summaryrefslogtreecommitdiffstats
path: root/src/sbefw/core/securityAlgo.H
diff options
context:
space:
mode:
Diffstat (limited to 'src/sbefw/core/securityAlgo.H')
-rw-r--r--src/sbefw/core/securityAlgo.H307
1 files changed, 307 insertions, 0 deletions
diff --git a/src/sbefw/core/securityAlgo.H b/src/sbefw/core/securityAlgo.H
new file mode 100644
index 00000000..43e96447
--- /dev/null
+++ b/src/sbefw/core/securityAlgo.H
@@ -0,0 +1,307 @@
+/* IBM_PROLOG_BEGIN_TAG */
+/* This is an automatically generated prolog. */
+/* */
+/* $Source: src/sbefw/core/securityAlgo.H $ */
+/* */
+/* OpenPOWER sbe Project */
+/* */
+/* Contributors Listed Below - COPYRIGHT 2019 */
+/* [+] International Business Machines Corp. */
+/* */
+/* */
+/* Licensed under the Apache License, Version 2.0 (the "License"); */
+/* you may not use this file except in compliance with the License. */
+/* You may obtain a copy of the License at */
+/* */
+/* http://www.apache.org/licenses/LICENSE-2.0 */
+/* */
+/* Unless required by applicable law or agreed to in writing, software */
+/* distributed under the License is distributed on an "AS IS" BASIS, */
+/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */
+/* implied. See the License for the specific language governing */
+/* permissions and limitations under the License. */
+/* */
+/* IBM_PROLOG_END_TAG */
+#ifndef __SECURITY_ALGO_H
+#define __SECURITY_ALGO_H
+
+#include <stdint.h>
+#include <stddef.h>
+
+/*
+ Whitelist , Blacklist and Greylist are part of the Security validation
+ of any register. Each list has been sub divided into 3 tables [t1, t2 and
+ t3] as mentioned bellow. Table data will be used on security algorithm to
+ validates register address is part of Whitelist, Blacklist and Greylist
+ or not.
+
+ # -----------------------------------------------------------------#
+ # Step 1: [register list] #
+ # || #
+ # \/ #
+ # {base_address1 : [chiplet range1, chiplet range2]} #
+ #..................................................................#
+ # Eg: [01ABCDEF, 02ABCDEF, 04ABCDEF, 05ABCDEF, 10UVWXYZ, 11UVWXYZ] #
+ # || #
+ # \/ #
+ # {ABCDEF : [0102, 0405], UVWXYZ : [1011]} #
+ # -----------------------------------------------------------------#
+ # Step 2: {base_address1 : [chiplet range1, chiplet range2]} #
+ # || #
+ # \/ #
+ # {chiplet range1 : [base_address1, base_address2]} #
+ #..................................................................#
+ # Eg: {ABCDEF : [0102, 0405], UVWXYZ : [0405, 1020]} #
+ # || #
+ # \/ #
+ # {0102 : [ABCDEF], 0405 : [ABCDEF, UVWXYZ], 1020 : [UVWXYZ]} #
+ # -----------------------------------------------------------------#
+ # Step 3: {chiplet range1 : [base_address1, base_address2]} #
+ # || #
+ # \/ #
+ # {chiplet range1 : {key1 : [base_addr1, base_Addr2]}} #
+ #..................................................................#
+ # Eg: {0102 : [ABCDEF], 0405 : [ABCDEF, UVWXYZ], 1020 : [UVWXYZ]} #
+ # || #
+ # \/ #
+ # {0102 : {AB : [CDEF]}, #
+ # 0405 : {AB : [CDEF], UV : [WXYZ]}, #
+ # 1020 : {UV : [WXYZ]}} #
+ # -----------------------------------------------------------------#
