diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/usr/isteps/istep21/call_host_start_payload.C | 107 | ||||
-rw-r--r-- | src/usr/isteps/istep21/makefile | 1 | ||||
-rw-r--r-- | src/usr/runtime/hdatservice.C | 1 | ||||
-rw-r--r-- | src/usr/runtime/hdatstructs.H | 17 | ||||
-rw-r--r-- | src/usr/runtime/populate_hbruntime.C | 22 |
5 files changed, 135 insertions, 13 deletions
diff --git a/src/usr/isteps/istep21/call_host_start_payload.C b/src/usr/isteps/istep21/call_host_start_payload.C index 9b80ae8a3..8d7e8c3eb 100644 --- a/src/usr/isteps/istep21/call_host_start_payload.C +++ b/src/usr/isteps/istep21/call_host_start_payload.C @@ -39,6 +39,7 @@ #include <hbotcompid.H> #include <sys/misc.h> #include <targeting/common/util.H> +#include <targeting/targplatutil.H> #include <pnor/pnorif.H> #include <kernel/console.H> #include <util/misc.H> @@ -59,6 +60,8 @@ #include <sbeio/sbeioif.H> #include <runtime/runtime.H> #include <p9_stop_api.H> +#include "../hdat/hdattpmdata.H" +#include "hdatstructs.H" #ifdef CONFIG_DRTM_TRIGGERING #include <secureboot/drtm.H> @@ -187,6 +190,104 @@ void* msg_handler(msg_q_t i_msgQ) return nullptr; } +/** +* Function to align the trustedboot status on all nodes +*/ +errlHndl_t calcTrustedBootState() +{ + errlHndl_t l_errl = nullptr; + + do { + + TARGETING::Target* l_sys = nullptr; + TARGETING::targetService().getTopLevelTarget(l_sys); + assert(l_sys != nullptr, "Could not get sys target!"); + auto l_hbInstanceMap = l_sys->getAttr<TARGETING::ATTR_HB_EXISTING_IMAGE>(); + const size_t l_hbInstanceCount = __builtin_popcount(l_hbInstanceMap); + if((l_hbInstanceCount < 2) || + (!TARGETING::UTIL::isCurrentMasterNode())) + { + break; // No-op on single node systems and non-master nodes. + } + + uint32_t l_instance = 0; + uint64_t l_hdatBaseAddr = 0; + uint64_t l_dataSizeMax = 0; //unused + uint64_t l_hdatInstanceCount = 0; + uint64_t l_hbrtDataAddr = 0; + + l_errl = RUNTIME::get_host_data_section(RUNTIME::IPLPARMS_SYSTEM, + l_instance, // instance 0 + l_hbrtDataAddr, + l_dataSizeMax); + if(l_errl) + { + break; + } + + hdatSysParms_t* const l_hdatSysParms = + reinterpret_cast<hdatSysParms_t*>(l_hbrtDataAddr); + + SysSecSets* const l_sysSecuritySettings = + reinterpret_cast<SysSecSets*>(&l_hdatSysParms->hdatSysSecuritySetting); + + l_errl = RUNTIME::get_instance_count(RUNTIME::NODE_TPM_RELATED, + l_hdatInstanceCount); + if(l_errl) + { + break; + } + + assert(l_hdatInstanceCount == l_hbInstanceCount, + "Inconsistent number of functional nodes reported"); + + for(l_instance = 0; l_instance < l_hdatInstanceCount; ++l_instance) + { + l_errl = RUNTIME::get_host_data_section(RUNTIME::NODE_TPM_RELATED, + l_instance, + l_hdatBaseAddr, + l_dataSizeMax); + if(l_errl) + { + break; + } + + auto const l_hdatTpmData = reinterpret_cast<HDAT::hdatTpmData_t*> + (l_hdatBaseAddr); + auto const l_hdatTpmInfo = + reinterpret_cast<HDAT::hdatHDIFDataArray_t*> + (reinterpret_cast<uint64_t>(l_hdatTpmData) + + l_hdatTpmData->hdatSbTpmInfo.hdatOffset); + auto const l_hdatTpmInstInfo = + reinterpret_cast<HDAT::hdatSbTpmInstInfo_t*>( + reinterpret_cast<uint64_t>(l_hdatTpmInfo) + + sizeof(*l_hdatTpmInfo)); + TRACFBIN(ISTEPS_TRACE::g_trac_isteps_trace, + "calcTrustedBootState: l_hdatTpmInstInfo:", + l_hdatTpmInstInfo, sizeof(*l_hdatTpmInstInfo)); + TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace, + "calcTrustedBootState: Primary TPM's functional status =" + " %d", l_hdatTpmInstInfo->hdatFunctionalStatus); + + if(l_hdatTpmInstInfo->hdatFunctionalStatus == + HDAT::TpmPresentAndFunctional) + { + l_sysSecuritySettings->trustedboot &= 1; + } + else + { + l_sysSecuritySettings->trustedboot &= 0; + } + } + + TRACFCOMP(ISTEPS_TRACE::g_trac_isteps_trace, + "calcTrustedBootState: final trusted boot enabled status = %d", + l_sysSecuritySettings->trustedboot); + + } while(0); + + return l_errl; +} void* call_host_start_payload (void *io_pArgs) { @@ -210,6 +311,12 @@ void* call_host_start_payload (void *io_pArgs) break; } + l_errl = calcTrustedBootState(); + if(l_errl) + { + break; + } + msg_q_t l_msgQ = msg_q_create(); // Register event to be called on shutdown diff --git a/src/usr/isteps/istep21/makefile b/src/usr/isteps/istep21/makefile index c0ec1114d..eedcb8cf5 100644 --- a/src/usr/isteps/istep21/makefile +++ b/src/usr/isteps/istep21/makefile @@ -36,6 +36,7 @@ EXTRAINCDIR += ${ROOTPATH}/src/import/chips/common/utils/imageProcs/ EXTRAINCDIR += ${ROOTPATH}/src/import/hwpf/fapi2/include/ EXTRAINCDIR += ${ROOTPATH}/src/include/usr/fapi2/ EXTRAINCDIR += ${ROOTPATH}/src/usr/isteps/ +EXTRAINCDIR += ${ROOTPATH}/src/usr/runtime/ OBJS += call_host_runtime_setup.o OBJS += freqAttrData.o diff --git a/src/usr/runtime/hdatservice.C b/src/usr/runtime/hdatservice.C index 47f7a500c..f77165d8d 100644 --- a/src/usr/runtime/hdatservice.C +++ b/src/usr/runtime/hdatservice.C @@ -1450,6 +1450,7 @@ errlHndl_t hdatService::getInstanceCount(const SectionId i_section, switch(i_section) { case RUNTIME::PCRD: + case RUNTIME::NODE_TPM_RELATED: { hdat5Tuple_t* tuple = nullptr; errhdl = getAndCheckTuple(i_section, tuple); diff --git a/src/usr/runtime/hdatstructs.H b/src/usr/runtime/hdatstructs.H index 29f23eac8..2f05a2a70 100644 --- a/src/usr/runtime/hdatstructs.H +++ b/src/usr/runtime/hdatstructs.H @@ -438,4 +438,21 @@ struct hdatCpuCtrlInfo_t hdatCpuCtrlPair_t servRoutineData; // Service Routines Data Area } __attribute__ ((packed)); +/** + * @brief Structure to reflect the security settings on a system. + */ +typedef struct sysSecSets +{ + // bit 0: Code Container Digital Signature Checking + uint16_t secureboot : 1; + // bit 1: Primary TPM is present and functional if single-node system; + // All primary TPMs are present and functional if multi-node system. + uint16_t trustedboot : 1; + // bit 2: SBE Security Backdoor bit. + // NOTE: This bit is labeled "Platform Security Overrides Allowed" + // in the section 6.1.1 of HDAT spec. + uint16_t sbeSecBackdoor : 1; + uint16_t reserved : 13; +} SysSecSets; + #endif diff --git a/src/usr/runtime/populate_hbruntime.C b/src/usr/runtime/populate_hbruntime.C index db26d87be..129068941 100644 --- a/src/usr/runtime/populate_hbruntime.C +++ b/src/usr/runtime/populate_hbruntime.C @@ -1461,19 +1461,6 @@ errlHndl_t populate_hbSecurebootData ( void ) hdatSysParms_t* const l_sysParmsPtr = reinterpret_cast<hdatSysParms_t*>(l_hbrtDataAddr); - typedef struct sysSecSets - { - // bit 0: Code Container Digital Signature Checking - uint16_t secureboot : 1; - // bit 1: Measurements Extended to Secure Boot TPM - uint16_t trustedboot : 1; - // bit 2: SBE Security Backdoor bit. - // NOTE: This bit is labeled "Platform Security Overrides Allowed" - // in the section 6.1.1 of HDAT spec. - uint16_t sbeSecBackdoor : 1; - uint16_t reserved : 13; - } SysSecSets; - // populate system security settings in hdat SysSecSets* const l_sysSecSets = reinterpret_cast<SysSecSets*>(&l_sysParmsPtr->hdatSysSecuritySetting); @@ -1703,6 +1690,15 @@ errlHndl_t populate_TpmInfoByNode(const uint64_t i_instance) TARGETING::TargetHandleList tpmList; TRUSTEDBOOT::getTPMs(tpmList, TRUSTEDBOOT::TPM_FILTER::ALL_IN_BLUEPRINT); + // Put the primary TPM first in the list of TPMs to simplify alignment of + // trusted boot enabled bits across the nodes. + std::sort(tpmList.begin(), tpmList.end(), + [](TARGETING::TargetHandle_t lhs, TARGETING::TargetHandle_t rhs) + { + return (lhs->getAttr<TARGETING::ATTR_TPM_ROLE>() == + TARGETING::TPM_ROLE_TPM_PRIMARY); + }); + TARGETING::TargetHandleList l_procList; getAllChips(l_procList,TARGETING::TYPE_PROC,false); |