From 5d80e1109dd59bbf00f5fd58dc5e7a960cac6346 Mon Sep 17 00:00:00 2001 From: Sachin Gupta Date: Fri, 15 Jun 2018 06:25:01 -0500 Subject: Support for greylist In this commit support is added to parse bit mask and create data structure in sbe. Change-Id: Ia7a532de138dbd879d2bf5d54ce5d315884d0469 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/60761 Tested-by: Jenkins Server Tested-by: FSP CI Jenkins Reviewed-by: RAJA DAS Reviewed-by: Shakeeb A. Pasha B K Reviewed-by: Sachin Gupta (cherry picked from commit a2139de912b1513f0a1f0c5967aa1e6b413961b2) Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/60675 --- src/build/security/securityRegListGen.py | 64 ++++++++++++++++++++++++++++++-- src/sbefw/core/sbeSecurity.C | 27 +++++++++++++- src/sbefw/core/sbeSecurity.H | 13 +++++++ 3 files changed, 100 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/build/security/securityRegListGen.py b/src/build/security/securityRegListGen.py index 75316b21..e25c8e74 100644 --- a/src/build/security/securityRegListGen.py +++ b/src/build/security/securityRegListGen.py @@ -44,8 +44,10 @@ TAG_CHIPLET = 'Chiplet' TAG_CHIPLET_RANGE = 'Chiplet Id - range' TAG_VERSION = 'Version' TAG_TYPE = 'Type' +TAG_BIT_MASK = 'Bit Mask' TAG_NAME_WHITELIST = 'write_whitelist' +TAG_NAME_GREYLIST = 'write_greylist' TAG_NAME_BLACKLIST = 'read_blacklist' def usage(): @@ -84,7 +86,7 @@ def remove_zeroes(list): out_list += [a] return out_list -def gen_file(whitelist_tables, blacklist_tables): +def gen_file(whitelist_tables, blacklist_tables, greyList): global GEN_FILE header = ("#ifndef __SBE_SECURITY_GEN_H\n"+ 
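Review bot: The new third parameter of gen_file is spelled `greyList`, while every other name in this file — including the `greylist` local that main passes in later in the patch — is snake_case; `def gen_file(whitelist_tables, blacklist_tables, greylist):` would keep the signature consistent. It is also the only one of the three arguments that receives the raw list rather than a `get_tables(...)` result, which is fine but worth stating, e.g. `# greylist: list of (address, mask) tuples, not a table set` on the line after the def. gen_file's body continues past this hunk.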
@@ -174,6 +176,32 @@ namespace """+namespace+""" } }""") + greylist_addr_type = "uint32_t" + greylist_mask_type = "uint64_t" + body += (""" +namespace GREYLIST +{ + /* + table 1: + Address = 4 byte + Mask = 8 byte + */ + map_t< """+greylist_addr_type+""", """+greylist_mask_type+""" > _t1[] = { +"""+s_greylist_table_gen(greyList)+""" + }; + + table< map_t< """+greylist_addr_type+""", """+greylist_mask_type+""" > > t1 = + {sizeof(_t1)/sizeof(map_t< """+greylist_addr_type+""", """+greylist_mask_type+""" >), + 0xFFFFFFFF, + _t1}; + + bool isPresent(uint32_t i_addr, uint64_t i_mask) + { + return SBE_SECURITY::_is_present + < """+greylist_addr_type+""", """+greylist_mask_type+"""> + (t1, i_addr, i_mask); + } +}""") footer = "\n#endif //__SBE_SECURITY_GEN_H" with open(GEN_FILE, 'w') as o_f: @@ -498,7 +526,18 @@ def s_table3_gen(id, table): print str_table3 return str_table3 +def s_greylist_table_gen( greyList): + # write greylist string + str_table = "" + for ele in greyList: + str_table += '{0x%08x, 0x%016xull}, ' % (ele[0], ele[1]) + str_table = str_table[:-1] + if(VERBOSE): + print " greylist table" + print str_table + return str_table def main(argv): + try: opts, args = getopt.getopt(sys.argv[1:], "f:o:wbidvhW:B:", @@ -547,6 +586,7 @@ def main(argv): version = 'unknown' whitelist = [] blacklist = [] + greylist = [] with open(SECURITY_LIST, 'rbU') as f: reader = csv.DictReader(f) for idx, row in enumerate(reader): @@ -561,6 +601,12 @@ def main(argv): base_addr = int(base_addr, 16) if(VERBOSE): print "base["+'0x%08x' % base_addr + "]" + bit_mask = row[TAG_BIT_MASK].strip() + if not bit_mask: + bit_mask = 0 + else: + bit_mask = int( bit_mask.lower().split('0x')[-1], 16) + chiplet_range = row[TAG_CHIPLET_RANGE].split('-') # Empty range field considered as error if(chiplet_range[0] == ''): 
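Review bot: When the CSV contains no write_greylist rows, s_greylist_table_gen returns an empty string and the generated header declares `map_t< uint32_t, uint64_t > _t1[] = { };`, a zero-length array with an empty initializer that ISO C++ rejects and GCC accepts only as an extension. Unless the build guarantees at least one greylist row, gen_file should detect the empty case and handle it deliberately; the least surprising option is an explicit `exit(PRINT_AND_EXIT, "Greylist is empty")` mirroring the existing mask check, with a comment in the generated text if an empty table is instead meant to be legal. I cannot see from this hunk what the `0xFFFFFFFF` member of `table<>` means for a zero-sized table, so that should be confirmed against the struct definition. gen_file's body continues past this hunk.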
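Review bot: `bit_mask = int( bit_mask.lower().split('0x')[-1], 16)` accepts a value of any width, so a mask of 17 or more hex digits passes the later zero/all-ones check and is emitted as `0x%016xull`, a literal wider than the uint64_t table column. Add a bound right after parsing, `if bit_mask > 0xffffffffffffffff: exit(PRINT_AND_EXIT, "Greylist mask wider than 64 bits at row %d" % idx)`, and note that a malformed value currently escapes as a raw ValueError from int() rather than the script's usual exit message, so wrapping that call and reporting through exit(PRINT_AND_EXIT, ...) would match the rest of main. The `split('0x')[-1]` idiom also silently accepts input such as `ff0x12` by keeping only the text after the last `0x`; `int(bit_mask, 16)` already tolerates an optional 0x prefix and is stricter. This hunk is inside main, whose body continues on both sides.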
@@ -581,7 +627,16 @@ def main(argv): expanded_line = get_effective_address(row[TAG_CHIPLET], expanded_line) if(VERBOSE): print s_list_hex("range:", expanded_range, 8) - if(row[TAG_TYPE].strip().lower() == TAG_NAME_WHITELIST): + if(row[TAG_TYPE].strip().lower() == TAG_NAME_GREYLIST): + if(( bit_mask == 0 ) or ( bit_mask == 0xffffffffffffffff)): + exit(PRINT_AND_EXIT, "Wrong mask for Greylist") + greylist_line = expanded_line + if(VERBOSE): + print s_list_hex("greylist_line:", greylist_line, 8) + print "mask:", bit_mask + for ele in greylist_line: + greylist.append((ele, bit_mask)) + elif(row[TAG_TYPE].strip().lower() == TAG_NAME_WHITELIST): whitelist_line = expanded_line if(VERBOSE): print s_list_hex("whitelist_line:", whitelist_line, 8) @@ -602,6 +657,8 @@ def main(argv): blacklist = remove_duplicates(blacklist) blacklist = remove_zeroes(blacklist) blacklist.sort() + greylist = remove_duplicates(greylist) + greylist.sort() if(print_info == 'version'): exit(PRINT_AND_EXIT, "security list version ["+version+"]") @@ -617,6 +674,7 @@ def main(argv): print "security list version ["+version+"]" print "Whitelist len ["+s_list_len(whitelist)+"]" print "Blacklist len ["+s_list_len(blacklist)+"]" + print "Greylist len ["+s_list_len(greylist)+"]" whitelist_tables = get_tables("Whitelist", whitelist) blacklist_tables = get_tables("Blacklist", blacklist) @@ -627,7 +685,7 @@ def main(argv): exit(PRINT_AND_EXIT, "blacklist_table["+str(bt-1)+"]" + str(blacklist_tables[bt-1])) # Generate output file - gen_file(whitelist_tables, blacklist_tables) + gen_file(whitelist_tables, blacklist_tables, greylist) exit(SUCCESS) diff --git a/src/sbefw/core/sbeSecurity.C b/src/sbefw/core/sbeSecurity.C index 3e0090df..af083337 100644 --- a/src/sbefw/core/sbeSecurity.C +++ b/src/sbefw/core/sbeSecurity.C 
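Review bot: The mask is validated only on the write_greylist branch, so a row typed write_whitelist or read_blacklist that carries a non-empty Bit Mask is accepted silently and, for the whitelist case, grants an unmasked write — exactly the data-entry slip a greylist is meant to prevent. A guard in the other branches, e.g. `if bit_mask: exit(PRINT_AND_EXIT, "Bit Mask is only valid for write_greylist rows (row %d)" % idx)`, turns that into a build failure. The existing `"Wrong mask for Greylist"` message would also be easier to act on with the row index appended, since `idx` is already bound by the enumerate loop earlier in main. This hunk is inside main, whose body continues on both sides.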
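Review bot: The greylist is de-duplicated and sorted but, unlike whitelist and blacklist a few lines above, never passed through remove_zeroes, so an address of 0 produced by range expansion would survive into the generated table; `greylist = [(a, m) for a, m in greylist if a != 0]` would restore parity (remove_zeroes itself appears to expect plain addresses rather than tuples, judging from the tail of it visible earlier in the patch). There is also no cross-check between the lists: an address present in both whitelist and greylist carries a mask that is meaningless if the firmware consults the whitelist first, and the lookup order is not visible in this patch. A generation-time guard such as `overlap = set(whitelist) & {a for a, _ in greylist}` followed by `exit(PRINT_AND_EXIT, "address in both whitelist and greylist: " + s_list_hex("", sorted(overlap), 8))` when it is non-empty makes the intended precedence explicit either way. This hunk is inside main, whose body continues on both sides.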
@@ -5,7 +5,8 @@ /* */ /* OpenPOWER sbe Project */ /* */ -/* Contributors Listed Below - COPYRIGHT 2017 */ +/* Contributors Listed Below - COPYRIGHT 2017,2018 */ +/* [+] International Business Machines Corp. */ /* */ /* */ /* Licensed under the Apache License, Version 2.0 (the "License"); */ @@ -139,6 +140,30 @@ bool _is_present(const table< map_t< range_t, M1_U > > &table1, #undef SBE_FUNC } +template +bool _is_present(const table< map_t< T1, T2 > > &table1, + const T1 i_addr, + const T2 i_mask) +{ +#define SBE_FUNC "SBE_SECURITY::_is_present " + SBE_ENTER(SBE_FUNC"Searching address/mask table"); + bool ret = false; + for(size_t i = 0; i < table1.size; i++) + { + // Not using mask in table for search + if((table1.table[i].key == i_addr) && + (( i_mask & (~table1.table[i].value)) == 0 )) + { + SBE_DEBUG(SBE_FUNC" table1:found addr[0x%x] table index[%d]", + i_addr, i); + ret = true; + break; + } + } + SBE_EXIT(SBE_FUNC); + return ret; +#undef SBE_FUNC +} bool isAllowed(const uint32_t i_addr, accessType type) { bool ret = true; diff --git a/src/sbefw/core/sbeSecurity.H b/src/sbefw/core/sbeSecurity.H index f9aa627f..6312aefe 100644 --- a/src/sbefw/core/sbeSecurity.H +++ b/src/sbefw/core/sbeSecurity.H @@ -88,5 +88,18 @@ namespace SBE_SECURITY const table< map_t > &table2, const table< T3 > &table3, const uint32_t i_addr); + + /* @brief _is_present - Look up tables to find if the given + * address with mask is present + * @param[in] table1 - table 1 - map with a range and running count + * @param[in] i_addr - given address to look up + * @param[in] mask - mask to look up + * + * @return - boolean to denote if the address in present + */ + template + bool _is_present(const table< map_t< T1, T2 > > &table1, + const T1 i_addr, + const T2 i_mask); } #endif //__SBE_SECURITY_H -- cgit v1.2.1
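Review bot: The comment `// Not using mask in table for search` contradicts the condition beneath it, which does use the stored mask: `(i_mask & ~table1.table[i].value) == 0` accepts the lookup only when every bit in i_mask is also set in the entry's mask. Replace it with `// Match on address; the write is permitted only if every requested bit lies within the entry's mask` so the subset semantics are stated where a future edit could invert them. Two smaller points: an `i_mask` of 0 matches any listed address, which is probably harmless since no bit is written but deserves a one-line comment if intended, and `SBE_DEBUG(... index[%d]", i_addr, i)` passes a size_t to `%d`, so cast `i` or use an unsigned conversion. The function is complete within the hunk.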
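Review bot: The Doxygen block for the new overload reads as copy-pasted from the range-table variant: `@param[in] table1 - table 1 - map with a range and running count` describes the wrong table (this one maps an address to a permitted write mask), `@param[in] mask` does not match the parameter name `i_mask`, and `@return` says nothing about the mask. Suggested wording: `@param[in] table1 - map of address to permitted write mask`, `@param[in] i_mask - bits the caller intends to write`, and `@return - true if i_addr is in table1 and every bit of i_mask is within that entry's mask`. The enclosing namespace SBE_SECURITY starts before this hunk.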