diff options
Diffstat (limited to 'src/usr/runtime')
-rw-r--r-- | src/usr/runtime/hdatservice.C | 1 | ||||
-rw-r--r-- | src/usr/runtime/hdatstructs.H | 17 | ||||
-rw-r--r-- | src/usr/runtime/populate_hbruntime.C | 22 |
3 files changed, 27 insertions, 13 deletions
diff --git a/src/usr/runtime/hdatservice.C b/src/usr/runtime/hdatservice.C index 47f7a500c..f77165d8d 100644 --- a/src/usr/runtime/hdatservice.C +++ b/src/usr/runtime/hdatservice.C @@ -1450,6 +1450,7 @@ errlHndl_t hdatService::getInstanceCount(const SectionId i_section, switch(i_section) { case RUNTIME::PCRD: + case RUNTIME::NODE_TPM_RELATED: { hdat5Tuple_t* tuple = nullptr; errhdl = getAndCheckTuple(i_section, tuple); diff --git a/src/usr/runtime/hdatstructs.H b/src/usr/runtime/hdatstructs.H index 29f23eac8..2f05a2a70 100644 --- a/src/usr/runtime/hdatstructs.H +++ b/src/usr/runtime/hdatstructs.H @@ -438,4 +438,21 @@ struct hdatCpuCtrlInfo_t hdatCpuCtrlPair_t servRoutineData; // Service Routines Data Area } __attribute__ ((packed)); +/** + * @brief Structure to reflect the security settings on a system. + */ +typedef struct sysSecSets +{ + // bit 0: Code Container Digital Signature Checking + uint16_t secureboot : 1; + // bit 1: Primary TPM is present and functional if single-node system; + // All primary TPMs are present and functional if multi-node system. + uint16_t trustedboot : 1; + // bit 2: SBE Security Backdoor bit. + // NOTE: This bit is labeled "Platform Security Overrides Allowed" + // in the section 6.1.1 of HDAT spec. + uint16_t sbeSecBackdoor : 1; + uint16_t reserved : 13; +} SysSecSets; + #endif diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C index db26d87be..129068941 100644 --- a/src/usr/runtime/populate_hbruntime.C +++ b/src/usr/runtime/populate_hbruntime.C @@ -1461,19 +1461,6 @@ errlHndl_t populate_hbSecurebootData ( void ) hdatSysParms_t* const l_sysParmsPtr = reinterpret_cast<hdatSysParms_t*>(l_hbrtDataAddr); - typedef struct sysSecSets - { - // bit 0: Code Container Digital Signature Checking - uint16_t secureboot : 1; - // bit 1: Measurements Extended to Secure Boot TPM - uint16_t trustedboot : 1; - // bit 2: SBE Security Backdoor bit. - // NOTE: This bit is labeled "Platform Security Overrides Allowed" - // in the section 6.1.1 of HDAT spec. - uint16_t sbeSecBackdoor : 1; - uint16_t reserved : 13; - } SysSecSets; - // populate system security settings in hdat SysSecSets* const l_sysSecSets = reinterpret_cast<SysSecSets*>(&l_sysParmsPtr->hdatSysSecuritySetting); @@ -1703,6 +1690,15 @@ errlHndl_t populate_TpmInfoByNode(const uint64_t i_instance) TARGETING::TargetHandleList tpmList; TRUSTEDBOOT::getTPMs(tpmList, TRUSTEDBOOT::TPM_FILTER::ALL_IN_BLUEPRINT); + // Put the primary TPM first in the list of TPMs to simplify alignment of + // trusted boot enabled bits across the nodes. + std::sort(tpmList.begin(), tpmList.end(), + [](TARGETING::TargetHandle_t lhs, TARGETING::TargetHandle_t rhs) + { + return (lhs->getAttr<TARGETING::ATTR_TPM_ROLE>() == + TARGETING::TPM_ROLE_TPM_PRIMARY); + }); + TARGETING::TargetHandleList l_procList; getAllChips(l_procList,TARGETING::TYPE_PROC,false); |