+ # Step 4: {chiplet range1 : {key1 : [base_addr1, base_Addr2]}} #
+ # || #
+ # \/ #
+ # table1, table2, table3 #
+ #..................................................................#
+ # Eg: {0102 : {AB : [CD, EF]}, #
+ # 0405 : {AB : [CD, EF], UV : [WX, YZ]}, #
+ # 1020 : {UV : [WX, YZ]}} #
+ # || #
+ # \/ #
+ # table1: {0102 : 1, 0405 : 3, 1020 : 4} #
+ # table2: {AB : 2, AB : 4, UV : 6, UV : 8} #
+ # table3: {CD, EF, CD, EF, WX, YZ, WX, YZ} #
+ # -----------------------------------------------------------------#
+
+
+ table 1:
+ keys = 2byte - (start , end) of
+ the ranges in bit 0-7 of the 32-bit address
+ values = running count of the paths to table2
+
+ for example - if ranges are 0x20-0x37, 0x01-0x01, 0x10-0x17 and has
+ 1, 2 and 3 paths respectively to table 2
+ then table 1 will have {0x20,0x37} = 01, {0x01,0x01} = 3, {0x10,0x17} = 7
+
+ 1 byte for running count - we are good with uint8_t till the
+ total paths are less than 256
+
+ table 2
+ keys = unique 1 byte numbers having same prefix for each
+ range in table 1 key - bit 8-15 from a 32-bit address
+ values = running count of paths from each of the keys
+
+ for example - if element a has 1 path, b has 0 and c has 3 paths
+ then table 1 will have a = 1, b = 1, c = 4
+
+ 1 byte for key
+ 1 byte for number of paths
+ We are good with uint8_t,
+ till the number of paths to table 3 from each key is less than 256
+
+ table 3
+ values = 2 byte value bit 16-31 of the 32-bit address
+
+ */
+
+#define WHITELIST_TABLE1_MASK 0xFF000000
+#define WHITELIST_TABLE2_MASK 0x00FF0000
+#define WHITELIST_TABLE3_MASK 0x0000FFFF
+#define BLACKLIST_TABLE1_MASK 0xFF000000
+#define BLACKLIST_TABLE2_MASK 0x00FF0000
+#define BLACKLIST_TABLE3_MASK 0x0000FFFF
+#define GREYLIST_TABLE1_MASK 0xFFFFFFFF
+
+#ifndef __PPE__
+ #pragma pack(1)
+#endif
+ // struct range_t and map_t are supporting data types in SecurityAlgo
+ // type to define a range
+ struct range_t
+ {
+ int32_t start;
+ int32_t end;
+ };
+ // key-value map used for the tables
+ struct map_t
+ {
+ bool key;
+ int32_t value;
+ };
+
+ /*@brief Format of T1 table date */
+ typedef struct
+ {
+ uint8_t key_start;
+ uint8_t key_end;
+ uint8_t value;
+ } _t1_t; // Total 3 bytes
+
+ /*@brief Format of T2 table date */
+ typedef struct
+ {
+ uint8_t key;
+ uint16_t value;
+ } _t2_t; // Total 3 bytes
+
+ /*@brief Format of T3 table date */
+ typedef struct
+ {
+ uint16_t value;
+ } _t3_t; // Total 2 bytes
+
+
+ /*@brief Format of Grey list table date */
+ typedef struct
+ {
+ uint32_t key;
+ uint64_t value;
+ } _gl_t1_t; // Total 12 bytes
+
+
+ // table data structure
+ /* @brief Format of White / Black list table-1 */
+ typedef struct
+ {
+ uint32_t size;
+ uint32_t mask;
+ _t1_t *table;
+ } _t1_table_t;
+
+ /* @brief Format of White / Black list table-2 */
+ typedef struct
+ {
+ uint32_t size;
+ uint32_t mask;
+ _t2_t *table;
+ } _t2_table_t;
+
+ /* @brief Format of White / Black list table-3 */
+ typedef struct
+ {
+ uint32_t size;
+ uint32_t mask;
+ _t3_t *table;
+ } _t3_table_t;
+
+ /* @brief Format of Grey list table-1 */
+ typedef struct
+ {
+ uint32_t size;
