3 files changed, 27 insertions, 13 deletions

diff --git a/src/usr/runtime/hdatservice.C b/src/usr/runtime/hdatservice.C
index 47f7a500c..f77165d8d 100644
--- a/src/usr/runtime/hdatservice.C
+++ b/src/usr/runtime/hdatservice.C
@@ -1450,6 +1450,7 @@ errlHndl_t hdatService::getInstanceCount(const SectionId i_section,
     switch(i_section)
     {
         case RUNTIME::PCRD:
+        case RUNTIME::NODE_TPM_RELATED:
         {
             hdat5Tuple_t* tuple = nullptr;
             errhdl = getAndCheckTuple(i_section, tuple);
diff --git a/src/usr/runtime/hdatstructs.H b/src/usr/runtime/hdatstructs.H
index 29f23eac8..2f05a2a70 100644
--- a/src/usr/runtime/hdatstructs.H
+++ b/src/usr/runtime/hdatstructs.H
@@ -438,4 +438,21 @@ struct hdatCpuCtrlInfo_t
     hdatCpuCtrlPair_t servRoutineData;   // Service Routines Data Area
 }  __attribute__ ((packed));
 
+/**
+ * @brief Structure to reflect the security settings on a system.
+ */
+typedef struct sysSecSets
+{
+    // bit 0: Code Container Digital Signature Checking
+    uint16_t secureboot : 1;
+    // bit 1: Primary TPM is present and functional if single-node system;
+    // All primary TPMs are present and functional if multi-node system.
+    uint16_t trustedboot : 1;
+    // bit 2: SBE Security Backdoor bit.
+    // NOTE: This bit is labeled "Platform Security Overrides Allowed"
+    // in the section 6.1.1 of HDAT spec.
+    uint16_t sbeSecBackdoor : 1;
+    uint16_t reserved : 13;
+} SysSecSets;
+
 #endif
diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C
index db26d87be..129068941 100644
--- a/src/usr/runtime/populate_hbruntime.C
+++ b/src/usr/runtime/populate_hbruntime.C
@@ -1461,19 +1461,6 @@ errlHndl_t populate_hbSecurebootData ( void )
         hdatSysParms_t* const l_sysParmsPtr
             = reinterpret_cast<hdatSysParms_t*>(l_hbrtDataAddr);
 
-        typedef struct sysSecSets
-        {
-            // bit 0: Code Container Digital Signature Checking
-            uint16_t secureboot : 1;
-            // bit 1: Measurements Extended to Secure Boot TPM
-            uint16_t trustedboot : 1;
-            // bit 2: SBE Security Backdoor bit.
-            // NOTE: This bit is labeled "Platform Security Overrides Allowed"
-            // in the section 6.1.1 of HDAT spec.
-            uint16_t sbeSecBackdoor : 1;
-            uint16_t reserved : 13;
-        } SysSecSets;
-
         // populate system security settings in hdat
         SysSecSets* const l_sysSecSets =
             reinterpret_cast<SysSecSets*>(&l_sysParmsPtr->hdatSysSecuritySetting);
@@ -1703,6 +1690,15 @@ errlHndl_t populate_TpmInfoByNode(const uint64_t i_instance)
     TARGETING::TargetHandleList tpmList;
     TRUSTEDBOOT::getTPMs(tpmList, TRUSTEDBOOT::TPM_FILTER::ALL_IN_BLUEPRINT);
 
+    // Put the primary TPM first in the list of TPMs to simplify alignment of
+    // trusted boot enabled bits across the nodes.
+    std::sort(tpmList.begin(), tpmList.end(),
+              [](TARGETING::TargetHandle_t lhs, TARGETING::TargetHandle_t rhs)
+              {
+                return (lhs->getAttr<TARGETING::ATTR_TPM_ROLE>() ==
+                        TARGETING::TPM_ROLE_TPM_PRIMARY);
+              });
+
     TARGETING::TargetHandleList l_procList;
 
     getAllChips(l_procList,TARGETING::TYPE_PROC,false);