From 6a040451c75c888ad1ecca9e10988c119cbbba84 Mon Sep 17 00:00:00 2001 From: Mike Baiocchi Date: Tue, 15 Aug 2017 10:44:28 -0500 Subject: Fix SECUREBOOT runtime interfaces and tests This commit fixes the SECUREBOOT::allowAttrOverrides() function and also allows for more accurate secureboot testing at runtime. Change-Id: Ife86bd3f6311247438dd68a1a191d5de86892512 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/44635 Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Reviewed-by: Marshall J. Wilks Reviewed-by: Nicholas E. Bofferding Tested-by: FSP CI Jenkins Tested-by: Jenkins OP HW Reviewed-by: Daniel M. Crowell --- src/usr/secureboot/runtime/rt_secureboot.C | 25 +++++------- .../secureboot/runtime/test/testsecureboot_rt.H | 46 ++++++++++++++++++++++ 2 files changed, 56 insertions(+), 15 deletions(-) (limited to 'src/usr/secureboot') diff --git a/src/usr/secureboot/runtime/rt_secureboot.C b/src/usr/secureboot/runtime/rt_secureboot.C index 2277cce29..0c24c3875 100644 --- a/src/usr/secureboot/runtime/rt_secureboot.C +++ b/src/usr/secureboot/runtime/rt_secureboot.C @@ -40,7 +40,6 @@ #include #include #include -#include namespace SECUREBOOT { 
@@ -95,20 +94,16 @@ bool allowAttrOverrides() if (enabled()) { // Check attribute to see if overrides are allowed in secure mode - if ( Util::isTargetingLoaded() ) - { - TARGETING::TargetService& tS = TARGETING::targetService(); - TARGETING::Target* sys = nullptr; - (void) tS.getTopLevelTarget( sys ); - assert(sys, "SECUREBOOT::allowAttrOverrides() system target is NULL"); - - retVal = sys->getAttr< - TARGETING::ATTR_ALLOW_ATTR_OVERRIDES_IN_SECURE_MODE>(); - - SB_INF("SECUREBOOT::allowAttrOverrides: " - "Inside Attr check: retVal=0x%X", - retVal); - } + TARGETING::TargetService& tS = TARGETING::targetService(); + TARGETING::Target* sys = nullptr; + (void) tS.getTopLevelTarget( sys ); + assert(sys, "SECUREBOOT::allowAttrOverrides() system target is NULL"); + + retVal = sys->getAttr< + TARGETING::ATTR_ALLOW_ATTR_OVERRIDES_IN_SECURE_MODE>(); + + SB_INF("SECUREBOOT::allowAttrOverrides: Inside Attr check: retVal=0x%X", + retVal); } else { diff --git a/src/usr/secureboot/runtime/test/testsecureboot_rt.H b/src/usr/secureboot/runtime/test/testsecureboot_rt.H index 4173c0855..a7bd93830 100644 --- a/src/usr/secureboot/runtime/test/testsecureboot_rt.H +++ b/src/usr/secureboot/runtime/test/testsecureboot_rt.H @@ -35,8 +35,13 @@ #include #include +#include +#include +#include + #include "common/securetrace.H" #include +#include class SecurebootRtTestSuite: public CxxTest::TestSuite { 
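Review bot: The attribute read in allowAttrOverrides() now runs with no check that targeting is available, and nothing in the hunk says why that is safe. The only protection left is `assert(sys, ...)` after the discarded return of `getTopLevelTarget()`. Because this function decides whether attribute overrides are honoured in secure mode, state the precondition in a comment, for example `// Targeting is always loaded at runtime, so the system target must exist; a missing target is fatal, never a silent default`. That precondition is inferred from the file living under runtime/ and should be confirmed. The initial value of retVal and the else branch lie outside the hunk, so the result when the attribute is not read cannot be checked here.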
@@ -100,8 +105,44 @@ class SecurebootRtTestSuite: public CxxTest::TestSuite { SB_ENTER("SecurebootRtTestSuite::testBaseInterfaces"); + errlHndl_t l_errl = nullptr; + do { + // Runtime scom tests return zeroed buffers unless a write is + // performed first, so write Security register. + uint64_t l_regValue = 0; + size_t l_size = sizeof(l_regValue); + + TARGETING::TargetService& tS = TARGETING::targetService(); + TARGETING::Target* masterProcChipTargetHandle = nullptr; + + l_errl = tS.queryMasterProcChipTargetHandle(masterProcChipTargetHandle); + + if (l_errl) + { + TS_FAIL("SecurebootRtTestSuite::testBaseInterfaces: Failed to get masterProcChipTargetHandle"); + break; + } + + // Set SAB and SUL + l_regValue |= static_cast(SECUREBOOT::ProcSecurity::SabBit); + l_regValue |= static_cast(SECUREBOOT::ProcSecurity::SULBit); + l_errl = deviceWrite( + masterProcChipTargetHandle, + &l_regValue, l_size, + DEVICE_SCOM_ADDRESS( + static_cast( + SECUREBOOT::ProcSecurity::SwitchRegister))); + + if (l_errl) + { + TS_FAIL("SecurebootRtTestSuite::testBaseInterfaces: Failed to Write Security Switch Register"); + break; + } + assert(l_size == sizeof(l_regValue)); + + SB_INF("SECUREBOOT::enabled() = %d", SECUREBOOT::enabled()); SB_INF("SECUREBOOT::allowAttrOverrides() = %d", @@ -109,6 +150,11 @@ class SecurebootRtTestSuite: public CxxTest::TestSuite } while(0); + if (l_errl) + { + errlCommit(l_errl, SECURE_COMP_ID); + } + SB_EXIT("SecurebootRtTestSuite::testBaseInterfaces"); } -- cgit v1.2.1
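Review bot: testBaseInterfaces still only traces its results: after the new write that sets SabBit and SULBit, `SECUREBOOT::enabled()` and `SECUREBOOT::allowAttrOverrides()` are passed to SB_INF and never checked, so a regression in either security gate would not fail the suite. If enabled() at runtime is meant to reflect the SAB bit just written (not visible in this hunk), add a check such as `if (!SECUREBOOT::enabled()) { TS_FAIL("SecurebootRtTestSuite::testBaseInterfaces: enabled() is false after setting SAB"); }`. The `assert(l_size == sizeof(l_regValue))` after deviceWrite would read better as a TS_FAIL followed by `break`, so a short write is reported the same way as the two error paths above it. The test also leaves the switch register set, and whether later tests depend on its state cannot be told from here.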