Disable Ring Overrides in Secure Mode

This commit disables ring overrides during the IPL and at Runtime when the system has security enabled. Change-Id: Ic3b0db92994a61d4ba6e28858bcd6fde59be6a23 RTC: 163094 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/40818 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Marshall J. Wilks <mjwilks@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
open-power · Jun 8, 2017 · 4c586e2 · 4c586e2
1 parent 72a32a1
commit 4c586e2
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 16 deletions.
diff --git a/src/usr/isteps/pm/pm_common.C b/src/usr/isteps/pm/pm_common.C
@@ -1056,23 +1056,15 @@ namespace HBPM
             break;
 #endif
 
-            // No overrides in secure mode
-            if( SECUREBOOT::enabled() )
-            {
-                TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace,
-                           INFO_MRK"getRingOvd(): No overrides in secure mode");
-                break;
-            }
-
             PNOR::SectionInfo_t l_pnorRingOvd;
             l_err = PNOR::getSectionInfo(PNOR::RINGOVD, l_pnorRingOvd);
             if(l_err)
             {
                 delete l_err;
                 l_err = NULL;
                 TRACFCOMP( ISTEPS_TRACE::g_trac_isteps_trace,
-                           INFO_MRK"getRingOvd(): RINGOVD section not found, "
-                           "it is optional");
+                           INFO_MRK"getRingOvd(): RINGOVD section not found or "
+                           "is blocked in secure mode. it is optional");
                 break;
             }
             if(l_pnorRingOvd.size == 0)

diff --git a/src/usr/pnor/pnor_common.C b/src/usr/pnor/pnor_common.C
@@ -387,7 +387,8 @@ bool PNOR::isInhibitedSection(const uint32_t i_section)
 {
 #ifdef CONFIG_SECUREBOOT
     return (i_section == ATTR_PERM ||
-            i_section == ATTR_TMP) &&
+            i_section == ATTR_TMP  ||
+            i_section == RINGOVD ) &&
             SECUREBOOT::enabled();
 #else
     return false;

diff --git a/src/usr/pnor/pnorrp.C b/src/usr/pnor/pnorrp.C
@@ -509,17 +509,17 @@ errlHndl_t PnorRP::getSectionInfo( PNOR::SectionId i_section,
             || l_inhibited
         )
         {
-            TRACFCOMP( g_trac_pnor, "PnorRP::getSectionInfo> Invalid Section Requested : i_section=%d", i_section );
+            TRACFCOMP( g_trac_pnor, "PnorRP::getSectionInfo> Invalid Section Requested : i_section=%d (%s)", i_section, SectionIdToString(id));
             #ifdef CONFIG_SECUREBOOT
             if (l_inhibited)
             {
                 TRACFCOMP( g_trac_pnor, "PnorRP::getSectionInfo> "
-                "attribute override inhibited by secureboot");
+                "attribute overrides inhibited by secureboot");
             }
             #endif
             uint64_t size = iv_TOC[i_section].size;
-            TRACFCOMP(g_trac_pnor, "o_info={ id=%d, size=%d }",
-                             iv_TOC[i_section].id, size );
+            TRACFCOMP(g_trac_pnor, "o_info={ id=%d, size=%d , name=%s}",
+                             iv_TOC[i_section].id, size, SectionIdToString(id) );
             /*@
              * @errortype
              * @moduleid         PNOR::MOD_PNORRP_GETSECTIONINFO

diff --git a/src/usr/pnor/test/pnorrptest.H b/src/usr/pnor/test/pnorrptest.H
@@ -41,6 +41,7 @@
 #include <sys/mm.h>
 #include <targeting/common/targetservice.H>
 #include <devicefw/userif.H>
+#include <config.h>
 #include <pnor/ecc.H>
 #include "../pnorrp.H"
 #include "../pnor_common.H"
@@ -78,7 +79,18 @@ class PnorRpTest : public CxxTest::TestSuite
 
         for( uint64_t idx = 0; idx < numSections; idx++)
         {
+            // RINGOVD is not supported when secureboot is enabled, but rather
+            // than looking for the expected fail like non-test code does, just
+            // skip testing RINGOVD in this scenario
+            if ( ( testSections[idx] == PNOR::RINGOVD ) &&
+                 ( SECUREBOOT::enabled() ) )
+            {
+                TRACFCOMP(g_trac_pnor, "PnorRpTest::test_sectionInfo> Skipping RINGOVD since Security is enabled");
+                continue;
+            }
+
             total++;
+
             errhdl = PNOR::getSectionInfo( testSections[idx], info );
             if( errhdl )
             {

diff --git a/src/usr/sbe/sbe_update.C b/src/usr/sbe/sbe_update.C
@@ -896,14 +896,16 @@ namespace SBE
         PNOR::SectionInfo_t l_pnorRingOvd;
 
         do {
+
             l_err = PNOR::getSectionInfo(PNOR::RINGOVD, l_pnorRingOvd);
             if(l_err)
             {
                 delete l_err;
                 l_err = NULL;
                 TRACFCOMP( g_trac_sbe,
                            ERR_MRK"ringOvd():Error trying to read RINGOVD "
-                           "from PNOR.  It is optional, continuing");
+                           "from PNOR. Could be blocked in secure mode. "
+                           "It is optional, continuing");
                 io_ovdImgSize = 0;
                 break;
             }