From cd400323aa493e656fb839202d6f6414a3b040af Mon Sep 17 00:00:00 2001 From: Samuel Mendoza-Jonas Date: Wed, 27 Jun 2018 13:35:35 +1000 Subject: genPnorImages: Add VERSION to signed partitions Mark VERSION as a signed partition and also check for it in the IPMI FRU setup. Change-Id: I6e8690c4f34d1f5ce92750960e6c73afcbf0a8e9 CQ:SW416159 Signed-off-by: Samuel Mendoza-Jonas Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/61439 Reviewed-by: Nicholas E. Bofferding Tested-by: Jenkins Server Tested-by: Jenkins OP Build CI Tested-by: FSP CI Jenkins Tested-by: Jenkins OP HW Reviewed-by: Michael Baiocchi Reviewed-by: Daniel M. Crowell --- src/usr/errl/errlentry.C | 23 ++++++++++++++-------- src/usr/ipmiext/ipmifruinv.C | 47 +++++++++++++++++++++++++++++++++++++++++++- src/usr/pnor/pnor_utils.C | 3 ++- src/usr/pnor/pnorrp.C | 25 +++++++++++++++++++++++ src/usr/pnor/pnorrp.H | 21 +++++++++++++++++++- 5 files changed, 108 insertions(+), 11 deletions(-) (limited to 'src/usr') diff --git a/src/usr/errl/errlentry.C b/src/usr/errl/errlentry.C index b1715ad41..072a31ac1 100644 --- a/src/usr/errl/errlentry.C +++ b/src/usr/errl/errlentry.C @@ -48,6 +48,7 @@ #include #include #include +#include #include "../trace/entry.H" #include 
@@ -667,16 +668,21 @@ void ErrlEntry::addHbBuildId() void ErrlEntry::addVersionInfo() { + +// Start of IPL only block; runtime does not support secure loading of +// partitions +#ifndef __HOSTBOOT_RUNTIME + // Version section of PNOR is only available to OpenPOWER systems. - if (!INITSERVICE::spBaseServicesEnabled()) + if ( !INITSERVICE::spBaseServicesEnabled() + && PNOR::isSectionAvailable(PNOR::VERSION)) { - //TODO: CQ:SW416159 Uncomment when merged - // bool l_secureSectionLoaded = false; - errlHndl_t l_errl = nullptr/*, l_errl_loadSecureSection = nullptr*/; + bool l_secureSectionLoaded = false; + errlHndl_t l_errl = nullptr, l_errl_loadSecureSection = nullptr; do { -/* TODO: CQ:SW416159 Uncomment when merged + #ifdef CONFIG_SECUREBOOT l_errl_loadSecureSection = PNOR::loadSecureSection(PNOR::VERSION); if (l_errl_loadSecureSection) @@ -698,7 +704,7 @@ void ErrlEntry::addVersionInfo() l_secureSectionLoaded = true; } #endif -*/ + // Get PNOR Version PNOR::SectionInfo_t l_pnorVersionInfo; l_errl = getSectionInfo(PNOR::VERSION, l_pnorVersionInfo); @@ -737,7 +743,6 @@ void ErrlEntry::addVersionInfo() ErrlUserDetailsString(l_pVersionString).addToLog(this); } while(0); -/* TODO: CQ:SW416159 Uncomment when merged #ifdef CONFIG_SECUREBOOT if (l_secureSectionLoaded) { @@ -757,9 +762,11 @@ void ErrlEntry::addVersionInfo() } } #endif -*/ + } +#endif // End of IPL only block + } enum { diff --git a/src/usr/ipmiext/ipmifruinv.C b/src/usr/ipmiext/ipmifruinv.C index 8e49ed7ba..e3518e20a 100644 --- a/src/usr/ipmiext/ipmifruinv.C +++ b/src/usr/ipmiext/ipmifruinv.C @@ -8,6 +8,7 @@ /* Contributors Listed Below - COPYRIGHT 2014,2018 */ /* [+] International Business Machines Corp. */ /* [+] Jim Yuan */ +/* [+] Maxim Polyakov */ /* */ /* */ /* Licensed under the Apache License, Version 2.0 (the "License"); */ 
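Review bot: With the whole body now inside `#ifndef __HOSTBOOT_RUNTIME`, `ErrlEntry::addVersionInfo()` compiles to an empty function at runtime, so error logs created there get no PNOR version string. The in-body comment gives the reason, but someone reading only the declaration cannot see it. I would put it in the function's doc comment, e.g. `@note IPL only: no-op under __HOSTBOOT_RUNTIME, where secure loading of partitions is not supported`. The new `PNOR::isSectionAvailable(PNOR::VERSION)` guard also makes a missing section skip silently, so a one-line comment there saying the skip is intentional would help. The function body continues through the following hunks, and parts of it are not visible.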
@@ -1389,7 +1390,7 @@ errlHndl_t systemFwIpmiFruInv::buildBoardInfoArea(std::vector &io_data) errlHndl_t systemFwIpmiFruInv::buildProductInfoArea(std::vector &io_data) { - errlHndl_t l_errl = NULL; + errlHndl_t l_errl = nullptr, l_errl_version = nullptr; do { //Set formatting data that goes at the beginning of the record @@ -1404,6 +1405,16 @@ errlHndl_t systemFwIpmiFruInv::buildProductInfoArea(std::vector &l_data[0], &l_data[0] + (uint8_t(sizeof(l_data) / sizeof(uint8_t)))); +#ifdef CONFIG_SECUREBOOT + l_errl_version = PNOR::loadSecureSection(PNOR::VERSION); + if (l_errl_version) + { + TRACFCOMP(g_trac_ipmi, + "buildProductInfoArea: Failed to load secure VERSION"); + break; + } +#endif + //Get PNOR Version Here PNOR::SectionInfo_t l_pnorInfo; l_errl = getSectionInfo( PNOR::VERSION , l_pnorInfo); @@ -1535,6 +1546,40 @@ errlHndl_t systemFwIpmiFruInv::buildProductInfoArea(std::vector } while(0); +#ifdef CONFIG_SECUREBOOT + if (l_errl_version == nullptr) + { + l_errl_version = unloadSecureSection(PNOR::VERSION); + if (l_errl_version) + { + TRACFCOMP(g_trac_ipmi, + "buildProductInfoArea: Failed to unload secure VERSION"); + if (l_errl) + { + errlCommit(l_errl_version, IPMI_COMP_ID); + } + else + { + l_errl = l_errl_version; + l_errl_version = nullptr; + } + } + } + else + { + if (l_errl) + { + errlCommit(l_errl_version, IPMI_COMP_ID); + } + else + { + l_errl = l_errl_version; + l_errl_version = nullptr; + } + } +#endif + + //Finalize section formatting postFormatProcessing(io_data); diff --git a/src/usr/pnor/pnor_utils.C b/src/usr/pnor/pnor_utils.C index 6174f6e60..3e2d64c83 100644 --- a/src/usr/pnor/pnor_utils.C +++ b/src/usr/pnor/pnor_utils.C @@ -377,7 +377,8 @@ bool PNOR::isEnforcedSecureSection(const uint32_t i_section) i_section == WOFDATA || i_section == MEMD || i_section == CAPP || - i_section == TESTLOAD; + i_section == TESTLOAD || + i_section == VERSION; #endif #else return false; 
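Review bot: `PNOR::loadSecureSection(PNOR::VERSION)` is called in the `@@ -1404` hunk without first checking `PNOR::isSectionAvailable(PNOR::VERSION)`, whereas `ErrlEntry::addVersionInfo()` in this same patch gates its load on that check. If a secure-boot build can run against a flash image with no VERSION partition (not determinable from this hunk), the load fails, the `break` skips the rest of the product info area, and the error is returned to the caller. Either guard the load the same way or state the intent in a comment, e.g. `// VERSION is mandatory here: a failed secure load aborts the product info area`. The function starts and ends outside this hunk.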
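Review bot: The cleanup in the `@@ -1535` hunk treats `l_errl_version == nullptr` as "the section was loaded", which would also be true if the loop were ever left before the load call. `ErrlEntry::addVersionInfo()` in this patch tracks that state with an explicit `l_secureSectionLoaded` flag, and the same flag here would keep the unload strictly paired with a successful load. The commit-or-return handling of `l_errl_version` is also written out twice, once per branch, and can be shared. The sketch below keeps the existing condition and only merges the duplicated branch; the function body starts outside the hunk.

```cpp
#ifdef CONFIG_SECUREBOOT
    // No load error recorded: release the section loaded at the top of the loop
    if (l_errl_version == nullptr)
    {
        l_errl_version = unloadSecureSection(PNOR::VERSION);
        if (l_errl_version)
        {
            TRACFCOMP(g_trac_ipmi,
                "buildProductInfoArea: Failed to unload secure VERSION");
        }
    }

    // A load or unload failure is returned when nothing else failed,
    // otherwise it is committed so the earlier error stays the return value
    if (l_errl_version)
    {
        if (l_errl)
        {
            errlCommit(l_errl_version, IPMI_COMP_ID);
        }
        else
        {
            l_errl = l_errl_version;
            l_errl_version = nullptr;
        }
    }
#endif
    // … unchanged: postFormatProcessing(io_data) …
```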
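Review bot: Adding `VERSION` to the list in `PNOR::isEnforcedSecureSection()` changes the contract for every reader of that partition, not only the two call sites updated in this patch (`ErrlEntry::addVersionInfo()` and `systemFwIpmiFruInv::buildProductInfoArea()`). Presumably any other path that reads VERSION through `getSectionInfo()` now needs the same `loadSecureSection`/`unloadSecureSection` bracket on secure systems. That is inferred from the two updated callers, since the enforcement logic itself is outside this hunk. A short comment above the list stating what a section's presence here obliges its readers to do would help whoever adds the next reader. The function starts before the hunk, and the `#if` nesting around the list is only partly visible.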
diff --git a/src/usr/pnor/pnorrp.C b/src/usr/pnor/pnorrp.C index 1df1f7001..c9a5e5336 100644 --- a/src/usr/pnor/pnorrp.C +++ b/src/usr/pnor/pnorrp.C @@ -95,6 +95,14 @@ errlHndl_t PNOR::getSectionInfo( PNOR::SectionId i_section, return Singleton::instance().getSectionInfo(i_section,o_info); } +/** + * @brief Returns whether a given section is available or not + */ +bool PNOR::isSectionAvailable(const PNOR::SectionId i_section) +{ + return Singleton::instance().isSectionAvailable(i_section); +} + /** * @brief Clear pnor section */ @@ -394,6 +402,23 @@ errlHndl_t PnorRP::getSideInfo( PNOR::SideId i_side, return l_err; } +/** + * @brief Returns whether a given section is available or not + */ +bool PnorRP::isSectionAvailable(const PNOR::SectionId i_section) +{ + bool available = false; + uint64_t rc = 0; + if( (!didStartupFail(rc)) + && (i_section < PNOR::NUM_SECTIONS) + && (!isInhibitedSection(i_section)) + && (iv_TOC[i_section].size != 0)) + { + available = true; + } + return available; +} + /** * @brief Return the size and address of a given section of PNOR data */ diff --git a/src/usr/pnor/pnorrp.H b/src/usr/pnor/pnorrp.H index f3519b576..9ab654678 100644 --- a/src/usr/pnor/pnorrp.H +++ b/src/usr/pnor/pnorrp.H @@ -5,7 +5,7 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* Contributors Listed Below - COPYRIGHT 2011,2017 */ +/* Contributors Listed Below - COPYRIGHT 2011,2018 */ /* [+] Google Inc. */ /* [+] International Business Machines Corp. */ /* */ 
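Review bot: Both new definitions in pnorrp.C (`PNOR::isSectionAvailable` in the `@@ -95` hunk and `PnorRP::isSectionAvailable` in the `@@ -394` hunk) are unconditional, while the member declaration added to pnorrp.H sits inside `#ifndef __HOSTBOOT_RUNTIME`. If this file is ever compiled for runtime, the member definition would have no matching declaration. Wrapping both definitions in the same guard, or adding a comment that this file is IPL-only, would make the intent explicit. The declaration also takes `PNOR::SectionId i_section` while the definitions take `const PNOR::SectionId i_section`; that is harmless, but the two are easier to match up when identical.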
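Review bot: In `PnorRP::isSectionAvailable` (the `@@ -394` hunk) the `i_section < PNOR::NUM_SECTIONS` test is what keeps `iv_TOC[i_section]` in range, presumably because the table is sized by `NUM_SECTIONS`. It only protects the index because `&&` evaluates left to right. A comment such as `// range check must stay ahead of isInhibitedSection() and the iv_TOC index` would stop a later reorder from turning this into an out-of-bounds read. The `rc` filled in by `didStartupFail(rc)` is never read, so a brief `// rc unused: only the boolean result matters here` would show that is deliberate.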
@@ -79,6 +79,25 @@ class PnorRP errlHndl_t getSectionInfo( PNOR::SectionId i_section, PNOR::SectionInfo_t& o_info ); +#ifndef __HOSTBOOT_RUNTIME + /** + * @brief Returns whether requested section is available or not + * + * @par Detailed Description: + * Returns whether requested section is available or not. Resource + * provider must be functional, section ID must be valid, section must + * not be inhibited by secure boot, and section must exist in the PNOR + * to be considered available. + * + * @param[in] i_section PNOR section to check for availability + * + * @return boolean Whether section is available or not + * @retval true Section is available + * @retval false Section is not available + */ + bool isSectionAvailable(PNOR::SectionId i_section); +#endif + /** * @brief Clears the specified PNOR section with all FF's (w/ good ECC) * -- cgit v1.2.1