+ uint32_t mask;
+ _gl_t1_t *table;
+ } _gl_t1_table_t;
+
+ /* @brief Format of SecurityList dump header */
+ typedef struct
+ {
+ uint16_t wl_t1_count;
+ uint16_t wl_t2_count;
+ uint16_t wl_t3_count;
+ uint16_t bl_t1_count;
+ uint16_t bl_t2_count;
+ uint16_t bl_t3_count;
+ uint16_t gl_t1_count;
+ } sec_header_dump_t;
+
+ // Security Access Types
+ typedef enum
+ {
+ READ_ACCESS = 0,
+ WRITE_ACCESS
+ } secAccessType;
+
+ typedef struct GenSecurityListTables
+ {
+ GenSecurityListTables(){}
+ _t1_table_t wl_t1;
+ _t2_table_t wl_t2;
+ _t3_table_t wl_t3;
+
+ _t1_table_t bl_t1;
+ _t2_table_t bl_t2;
+ _t3_table_t bl_t3;
+
+ _gl_t1_table_t gl_t1;
+ } GenSecurityListTables_t;
+#ifndef __PPE__
+ #pragma pack()
+#endif
+
+ static struct GenSecurityListTables secListTableSupport;
+ // size of GenericFspMboxMessage_t header size
+ constexpr size_t SEC_LIST_TABLE_HDR_SIZE = sizeof(sec_header_dump_t);
+
+ /* @brief isAllowed - Public function used for address verification
+ * for a given type of access
+ *
+ * @param[in] i_addr - given address to verify
+ * @param[in] i_mask - mask for data
+ * @param[in] i_type - access type - READ/WRITE
+ *
+ * @return - boolean to denote if the access on the address
+ * is allowed or not
+ *
+ bool _isAllowed(const uint32_t i_addr, const uint64_t i_mask,
+ accessType i_type);
+
+ * @brief _is_present - Look up tables to find if the given
+ * address ii present
+ * @param[in] table1 - table 1 - map with a range and running count
+ * @param[in] table2 - table 2 - map with value and running count
+ * @param[in] table3 - table 3 - array with values
+ * @param[in] i_addr - given address to look up
+ *
+ * @return - boolean to denote if the address in present
+ * in the list of tables
+ */
+
+ bool _is_present( const _t1_table_t &table1,
+ const _t2_table_t &table2,
+ const _t3_table_t &table3,
+ const uint32_t i_addr);
+
+ /* @brief _is_present - Look up tables to find if the given
+ * address with mask is present
+ * @param[in] table1 - table 1 - map with a range and running count
+ * @param[in] i_addr - given address to look up
+ * @param[in] mask - mask to look up
+ *
+ * @return - boolean to denote if the address in present
+ */
+ bool _is_present(const _gl_t1_table_t &table1,
+ const uint32_t i_addr,
+ const uint64_t i_mask);
+
+ /* @brief securityAccessTablesInit - Public function used for
+ * init all white, black and grey list table data
+ * @param[in] i_i_buf - tables data
+ *
+ * @return - boolean to denote if the access on the table
+ * data is allowed or not
+ */
+ bool securityAccessTablesInit(const void * i_buf );
+
+ /* @brief isAccessAllowed - Public function used for address verification
+ * for a given type of access
+ *
+ * @param[in] i_addr - given address to verify
+ * @param[in] i_mask - mask for data
+ * @param[in] i_type - access type - READ_ACCESS / WRITE_ACCESS
+ *
+ * @return - boolean to denote if the access on the address
+ * is allowed or not
+ */
+ bool isAccessAllowed(const uint32_t i_addr, const uint64_t i_mask,
+ secAccessType i_type);
+#endif //__SECURITY_ALGO_H
OpenPOWER on IntegriCloud