From 4c586e2298ffafed3c1979784e1626868bd46f58 Mon Sep 17 00:00:00 2001 From: Mike Baiocchi Date: Mon, 22 May 2017 17:14:12 -0500 Subject: Disable Ring Overrides in Secure Mode This commit disables ring overrides during the IPL and at Runtime when the system has security enabled. Change-Id: Ic3b0db92994a61d4ba6e28858bcd6fde59be6a23 RTC: 163094 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/40818 Tested-by: Jenkins Server Reviewed-by: Stephen M. Cprek Tested-by: FSP CI Jenkins Reviewed-by: Marshall J. Wilks Tested-by: Jenkins OP Build CI Reviewed-by: Daniel M. Crowell --- src/usr/isteps/pm/pm_common.C | 12 ++---------- src/usr/pnor/pnor_common.C | 3 ++- src/usr/pnor/pnorrp.C | 8 ++++---- src/usr/pnor/test/pnorrptest.H | 12 ++++++++++++ src/usr/sbe/sbe_update.C | 4 +++- 5 files changed, 23 insertions(+), 16 deletions(-) diff --git a/src/usr/isteps/pm/pm_common.C b/src/usr/isteps/pm/pm_common.C index 0335ebec4..5b0c9372d 100644 --- a/src/usr/isteps/pm/pm_common.C +++ b/src/usr/isteps/pm/pm_common.C @@ -1056,14 +1056,6 @@ namespace HBPM break; #endif - // No overrides in secure mode - if( SECUREBOOT::enabled() ) - { - TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace, - INFO_MRK"getRingOvd(): No overrides in secure mode"); - break; - } - PNOR::SectionInfo_t l_pnorRingOvd; l_err = PNOR::getSectionInfo(PNOR::RINGOVD, l_pnorRingOvd); if(l_err) @@ -1071,8 +1063,8 @@ namespace HBPM delete l_err; l_err = NULL; TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace, - INFO_MRK"getRingOvd(): RINGOVD section not found, " - "it is optional"); + INFO_MRK"getRingOvd(): RINGOVD section not found or " + "is blocked in secure mode. it is optional"); break; } if(l_pnorRingOvd.size == 0) diff --git a/src/usr/pnor/pnor_common.C b/src/usr/pnor/pnor_common.C index 2c491d990..2eb710a16 100644 --- a/src/usr/pnor/pnor_common.C +++ b/src/usr/pnor/pnor_common.C 
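Review bot: With the explicit `SECUREBOOT::enabled()` guard removed, getRingOvd's secure-mode behaviour now rests entirely on `PNOR::getSectionInfo` rejecting RINGOVD through `PNOR::isInhibitedSection` in pnor_common.C, and nothing at this call site says so; a reader of this function alone sees an unconditional override lookup and may later "repair" the error path with a retry or fallback. Add a comment above the call, e.g. `// In secure mode PNOR::getSectionInfo() fails for RINGOVD (see PNOR::isInhibitedSection); the error path below treats that as "no overrides"`. The second hunk's new message folds "not found" and "blocked in secure mode" into one INFO trace while `l_err` is deleted unread, so a genuine PNOR read failure is filed under "optional" as well; if the error carries a distinguishing reason code, trace it before the delete. getRingOvd's body starts and ends outside these hunks.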
@@ -387,7 +387,8 @@ bool PNOR::isInhibitedSection(const uint32_t i_section) { #ifdef CONFIG_SECUREBOOT return (i_section == ATTR_PERM || - i_section == ATTR_TMP) && + i_section == ATTR_TMP || + i_section == RINGOVD ) && SECUREBOOT::enabled(); #else return false; diff --git a/src/usr/pnor/pnorrp.C b/src/usr/pnor/pnorrp.C index 0326bb1e1..bd8609416 100644 --- a/src/usr/pnor/pnorrp.C +++ b/src/usr/pnor/pnorrp.C @@ -509,17 +509,17 @@ errlHndl_t PnorRP::getSectionInfo( PNOR::SectionId i_section, || l_inhibited ) { - TRACFCOMP( g_trac_pnor, "PnorRP::getSectionInfo> Invalid Section Requested : i_section=%d", i_section ); + TRACFCOMP( g_trac_pnor, "PnorRP::getSectionInfo> Invalid Section Requested : i_section=%d (%s)", i_section, SectionIdToString(id)); #ifdef CONFIG_SECUREBOOT if (l_inhibited) { TRACFCOMP( g_trac_pnor, "PnorRP::getSectionInfo> " - "attribute override inhibited by secureboot"); + "attribute overrides inhibited by secureboot"); } #endif uint64_t size = iv_TOC[i_section].size; - TRACFCOMP(g_trac_pnor, "o_info={ id=%d, size=%d }", - iv_TOC[i_section].id, size ); + TRACFCOMP(g_trac_pnor, "o_info={ id=%d, size=%d , name=%s}", + iv_TOC[i_section].id, size, SectionIdToString(id) ); /*@ * @errortype * @moduleid PNOR::MOD_PNORRP_GETSECTIONINFO diff --git a/src/usr/pnor/test/pnorrptest.H b/src/usr/pnor/test/pnorrptest.H index f3d94ef99..d42ce93a5 100644 --- a/src/usr/pnor/test/pnorrptest.H +++ b/src/usr/pnor/test/pnorrptest.H @@ -41,6 +41,7 @@ #include #include #include +#include #include #include "../pnorrp.H" #include "../pnor_common.H" 
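Review bot: `isInhibitedSection` is now the single enforcement point for RINGOVD in secure mode, but the hunk gives no hint why a ring override is grouped with the attribute overrides, and the function's doc comment (outside the hunk) presumably still describes attribute overrides only. Add a short why-comment on the new line, e.g. `// Ring overrides, like attribute overrides, must not be applied when secureboot is enabled`, and update the function's header comment to list RINGOVD so the next section added here follows the same rule. Note the `#else` branch means builds without CONFIG_SECUREBOOT never inhibit anything, which is pre-existing but worth stating in that comment. The function's closing lines are outside the hunk.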
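Review bot: The secureboot trace still says `"attribute overrides inhibited by secureboot"`, but with this commit `l_inhibited` is also true for RINGOVD, so the message misattributes the refusal; change it to `"section inhibited by secureboot"` (the section id and name are already in the preceding trace). The two new traces also mix `i_section` and `id` on the same line (`iv_TOC[i_section].id` next to `SectionIdToString(id)`); `id` is declared outside the hunk, and if it can differ from `i_section` the printed name will not match the printed number, so use one of them consistently. getSectionInfo's body continues outside the hunk.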
@@ -78,7 +79,18 @@ class PnorRpTest : public CxxTest::TestSuite for( uint64_t idx = 0; idx < numSections; idx++) { + // RINGOVD is not supported when secureboot is enabled, but rather + // than looking for the expected fail like non-test code does, just + // skip testing RINGOVD in this scenario + if ( ( testSections[idx] == PNOR::RINGOVD ) && + ( SECUREBOOT::enabled() ) ) + { + TRACFCOMP(g_trac_pnor, "PnorRpTest::test_sectionInfo> Skipping RINGOVD since Security is enabled"); + continue; + } + total++; + errhdl = PNOR::getSectionInfo( testSections[idx], info ); if( errhdl ) { diff --git a/src/usr/sbe/sbe_update.C b/src/usr/sbe/sbe_update.C index 1babff13d..d86fad7a2 100644 --- a/src/usr/sbe/sbe_update.C +++ b/src/usr/sbe/sbe_update.C @@ -896,6 +896,7 @@ namespace SBE PNOR::SectionInfo_t l_pnorRingOvd; do { + l_err = PNOR::getSectionInfo(PNOR::RINGOVD, l_pnorRingOvd); if(l_err) { @@ -903,7 +904,8 @@ namespace SBE l_err = NULL; TRACFCOMP( g_trac_sbe, ERR_MRK"ringOvd():Error trying to read RINGOVD " - "from PNOR. It is optional, continuing"); + "from PNOR. Could be blocked in secure mode. " + "It is optional, continuing"); io_ovdImgSize = 0; break; } -- cgit v1.2.1
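Review bot: Skipping RINGOVD when `SECUREBOOT::enabled()` leaves the new inhibition in `PNOR::isInhibitedSection` with no test: the one scenario this commit changes is exactly the one the loop now `continue`s past. Since pm_common.C and sbe_update.C now depend on `getSectionInfo` returning an error for RINGOVD in secure mode, the test should assert that error rather than skip, so a future change that drops RINGOVD from the inhibited list fails here instead of silently re-enabling overrides. The loop body continues outside the hunk.
```cpp
            if ( ( testSections[idx] == PNOR::RINGOVD ) &&
                 ( SECUREBOOT::enabled() ) )
            {
                // Secure mode must refuse RINGOVD; a successful lookup is the failure case
                errhdl = PNOR::getSectionInfo( testSections[idx], info );
                if( !errhdl )
                {
                    TS_FAIL("PnorRpTest::test_sectionInfo> RINGOVD was not inhibited with Security enabled");
                }
                else
                {
                    delete errhdl;
                    errhdl = NULL;
                }
                continue;
            }
            // … unchanged: total++ and the normal getSectionInfo check …
```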
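Review bot: In secure mode the `getSectionInfo` failure for RINGOVD is now the expected outcome, yet it is still traced with `ERR_MRK` and the error log is deleted unread, so every secure boot emits an error-marked trace for a non-error while a genuine PNOR read failure looks identical. Check `SECUREBOOT::enabled()` (or the error's reason code) before tracing and use `INFO_MRK` for the inhibited case, e.g. `TRACFCOMP( g_trac_sbe, INFO_MRK"ringOvd(): RINGOVD inhibited in secure mode, continuing");`, keeping the `ERR_MRK` trace for the remaining failures. ringOvd's body starts and ends outside the hunk.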