_nvdimm,
 l_keysFw->ek,
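Review bot: The key-validity check moved into the loop (hunk at -1806) leaves the loop with `break;` on failure, so only the module being processed gets `nvdimmSetEncryptionError`; later entries in `i_nvdimmList` that are also enabled and locked are never examined or flagged, although the FW keys are system-level and they would fail the same way. Replacing that `break;` with `continue;` would mark every locked module. Since `nvdimm_checkValidAttrKeys(l_keysFw)` does not depend on `l_nvdimm`, evaluating it once before the loop and testing the stored result inside would avoid committing the same log once per module. The rest of the loop is outside the hunk, so check how its other error paths treat the remaining modules.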
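Review bot: In the nvdimm_handleConflictingKeys hunk (-2016), the not-enabled branch sets `l_validKeyFound = true` and overwrites the FW attribute with `i_attrKeysAnchor` before `continue`, so a single unencrypted module early in the list marks the conflict as resolved before any encrypted module has been tested. If a later encrypted module then validates neither key set, the flag is presumably still true when the loop ends and the failure would go unreported; the code after the loop is not visible here, so this needs confirming. The result also depends on list order. Recording the unencrypted case in a separate local flag and applying the ANCHOR copy only after the loop, when no encrypted module validated a key set, would keep `l_validKeyFound` meaning that a key was actually proven against hardware.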
@@ -2041,6 +2070,8 @@ errlHndl_t nvdimm_handleConflictingKeys(
 {
 TRACFCOMP(g_trac_nvdimm, ERR_MRK"nvdimm_handleConflictingKeys() nvdimm[%X] ATTR_NVDIMM_ENCRYPTION_KEYS_FW valid",get_huid(l_nvdimm));
 l_validKeyFound = true;
+ // Re-write the FW keys, this will also update the ANCHOR keys
+ set_ATTR_NVDIMM_ENCRYPTION_KEYS_FW(i_attrKeysFw);
 break;
 }
@@ -2132,13 +2163,6 @@ bool nvdimm_gen_keys(void)
 targetService().getTopLevelTarget( l_sys );
 assert(l_sys, "nvdimm_gen_keys: no TopLevelTarget");
- // Exit if encryption is not enabled via the attribute
- if (!l_sys->getAttr<ATTR_NVDIMM_ENCRYPTION_ENABLE>())
- {
- TRACFCOMP(g_trac_nvdimm,"ATTR_NVDIMM_ENCRYPTION_ENABLE=0");
- break;
- }
-
 // Key size must be less that max TPM random generator size
 static_assert(ENC_KEY_SIZE <= MAX_TPM_SIZE,
 "nvdimm_gen_keys() ENC_KEY_SIZE is greater than MAX_TPM_SIZE");
@@ -2419,8 +2443,7 @@ bool nvdimm_encrypt_enable(TargetHandleList &i_nvdimmList)
 for (const auto & l_nvdimm : i_nvdimmList)
 {
 // Check encryption state in the config/status reg
- encryption_config_status_t l_encStatus;
- l_encStatus.whole = 0;
+ encryption_config_status_t l_encStatus = {0};
 l_err = nvdimmReadReg(l_nvdimm,
 ENCRYPTION_CONFIG_STATUS,
 l_encStatus.whole);
diff --git a/src/usr/isteps/nvdimm/nvdimm.H b/src/usr/isteps/nvdimm/nvdimm.H
index df1487974..1eb9f89dc 100644
--- a/src/usr/isteps/nvdimm/nvdimm.H
+++ b/src/usr/isteps/nvdimm/nvdimm.H
@@ -572,6 +572,17 @@ bool nvdimm_validRandomNumber(uint8_t* i_genData);
 void nvdimmSetEncryptionError(TARGETING::Target *i_nvdimm);
+/**
+ * @brief Helper function to reset the NVDIMM controller
+ *
+ * @param[in] i_nvdimm - nvdimm target
+ *
+ * @return errlHndl_t - Null if successful, otherwise a pointer to
+ * the error log
+ */
+errlHndl_t nvdimmResetController(TARGETING::Target *i_nvdimm);
+
+
 #ifndef __HOSTBOOT_RUNTIME
 /**
diff --git a/src/usr/isteps/nvdimm/nvdimm_update.C b/src/usr/isteps/nvdimm/nvdimm_update.C
index 0a319360b..e7fbad4a8 100644
--- a/src/usr/isteps/nvdimm/nvdimm_update.C
+++ b/src/usr/isteps/nvdimm/nvdimm_update.C
@@ -668,7 +668,7 @@ errlHndl_t NvdimmInstalledImage::updateImage(NvdimmLidImage * i_lidImage)
 // Reset controller to activate new firmware
 TRACUCOMP(g_trac_nvdimm_upd, "updateImage: resetController");
- l_err = resetController();
+ l_err = nvdimmResetController(iv_dimm);
 if (l_err)
 {
 TRACFCOMP(g_trac_nvdimm_upd, ERR_MRK "updateImage: "
@@ -1699,34 +1699,6 @@ errlHndl_t NvdimmInstalledImage::validateFwImage()
 return l_err;
 }
-errlHndl_t NvdimmInstalledImage::resetController()
-{
- errlHndl_t l_err = nullptr;
-
- // If bit 0 is set, the module shall start a Reset Controller operation
- l_err = nvdimmWriteReg(iv_dimm, NVDIMM_MGT_CMD0, 0x01);
- if (l_err)
- {
- TRACFCOMP(g_trac_nvdimm_upd,ERR_MRK"resetController: NVDIMM 0x%.8X "
- "write of 0x01 to NVDIMM_MGT_CMD0 register failed",
- TARGETING::get_huid(iv_dimm));
- }
- else
- {
- // Now wait until NV controller is ready again after reset
- // nvdimmReady will retry NACK calls
- l_err = nvdimmReady(iv_dimm);
- if (l_err)
- {
- TRACFCOMP(g_trac_nvdimm_upd,ERR_MRK"resetController: NV controller for "
- "NVDIMM 0x%.8X is not reporting as ready after reset",
- TARGETING::get_huid(iv_dimm));
-
- }
- }
- return l_err;
-}
-
 uint16_t NvdimmInstalledImage::crc16(const uint8_t * i_data, int i_data_size)
 {
 // From JEDEC JESD245B.01 document
diff --git a/src/usr/isteps/nvdimm/nvdimm_update.H b/src/usr/isteps/nvdimm/nvdimm_update.H
index 37153b9c2..ea606d89d 100644
--- a/src/usr/isteps/nvdimm/nvdimm_update.H
+++ b/src/usr/isteps/nvdimm/nvdimm_update.H
@@ -5,7 +5,7 @@
 /* */
 /* OpenPOWER HostBoot Project */
 /* */
-/* Contributors Listed Below - COPYRIGHT 2018 */
+/* Contributors Listed Below - COPYRIGHT 2018,2019 */
 /* [+] International Business Machines Corp. */
 /* */
 /* */
@@ -318,13 +318,6 @@ class NvdimmInstalledImage
 errlHndl_t isFwOpsSuccess(bool & o_success);
 /**
- * @brief Reset NV controller. Resets controller and waits for it to
- * come back online
- * @return error if reset failed, else nullptr
- */
- errlHndl_t resetController();
-
- /**
 * @brief Updates the NV controller with the lid's image data
 * (minus header and signature)
 * @param i_lidImage - lid object with image data |