| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changed partitions (WOFDATA, MEMD)
to be signed with a hash page table bit. This generates
a hash page table in the protected payload which will be
used to validate pages in the unprotected payload
Change-Id: I9be4b1f6e65b9a52a8b6ba23affdacc4d89f5295
RTC: 179519
Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/72776
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commits enables HOMER BAR to point to the top
of the secure memory on SMF-enabled systems. Consequently,
the HOMER image and hostboot reserved memory will
be moved to the secure memory if SMF is enabled.
Change-Id: I37c7527b06688a41e57f14b4107ff53a507ffae8
RTC: 198825
Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/66702
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds the error log severity to the trace saying that
a new error log is being created. It also cleans up an unused
variable in some error log parsing logic.
Change-Id: Iff196993bdabf80ad65006fca195f0785221257f
Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/63476
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: ILYA SMIRNOV <ismirno@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a new custom Node Comm Device Driver error log
user details section and its parser code. It also adds a function
to add the target and important HW registers to an error log.
Change-Id: I11893af06b7a097b43106117d648e9a431c4f3ea
RTC:191008
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/59079
Reviewed-by: ILYA SMIRNOV <ismirno@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When reading a secure header, the container header object can overrun a buffer
when number of ECIDs or software keys specified is greater than the supported
amount. This change implements hard enforcement to ensure that this is no
longer possible.
Change-Id: Ife9194763f858b37e2de6f12fa01d74da1145df3
CQ: SW419735
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/55088
CI-Ready: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: ILYA SMIRNOV <ismirno@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the Hostboot extended image verification fails, it calls FFDC collection
routine which invokes UtilMem functionality that is contained in the extended
image. This creates a circular loop of dependency that cannot be satisfied.
The FFDC collection was fixed to remove use of UtilMem while providing same
function
Change-Id: Id7a15ae68ec316c5d6d6779143d1409f5333e816
Backport: release-fips910
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/53456
Reviewed-by: ILYA SMIRNOV <ismirno@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Collect both the UTIL and RUNTIME component traces on a ROM
verify failure
Added a new Errlog User Details sections "Verify Info" containing
the component name, ID(s), measured, and expected hashes
Change-Id: I0d0408128e05807bb906be5ee365d56d1416693f
CQ:SW413889
Backport:release-fips910
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/52593
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sections that do not have Secure Headers and need one injected were
not passing in the correct size to preverifiedlidmgr.
e.g. RINGOVD section or when SB is compiled out
Change-Id: I6e8c775a9a1d3f89473c55af6efc8109fb378c99
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/50545
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Error log trace never included "TRBOOT" trace
Change-Id: I0ff99d3d3cc78a7a25c576059d69d1644a2c802d
RTC: 181899
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/50077
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change-Id: I2dfd02bd7c7f5b5356cd93ca967482c2d7f79ec1
RTC: 178520
RTC: 181899
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49966
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Force all PNOR sections we load from HB rserved memory to be secure
Only exception is the RINGOVD section, in which we use a fake header
- Add fake header when Secureboot compiled out or a section is never
signed as there is no secure header preserved in virtual memory
RTC: 171708
RTC: 180063
Change-Id: Ibbbd7be24ee7b199e73451c63b2c2d1f86a2c2d8
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/49020
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a new '--build-type' option to genPnorImages.pl to specify
either fspbuild or opbuild, which adds the appropriate magic
value to the secure header during the signing process.
Change-Id: I46a97f88666a5cc925797d3ad0e870a5f5bac89a
RTC:163655
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/48930
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Repurposed container SW header reserved field for component ID
- Parse component ID when reading container header
- Implement user API to read component ID
Change-Id: I005f0e1cb20d4022333d05bfe86d88bf706f60de
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/46173
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RTC: 175115
Change-Id: Ia12949a63100202895be315cb7febb85df3cda3e
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/44131
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change-Id: Ife4a19ea7f94670143b701f740c80f991f924601
RTC:165693
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/41904
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds an interface to read the HW Key Hash located in the HBBL
section of each Processor's two SBE Seeproms.
Change-Id: I906434269746c296c646f7b0594575c58b145294
RTC: 167585
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/38465
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Martin Gloff <mgloff@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit traces the HwKeyHash to Secureboot-specific error logs. It also
adds the infrastucture necessary to parse secureboot-specific errorlog user
data sections. It includes 2 new custom sections: one which is used in this
commit, and another which will be used in a future commit.
Change-Id: Id5fb115ad1214f956e5256d3641236021e4642ab
RTC:165205
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/37901
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a trace of the Security Switch and CBS Control/Status
registers for all processors in the system. These registers are also
captured for Security-specific error logs.
Change-Id: I245815c720725a9aaf15a3cbad9a50b3288fc1f9
RTC:165205
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/37290
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Added mailbox scratch register 7 definition
- Added DRTM functions
- Added set/clear security switch register functions
- Added additional security switch bit definitions
- Added secureboot extended library to host DRTM functions
- Inhibited TPM start command in DRTM flow
- Added new config options for DRTM and DRTM RIT protection
- Added new DRTM attribute to indicate if DRTM is active
- Added new DRTM attribute to hold DRTM payload address
- Added new DRTM attribute to initiate DRTM in lieu of loading payload
- Updated target service init to determine DRTM settings
- Updated host start payload step to initiate DRTM if conditions are met
- Updated host MPIPL service to verify DRTM payload and clean up DRTM HW state
- Updated host gard step to verify DRTM HW state
- Rerouted PCR extensions to PCR 17 in DRTM boot
- Use locality 2 for all PCR extensions in DRTM boot
- Inhibit extension logging (for now) in DRTM boot
- Only extend seperator to PCR 17 in DRTM boot
Change-Id: Id52c36c3a64ca002571396d605caa308d9dc0199
RTC: 157140
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/35633
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Timothy R. Block <block@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
|
|
- Added verify_container API to runtime interface for secureboot
- Added testcase to test API registration
- Created common secureboot tracing files
Change-Id: If755644ff6507f14fd0463f4accf05301fc91832
RTC: 156119
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/26104
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Christopher J. Engel <cjengel@us.ibm.com>
Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
|