diff options
| author | spashabk-in <shakeebbk@in.ibm.com> | 2017-05-25 05:48:51 -0500 |
|---|---|---|
| committer | Sachin Gupta <sgupta2m@in.ibm.com> | 2017-10-04 00:41:48 -0400 |
| commit | 4b8ed3f80f35d4de9e913f1fee92a0a95e8f8834 (patch) | |
| tree | 35206384c3b93e4a8cbe54410e5df6bd98ed8799 /src/sbefw | |
| parent | fcecddd101106826ad916ce91b5dd79ede53cd0b (diff) | |
| download | talos-sbe-4b8ed3f80f35d4de9e913f1fee92a0a95e8f8834.tar.gz talos-sbe-4b8ed3f80f35d4de9e913f1fee92a0a95e8f8834.zip | |
[Whitelist/Blacklist] - Algorithm implementation
Added data structures for the tables
Added framework for Security algorithm implementation
Added generated file for the security table
Implemented the source code for the algorithm
Incremental size with current csv - 1500bytes
Change-Id: Ifb9f2ee4a406c61488c0f3ccaab58318126550f1
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/41821
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Sachin Gupta <sgupta2m@in.ibm.com>
Reviewed-by: RAJA DAS <rajadas2@in.ibm.com>
Diffstat (limited to 'src/sbefw')
| -rw-r--r-- | src/sbefw/sbeSecurity.C | 141 | ||||
| -rw-r--r-- | src/sbefw/sbeSecurity.H | 91 |
2 files changed, 232 insertions, 0 deletions
diff --git a/src/sbefw/sbeSecurity.C b/src/sbefw/sbeSecurity.C new file mode 100644 index 00000000..0085fc41 --- /dev/null +++ b/src/sbefw/sbeSecurity.C @@ -0,0 +1,141 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/sbefw/sbeSecurity.C $ */ +/* */ +/* OpenPOWER sbe Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2017 */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +#include "sbeSecurity.H" +#include "sbetrace.H" + +#include "sbeSecurityGen.H" + +namespace SBE_SECURITY +{ + +// Figure out at compile time, the number of shifts required for the mask +constexpr uint32_t get_shift_len(uint32_t mask, uint8_t shifts = 0) +{ + return ((mask>>shifts) & 0x01) ? (shifts) : (get_shift_len(mask, ++shifts)); +} + +template <typename Func> +map_t<bool, uint32_t> binary_search( + const uint32_t search_key, + range_t<uint64_t, uint32_t> x_range, + Func get_element) +{ + map_t<bool, uint32_t> ret = {false, 0}; // found=false + + while((x_range.start <= x_range.end) && + (ret.key == false)) + { + uint32_t midpoint = (x_range.start + x_range.end) / 2; + uint32_t ele = get_element(midpoint); + if(search_key == ele) + { + ret.key = true; + ret.value = midpoint; + } + else if(search_key < ele) + { + x_range.end = midpoint - 1; + } + else + { + x_range.start = midpoint + 1; + } + } + return ret; +} + +template <typename M1_T, typename M1_U, + typename M2_T, typename M2_U, + typename T3> +bool _is_present(const table< map_t< range_t<M1_T>, M1_U > > &table1, + const table< map_t<M2_T, M2_U> > &table2, + const table< T3 > &table3, + const uint32_t i_addr) +{ +#define SBE_FUNC "SBE_SECURITY::_is_present" + SBE_ENTER(SBE_FUNC); + for(size_t i = 0; i < table1.size; i++) + { + M1_U key = (i_addr & table1.mask) >> get_shift_len(table1.mask); + if((table1.table[i].key.start <= key) && + (table1.table[i].key.end >= key)) + { + SBE_DEBUG(SBE_FUNC" found key[0x%x] table index[%d]", key, i); + // Found the range where key might belong to + uint32_t search_key = (i_addr & table2.mask) >> + get_shift_len(table2.mask); + range_t<uint64_t, uint32_t> search_range = {}; + search_range.start = i ? table1.table[i-1].value : 0; + search_range.end = table1.table[i].value - 1; + map_t<bool, uint32_t> search_result = + binary_search( + search_key, + search_range, + [&table2](uint32_t midpoint) -> uint32_t { + return table2.table[midpoint].key; + }); + if(search_result.key == true) + { + // Found the key + search_range.start = (search_result.value ? + table2.table[search_result.value-1].value : 0); + search_range.end = + table2.table[search_result.value].value - 1; + search_key = (i_addr & table3.mask) >> + get_shift_len(table3.mask); + search_result = binary_search( + search_key, + search_range, + [&table3](uint32_t midpoint) -> uint32_t { + return table3.table[midpoint]; + }); + if(search_result.key == true) + { + // Found the number + return true; + } + } + } + } + SBE_EXIT(SBE_FUNC); + return false; +#undef SBE_FUNC +} + +bool isAllowed(const uint32_t i_addr, accessType type) +{ + bool ret = false; + if(type == WRITE) + ret = WHITELIST::isPresent(i_addr); + else if(type == READ) + ret = !BLACKLIST::isPresent(i_addr); + if(!ret) + { + SBE_INFO("SBE_SECURITY access[%d] denied addr[0x%08x]", + type, i_addr); + } + return ret; +} + +} // namespace SBE_SECURITY diff --git a/src/sbefw/sbeSecurity.H b/src/sbefw/sbeSecurity.H new file mode 100644 index 00000000..f115ffe3 --- /dev/null +++ b/src/sbefw/sbeSecurity.H @@ -0,0 +1,91 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/sbefw/sbeSecurity.H $ */ +/* */ +/* OpenPOWER sbe Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2017 */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +#ifndef __SBE_SECURITY_H +#define __SBE_SECURITY_H + +#include <stdint.h> + +namespace SBE_SECURITY +{ + typedef enum + { + READ = 0, + WRITE + } accessType; + + // type to define a range + template <typename T> + struct + { + T start; + T end; + } range; + + // key-value map used for the tables + template <typename T, typename U> + struct map_t + { + T key; + U value; + }; + + // table data structure + template <typename T> + struct table + { + uint8_t size; + uint32_t mask; + T *table; + }; + + /* @brief isAllowed - Public function used for address verification + * for a given type of access + * + * @param[in] i_addr - given address to verify + * @param[in] accessType - access type - READ/WRITE + * + * @return - boolean to denote if the access on the address + * is allowed or not + */ + bool isAllowed(const uint32_t i_addr, accessType type); + + /* @brief _is_present - Look up tables to find if the given + * address is present + * @param[in] table1 - table 1 - map with a range and running count + * @param[in] table2 - table 2 - map with value and running count + * @param[in] table3 - table 3 - array with values + * @param[in] i_addr - given address to look up + * + * @return - boolean to denote if the address in present + * in the list of tables + */ + template <typename M1_T, typename M1_U, + typename M2_T, typename M2_U, + typename T3> + bool _is_present(const table< map_t< range_t<M1_T>, M1_U > > &table1, + const table< map_t<M2_T, M2_U> > &table2, + const table< T3 > &table3, + const uint32_t i_addr); +} +#endif //__SBE_SECURITY_H |
