Diffstat (limited to 'src/usr/secureboot')
-rw-r--r-- | src/usr/secureboot/base/service.C | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/src/usr/secureboot/base/service.C b/src/usr/secureboot/base/service.C
index 98a750c98..d0e3b8f89 100644
--- a/src/usr/secureboot/base/service.C
+++ b/src/usr/secureboot/base/service.C
@@ -74,6 +74,17 @@ struct SecureRegisterValues
 uint64_t data;
 };
+/*
+ * HB specific secureboot setting which is aliased to the FAPI attribute
+ * ATTR_SECURITY_MODE and customized into the SBE image. If 0b0, SBE
+ * will disable proc security (via SAB bit) if mailbox scratch register 3
+ * bit 6 is set. Otherwise, if 0b1, SBE will not override proc security.
+ * TODO RTC 170650: When SBE image is signed in all environments, set
+ * default to 0b1 and rely on SBE signing header to configure the final
+ * value.
+ */
+uint8_t g_sbeSecurityMode = 0;
+
 /**
 * @brief Retrieve values of Security Registers of the processors in the system
 *
@@ -600,4 +611,16 @@ bool allowAttrOverrides()
 };
 #endif
+uint8_t getSbeSecurityMode()
+{
+ return g_sbeSecurityMode;
+}
+
+void setSbeSecurityMode(uint8_t i_sbeSecurityMode)
+{
+ assert(i_sbeSecurityMode == 0 || i_sbeSecurityMode == 1,
+ "SBE Security Mode can only be set to 0 or 1");
+ g_sbeSecurityMode = i_sbeSecurityMode;
+}
+
 } //namespace SECUREBOOT |
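Review bot: `g_sbeSecurityMode` in the first hunk is a writable global with external linkage whose default, 0, is the permissive value: per its own comment, that is the setting under which SBE will disable proc security when mailbox scratch register 3 bit 6 is set. Until the TODO (RTC 170650) is resolved, every boot starts from that value, so the comment should also say which code path is expected to call the setter and at what point. If nothing outside this file needs the symbol, `static uint8_t g_sbeSecurityMode = 0;` would confine writes to `setSbeSecurityMode()` and its range check. Whether a header declares the variable `extern` is not visible in this hunk.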
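Review bot: `setSbeSecurityMode()` in the second hunk lets any caller move the mode from 1 back to 0 at any time, and its only validation is the `assert`, so the guard depends on that macro staying active in every build (not confirmable from this page). If lowering the mode after it has been raised is never intended, an extra guard such as `assert(!(g_sbeSecurityMode == 1 && i_sbeSecurityMode == 0), "SBE Security Mode cannot be lowered once set");` would enforce it. Neither accessor has a doc comment in this file, unlike the `@brief` blocks around them. Something like `/** @brief Set the SBE security mode: 0 lets SBE honor the mailbox scratch override, 1 does not; asserts on any other value. */` would record the contract, unless the header (not shown) already does.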