From 8e9d92bf3c8fc86ad2885db215ac9e87dcb6dceb Mon Sep 17 00:00:00 2001
From: spashabk-in
Date: Tue, 23 Jan 2018 05:19:54 -0600
Subject: Check for disable scom filtering bit Disable scom filtering if the scom filtering disable bit is set
Change-Id: I866275da3b05d340636e5e847eb63e14b3a67937
cmvc-prereq: 1046050
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/53854
Tested-by: Jenkins Server
Tested-by: FSP CI Jenkins
Reviewed-by: RAJA DAS
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/52428
Reviewed-by: Sachin Gupta
---
 src/sbefw/core/sbe_sp_intf.H | 1 +
 src/sbefw/core/sberegaccess.H | 19 +++++++++++++++++--
 src/sbefw/core/sbeutil.H | 15 ++++++++++++---
 src/test/testcases/test.xml | 3 ++-
 src/test/testcases/testSecurity.py | 9 +++++----
 5 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/src/sbefw/core/sbe_sp_intf.H b/src/sbefw/core/sbe_sp_intf.H
index 4b6c7704..76895ae3 100644
--- a/src/sbefw/core/sbe_sp_intf.H
+++ b/src/sbefw/core/sbe_sp_intf.H
@@ -221,6 +221,7 @@ enum sbeSecondaryResponse
 SBE_SEC_BLACKLISTED_CHIPOP_ACCESS = 0x20,
 SBE_SEC_DMT_TIMEOUT = 0x21,
 SBE_SEC_SYSTEM_CHECKSTOP = 0x22,
+ SBE_SEC_BLACKLISTED_REG_ACCESS_BLOCKED = 0x23,
 };
 /**
diff --git a/src/sbefw/core/sberegaccess.H b/src/sbefw/core/sberegaccess.H
index cff354b3..62d07d41 100644
--- a/src/sbefw/core/sberegaccess.H
+++ b/src/sbefw/core/sberegaccess.H
@@ -35,6 +35,7 @@
 #include
 #include "sbestates.H"
 #include "sbeevents.H"
+#include "fapi2.H"
 /**
 * @brief Utility singleton that SBEFW can use to read write various scratch
@@ -257,6 +258,19 @@ class SbeRegAccess
 */
 bool isSbeRegressionBit();
+ /*
+ * @brief Get disable scom filtering bit
+ *
+ * @return scom filtering disable allowed
+ */
+ bool disableScomFiltering()
+ {
+ fapi2::Target FAPI_SYSTEM;
+ uint8_t readData;
+ FAPI_ATTR_GET(fapi2::ATTR_SECURITY_MODE, FAPI_SYSTEM, readData);
+ return (!readData &&
+ iv_disableScomFiltering);
+ }
 private:
 /**
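Review bot: In `disableScomFiltering()` the result of `FAPI_ATTR_GET` is discarded and `readData` has no initializer, so if the attribute read can fail or leave the variable untouched (the macro's definition is outside this diff) the `!readData` test runs on an indeterminate value and may report that filtering can be disabled. A secure default keeps the check fail-closed: `uint8_t readData = 1;`, since the return expression honours the override only when the attribute reads zero. The doc comment also opens with `/*` while the surrounding context lines use `/**`, so a documentation generator will probably skip it; changing it to `/**` and adding a line that the override is ignored when ATTR_SECURITY_MODE is non-zero would document the security condition.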
@@ -275,9 +289,10 @@ class SbeRegAccess
 uint64_t iv_fspAttached : 1;
 uint64_t iv_collectFFDC : 1;
 uint64_t iv_sendFFDC : 1;
- uint64_t iv_mbx3DontCare1 : 6;
+ uint64_t iv_mbx3DontCare1 : 5;
+ uint64_t iv_disableScomFiltering : 1;
 uint64_t iv_disableInvalidScomAddrCheck : 1;
- uint64_t iv_mbx3DontCare : 19;
+ uint64_t iv_mbx3DontCare2 : 19;
 uint64_t iv_mbx3Unused : 32;
 };
 uint64_t iv_mbx3;
diff --git a/src/sbefw/core/sbeutil.H b/src/sbefw/core/sbeutil.H
index 9528eabd..73850ff7 100644
--- a/src/sbefw/core/sbeutil.H
+++ b/src/sbefw/core/sbeutil.H
@@ -49,10 +49,19 @@ if ((l_rc) != SBE_SEC_OPERATION_SUCCESSFUL) \
 #define CHECK_SBE_SECURITY_RC_AND_BREAK_IF_NOT_SUCCESS(addr, op, resp) \
 if (!SBE_SECURITY::isAllowed(addr, op)) \
 { \
- resp->setStatus(SBE_PRI_UNSECURE_ACCESS_DENIED, \
- SBE_SEC_BLACKLISTED_REG_ACCESS); \
 /* TODO via RTC 180983:Enable this once the BL/WL registers are settled */ \
- /*break;*/ \
+ if(SbeRegAccess::theSbeRegAccess().disableScomFiltering()) \
+ { \
+ /* security override possible && scom filtering disabled */ \
+ resp->setStatus(SBE_PRI_UNSECURE_ACCESS_DENIED, \
+ SBE_SEC_BLACKLISTED_REG_ACCESS); \
+ } \
+ else \
+ { \
+ resp->setStatus(SBE_PRI_UNSECURE_ACCESS_DENIED, \
+ SBE_SEC_BLACKLISTED_REG_ACCESS_BLOCKED); \
+ break; \
+ } \
 }
 #define mfdec() \
diff --git a/src/test/testcases/test.xml b/src/test/testcases/test.xml
index 31ab3cf4..8cc9842e 100755
--- a/src/test/testcases/test.xml
+++ b/src/test/testcases/test.xml
@@ -5,7 +5,7 @@
-
+
@@ -33,6 +33,7 @@
 ../simics/targets/p9_nimbus/sbeTest/testPSUSetStashPair.xml
 ../simics/targets/p9_nimbus/sbeTest/testIstep.xml
 ../simics/targets/p9_nimbus/sbeTest/testSuspendIO.xml
+ ../simics/targets/p9_nimbus/sbeTest/testSecurity.xml
 ../simics/targets/p9_nimbus/sbeTest/testGeneric.xml
 ../simics/targets/p9_nimbus/sbeTest/testUnsecureMemRegions.xml
diff --git a/src/test/testcases/testSecurity.py b/src/test/testcases/testSecurity.py
index 2157cadb..1efda516 100644
--- a/src/test/testcases/testSecurity.py
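Review bot: The new `iv_disableScomFiltering` bit in the `iv_mbx3` layout relaxes a security control but carries no comment, so a later edit to the neighbouring don't-care fields could shift it without anyone noticing. A one-line comment on the field would help, for example `// Request to bypass scom black/whitelist filtering; honoured only when ATTR_SECURITY_MODE reads 0`. The bit position it is expected to occupy could be stated too, but that has to come from the register definition, which is not visible here. The enclosing struct starts outside the hunk.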
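Review bot: In the override branch of `CHECK_SBE_SECURITY_RC_AND_BREAK_IF_NOT_SUCCESS` the response is set to `SBE_PRI_UNSECURE_ACCESS_DENIED` / `SBE_SEC_BLACKLISTED_REG_ACCESS` but there is no `break`, so the access to a non-allowed address goes ahead. Whether the caller later overwrites that status is outside the hunk, so either the requester is told the access was denied although it was performed, or the bypass leaves no record at all. Emitting a trace in that branch would make every use of the override auditable. The retained TODO now sits directly above the new `if` and still reads as though blocking were switched off; it should be dropped or reworded, e.g. `/* Block unless scom filtering is disabled and security mode is off */ \`.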
+++ b/src/test/testcases/testSecurity.py
@@ -5,7 +5,7 @@
 #
 # OpenPOWER sbe Project
 #
-# Contributors Listed Below - COPYRIGHT 2017
+# Contributors Listed Below - COPYRIGHT 2017,2018
 # [+] International Business Machines Corp.
 #
 #
@@ -94,7 +94,7 @@ def main():
 testScomUtil.getscom(0x0204001A)
 print "getscom success testcase - passed"
 # getscom failure
- testScomUtil.getscom(eval(BLACKLISTED_REG_FOR_READ_TEST), [0x00, 0x05, 0x00, 0x0B])
+ testScomUtil.getscom(eval(BLACKLISTED_REG_FOR_READ_TEST), [0x00, 0x05, 0x00, 0x23])
 print "getscom failure testcase - passed"
 # putscom success
 testScomUtil.putscom(eval(WHITELISTED_REG_FOR_WRITE_TEST), testScomUtil.getscom(eval(WHITELISTED_REG_FOR_WRITE_TEST)))
@@ -103,8 +103,9 @@ def main():
 while(True):
 random_addr = struct.unpack('>L', os.urandom(4))[0]
 if random_addr not in [eval(a) for a in whitelist]:
- if not ((random_addr & 0x80000000) or (random_addr & 0x00F00000)):
- testScomUtil.putscom(random_addr, 0, [0x00, 0x05, 0x00, 0x0B])
- break
+ if not ((random_addr & 0x80000000) or (random_addr & 0x00F00000)):
+ testScomUtil.putscom(random_addr, 0, [0x00, 0x05, 0x00, 0x23])
+ break
 print "putscom failure testcase - passed"
 # modify scom success
 dataWritten = testScomUtil.getscom(0x00040006)
-- cgit v1.2.1
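Review bot: Both updated expectations (the `0x23` status in the getscom failure case and in the putscom failure loop) cover only the blocked path; nothing visible here exercises the branch where the disable-scom-filtering bit is set. A case asserting the status returned with the bit set, and another showing the bit is ignored when security mode is on, would pin down the override this commit introduces, provided the test setup can drive that bit. The new filter `if not ((random_addr & 0x80000000) or (random_addr & 0x00F00000)):` also uses two unexplained masks; a short comment naming the address ranges they exclude, and why those would not yield the expected status, would let a reader judge whether the random sample is still representative. `main()` continues outside these hunks.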