From 713f7f024c4545362d304914f7979e0c5128f0b2 Mon Sep 17 00:00:00 2001
From: Ilya Smirnov <ismirno@us.ibm.com>
Date: Wed, 21 Mar 2018 09:27:16 -0500
Subject: Secure Boot: Close SBE Security Backdoor

During a key transition process from dev to prod keys the
lab override bit does not get unset and does not get customized
into SBE at the time of the transition. Only when the system
reaches istep 10.2 with prod keys does the bit get reset. This
change customizes the bit at the time of the transition, which
ensures the system is secure all the way through IPL with prod
keys.

Change-Id: I1343d2dd95aa4549b92e46ebcb9df142303c1f0b
RTC: 188958
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/56127
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
---
 src/usr/sbe/sbe_update.C | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'src/usr/sbe')

diff --git a/src/usr/sbe/sbe_update.C b/src/usr/sbe/sbe_update.C
index fc1057d2f..cf27fac16 100644
--- a/src/usr/sbe/sbe_update.C
+++ b/src/usr/sbe/sbe_update.C
@@ -5845,7 +5845,7 @@ errlHndl_t secureKeyTransition()
         l_errl = l_nestedConHdr.setHeader(l_pVaddr);
         if(l_errl)
         {
-             TRACFCOMP( g_trac_sbe, ERR_MRK"secureKeyTransition() - setheader failed");
+            TRACFCOMP( g_trac_sbe, ERR_MRK"secureKeyTransition() - setheader failed");
             break;
         }
         // Get pointer to first element of hwKeyHash from header.
@@ -5855,6 +5855,18 @@ errlHndl_t secureKeyTransition()
                sizeof(g_hw_keys_hash_transition_data));
         // Indicate a key transition is required
         g_do_hw_keys_hash_transition = true;
+
+        bool l_hw_lab_override_flag = l_nestedConHdr.sb_flags()->hw_lab_override;
+        TRACFCOMP(g_trac_sbe, "Overriding the Lab Security Backdoor Bit due to"
+                  " key transition; new Security Backdoor Enabled bit is %d",
+                  l_nestedConHdr.sb_flags()->hw_lab_override);
+        l_errl = SECUREBOOT::setSbeSecurityMode(!l_hw_lab_override_flag);
+        if(l_errl)
+        {
+            TRACFCOMP(g_trac_sbe, ERR_MRK"secureKeyTransition() - could not"
+                      " set SBE security mode.");
+            break;
+        }
     }
     if(l_loaded)
     {
-- 
cgit v1.2.1