Disable Attribute Overrides in Secure Mode
This commit disables attribute overrides during the IPL and at Runtime
when the system has security enabled.

Change-Id: Ia56b11fc1450c8e11be27c90c0de179038273873
RTC: 163094
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/40735
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
mabaiocchi authored and dcrowell77 committed Jun 7, 2017
1 parent 449f2ba commit 94eff06
Showing 6 changed files with 156 additions and 56 deletions.
3 changes: 1 addition & 2 deletions src/include/usr/secureboot/service.H
Expand Up @@ -83,12 +83,11 @@ namespace SECUREBOOT

/** @brief Determines if Secureboot is enabled.
*/
#if defined(CONFIG_SECUREBOOT) && !defined(__HOSTBOOT_RUNTIME)
#if defined(CONFIG_SECUREBOOT)
bool enabled();
#else
inline bool enabled() { return false; };
#endif
//@fixme-RTC:163094-Remove RUNTIME check once the code is there

/** @brief Get security switch register value
* @par Detailed Description:
4 changes: 3 additions & 1 deletion src/include/usr/targeting/common/targreasoncodes.H
Expand Up @@ -5,7 +5,7 @@
/* */
/* OpenPOWER HostBoot Project */
/* */
/* Contributors Listed Below - COPYRIGHT 2012,2016 */
/* Contributors Listed Below - COPYRIGHT 2012,2017 */
/* [+] International Business Machines Corp. */
/* */
/* */
Expand Down Expand Up @@ -47,6 +47,7 @@ enum TargetingModuleId
TARG_PARSE_ATTR_SECT_HEADER = 0x07,
TARG_MSG_SERVICE_TASK = 0x08,
TARG_CREATE_VMM_SECTIONS = 0x09,
TARG_APPLY_ATTR_OVER = 0x0A,
};

enum TargetingReasonCode
Expand All @@ -70,6 +71,7 @@ enum TargetingReasonCode
TARG_RC_WRITE_ATTR_OVER_WRONG_PNOR_SEC = TARG_COMP_ID | 0x11,
TARG_RC_WRITE_ATTR_OVER_NO_TANK_LAYER = TARG_COMP_ID | 0x12,
TARG_RC_MM_BLOCK_MAP_FAIL = TARG_COMP_ID | 0x13,
TARG_RC_APPLY_ATTR_OVER_NOT_ALLOWED = TARG_COMP_ID | 0x14,
};

}; // End TARGETING namespace
8 changes: 3 additions & 5 deletions src/usr/pnor/pnor_common.C
Expand Up @@ -385,12 +385,10 @@ errlHndl_t PNOR::extendHash(uint64_t i_addr,

bool PNOR::isInhibitedSection(const uint32_t i_section)
{
// TODO securebootp9 for now we won't be inhibiting overrides
#ifdef CONFIG_SECUREBOOT
// return (i_section == ATTR_PERM ||
// i_section == ATTR_TMP) &&
// SECUREBOOT::enabled();
return false;
return (i_section == ATTR_PERM ||
i_section == ATTR_TMP) &&
SECUREBOOT::enabled();
#else
return false;
#endif
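Review bot: isInhibitedSection now hands the inhibit decision to SECUREBOOT::enabled(), whose runtime definition in this commit reads the security switch register on every call and answers false when that read fails, and nothing in this hunk records that the inhibit result inherits that behaviour. A comment above the return would spare the next reader a trip through two other files: `// Overrides are inhibited only while secureboot is enabled; the section test comes first so the SECUREBOOT::enabled() register read is skipped for every other section.` The closing brace of isInhibitedSection lies outside the hunk.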
46 changes: 30 additions & 16 deletions src/usr/pnor/runtime/rt_pnor.C
Expand Up @@ -40,6 +40,7 @@
#include <util/align.H>
#include <runtime/customize_attrs_for_payload.H>
#include <securerom/ROM.H>
#include <config.h>

// Trace definition
extern trace_desc_t* g_trac_pnor;
Expand Down Expand Up @@ -109,9 +110,9 @@ void PNOR::getPnorInfo( PnorInfo_t& o_pnorInfo )
o_pnorInfo.mmioOffset = LPC_SFC_MMIO_OFFSET | LPC_FW_SPACE;

//Using sys target
TARGETING::Target* sys = NULL;
TARGETING::Target* sys = nullptr;
TARGETING::targetService().getTopLevelTarget( sys );
assert(sys != NULL);
assert(sys != nullptr);

o_pnorInfo.norWorkarounds = sys->getAttr<
TARGETING::ATTR_PNOR_FLASH_WORKAROUNDS>();
Expand Down Expand Up @@ -154,24 +155,37 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section,
PNOR::SectionInfo_t& o_info)
{
TRACFCOMP(g_trac_pnor, ENTER_MRK"RtPnor::getSectionInfo");
errlHndl_t l_err = NULL;
errlHndl_t l_err = nullptr;
do
{
if (i_section == PNOR::INVALID_SECTION)
bool l_inhibited = false;
#ifdef CONFIG_SECUREBOOT
l_inhibited = PNOR::isInhibitedSection(i_section);
#endif
if (i_section == PNOR::INVALID_SECTION || l_inhibited)
{
TRACFCOMP(g_trac_pnor, "RtPnor::getSectionInfo: Invalid Section"
" %d", (int)i_section);
#ifdef CONFIG_SECUREBOOT
if (l_inhibited)
{
TRACFCOMP(g_trac_pnor, "RtPnor::getSectionInfo: "
"attribute overrides inhibited by secureboot");
}
#endif
/*@
* @errortype
* @moduleid PNOR::MOD_RTPNOR_GETSECTIONINFO
* @reasoncode PNOR::RC_RTPNOR_INVALID_SECTION
* @userdata1 PNOR::SectionId
* @devdesc invalid section passed to getSectionInfo
* @userdata2 Inhibited by secureboot
* @devdesc invalid section passed to getSectionInfo or
* section prohibited by secureboot
*/
l_err = new ERRORLOG::ErrlEntry(ERRORLOG::ERRL_SEV_UNRECOVERABLE,
PNOR::MOD_RTPNOR_GETSECTIONINFO,
PNOR::RC_RTPNOR_INVALID_SECTION,
i_section, 0,true);
i_section, l_inhibited, true);
break;
}

Expand Down Expand Up @@ -199,8 +213,8 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section,
bool l_ecc = (iv_TOC[i_section].integrity&FFS_INTEG_ECC_PROTECT) ?
true : false;

void* l_pWorking = NULL;
void* l_pClean = NULL;
void* l_pWorking = nullptr;
void* l_pClean = nullptr;

//find the section in the map first
if(iv_pnorMap.find(i_section) != iv_pnorMap.end())
Expand Down Expand Up @@ -263,7 +277,7 @@ errlHndl_t RtPnor::getSectionInfo(PNOR::SectionId i_section,
errlHndl_t RtPnor::flush( PNOR::SectionId i_section)
{
TRACFCOMP(g_trac_pnor, ENTER_MRK"RtPnor::flush");
errlHndl_t l_err = NULL;
errlHndl_t l_err = nullptr;
do
{
if (i_section == PNOR::INVALID_SECTION)
Expand Down Expand Up @@ -388,8 +402,8 @@ errlHndl_t RtPnor::readFromDevice (uint64_t i_procId,
TRACFCOMP(g_trac_pnor, ENTER_MRK"RtPnor::readFromDevice: i_offset=0x%X, "
"i_procId=%d sec=%d size=0x%X ecc=%d", i_offset, i_procId, i_section,
i_size, i_ecc);
errlHndl_t l_err = NULL;
uint8_t* l_eccBuffer = NULL;
errlHndl_t l_err = nullptr;
uint8_t* l_eccBuffer = nullptr;
do
{

Expand Down Expand Up @@ -587,8 +601,8 @@ errlHndl_t RtPnor::writeToDevice( uint64_t i_procId,
TRACFCOMP(g_trac_pnor, ENTER_MRK"RtPnor::writeToDevice: i_offset=0x%X, "
"i_procId=%d sec=%d size=0x%X ecc=%d", i_offset, i_procId, i_section,
i_size, i_ecc);
errlHndl_t l_err = NULL;
uint8_t* l_eccBuffer = NULL;
errlHndl_t l_err = nullptr;
uint8_t* l_eccBuffer = nullptr;

do
{
Expand Down Expand Up @@ -804,7 +818,7 @@ RtPnor& RtPnor::getInstance()
errlHndl_t RtPnor::getSideInfo( PNOR::SideId i_side,
PNOR::SideInfo_t& o_info)
{
errlHndl_t l_err = NULL;
errlHndl_t l_err = nullptr;

do {
// We only support the working side at runtime
Expand Down Expand Up @@ -850,10 +864,10 @@ errlHndl_t RtPnor::getSideInfo( PNOR::SideId i_side,
errlHndl_t RtPnor::clearSection(PNOR::SectionId i_section)
{
TRACFCOMP(g_trac_pnor, "RtPnor::clearSection Section id = %d", i_section);
errlHndl_t l_errl = NULL;
errlHndl_t l_errl = nullptr;
const uint64_t CLEAR_BYTE = 0xFF;
uint8_t* l_buf = new uint8_t[PAGESIZE]();
uint8_t* l_eccBuf = NULL;
uint8_t* l_eccBuf = nullptr;

do
{
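Review bot: The "Invalid Section" trace in getSectionInfo also fires for an inhibited section, because the merged condition `if (i_section == PNOR::INVALID_SECTION || l_inhibited)` reaches that TRACFCOMP before the secureboot-specific one, so a perfectly valid ATTR_TMP request is logged as invalid in secure mode. Guarding it with `if (!l_inhibited)` ahead of the existing trace keeps the two causes distinct in the trace, matching the split the error log already records through userdata2. The `#ifdef CONFIG_SECUREBOOT` around `l_inhibited = PNOR::isInhibitedSection(i_section);` repeats the guard that isInhibitedSection carries internally in pnor_common.C (it returns false without CONFIG_SECUREBOOT), so the block could be a plain assignment. The body of getSectionInfo continues beyond this hunk.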
52 changes: 52 additions & 0 deletions src/usr/secureboot/runtime/rt_secureboot.C
Expand Up @@ -32,9 +32,60 @@
#include <config.h>

#include "common/securetrace.H"
#include <secureboot/service.H>
#include <secureboot/secure_reasoncodes.H>

#include <errl/errlmanager.H>
#include <runtime/rt_targeting.H>
#include <targeting/common/commontargeting.H>
#include <targeting/common/targetservice.H>
#include <devicefw/userif.H>


namespace SECUREBOOT
{
using namespace TARGETING;

#if defined(CONFIG_SECUREBOOT) && defined(__HOSTBOOT_RUNTIME)
bool enabled()
{
errlHndl_t l_errl = nullptr;
uint64_t l_regValue = 0;
size_t l_size = sizeof(l_regValue);

TargetService& tS = targetService();
Target* masterProcChipTargetHandle = nullptr;

do
{
l_errl = tS.queryMasterProcChipTargetHandle(
masterProcChipTargetHandle);

if (l_errl)
{
errlCommit(l_errl, SECURE_COMP_ID);
break;
}

l_errl = deviceRead(masterProcChipTargetHandle,
&l_regValue, l_size,
DEVICE_SCOM_ADDRESS(
static_cast<uint64_t>(ProcSecurity::SwitchRegister)));
if (l_errl)
{
errlCommit(l_errl, SECURE_COMP_ID);
break;
}

assert(l_size == sizeof(l_regValue));
} while (0);

// if there was an error l_regValue is zero, so we return false.
// Unfortunately this is all we can do. These shouldn't fail.

return l_regValue & static_cast<uint64_t>(ProcSecurity::SabBit);
}
#endif

int verify_container(
const void* i_pContainer,
Expand All @@ -59,6 +110,7 @@ int verify_container(
return rc;
}


struct registerSecurebootRt
{
registerSecurebootRt()
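Review bot: The runtime enabled() fails open: when queryMasterProcChipTargetHandle or deviceRead returns an error, l_regValue stays 0 and the function reports secureboot as disabled, and the callers introduced in this commit (apply_attr_override, isInhibitedSection) treat that answer as permission to apply attribute overrides. The error log is committed, but the decision still lands on the permissive side, so a transient SCOM read problem opens the override path that this commit exists to close. For this caller set, remembering the failure and reporting enabled when the register could not be read keeps the check from relaxing because of an I/O problem; whether other runtime users of enabled() can live with a fail-closed answer is not visible here and should be checked before adopting the change below. The function is complete within the hunk.
```cpp
    bool l_readFailed = false;   // fail closed: an unreadable switch register counts as secure
    // … unchanged: master proc chip target lookup and deviceRead of the switch register …
        if (l_errl)
        {
            errlCommit(l_errl, SECURE_COMP_ID);
            l_readFailed = true;   // same line added in both error branches
            break;
        }
    // … unchanged: size assert, end of do/while …

    // A failed read is reported as "enabled" so that no secureboot check
    // becomes more permissive because the register could not be read.
    return l_readFailed ||
           (l_regValue & static_cast<uint64_t>(ProcSecurity::SabBit)) != 0;
```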
99 changes: 67 additions & 32 deletions src/usr/targeting/runtime/attrPlatOverride_rt.C
Expand Up @@ -31,6 +31,10 @@
#include <targeting/common/trace.H>
#include <errl/errlmanager.H>
#include <initservice/initserviceif.H>
#include <config.h>
#include <secureboot/service.H>
#include <targeting/common/targreasoncodes.H>
#include <devicefw/userif.H>

using namespace TARGETING;

Expand All @@ -45,45 +49,76 @@ int apply_attr_override(uint8_t* i_data,

TRACFCOMP(g_trac_targeting, "enter apply_attr_override");

// Clear fapi and targeting attribute override tanks. The tanks are
// expected to be empty. The passed overrides are added, not updated
// in place.
AttributeTank * l_pAttributeTank =
&fapi2::theAttrOverrideSync().iv_overrideTank;
if ((*l_pAttributeTank).attributesExist())
{
TRACFCOMP(g_trac_targeting, "apply_attr_override:"
" clear FAPI attribute overrides");
(*l_pAttributeTank).clearAllAttributes();
}
l_pAttributeTank = &Target::theTargOverrideAttrTank();
if ((*l_pAttributeTank).attributesExist())
{
TRACFCOMP(g_trac_targeting, "apply_attr_override:"
" clear targeting attribute overrides");
(*l_pAttributeTank).clearAllAttributes();
}
bool l_allowOverrides = true;

// Pass attribute override blob as a pnor section
PNOR::SectionInfo_t l_sectionInfo;
l_sectionInfo.vaddr = (uint64_t)i_data;
l_sectionInfo.size = i_size;
l_sectionInfo.id = PNOR::ATTR_TMP;
l_sectionInfo.name = "Runtime TMP";
#ifdef CONFIG_SECUREBOOT
l_allowOverrides = !SECUREBOOT::enabled();
#endif

// Process attribute overrides
l_errl = TARGETING::getAttrOverrides(l_sectionInfo);
if (l_errl)
if (l_allowOverrides)
{
TRACFCOMP(g_trac_targeting, "apply_attr_override:"
" getAttrOverrides failed");
errlCommit(l_errl, TARG_COMP_ID);
rc = -1;
// Clear fapi and targeting attribute override tanks. The tanks are
// expected to be empty. The passed overrides are added, not updated
// in place.
AttributeTank * l_pAttributeTank =
&fapi2::theAttrOverrideSync().iv_overrideTank;
if ((*l_pAttributeTank).attributesExist())
{
TRACFCOMP(g_trac_targeting, "apply_attr_override:"
" clear FAPI attribute overrides");
(*l_pAttributeTank).clearAllAttributes();
}
l_pAttributeTank = &Target::theTargOverrideAttrTank();
if ((*l_pAttributeTank).attributesExist())
{
TRACFCOMP(g_trac_targeting, "apply_attr_override:"
" clear targeting attribute overrides");
(*l_pAttributeTank).clearAllAttributes();
}

// Pass attribute override blob as a pnor section
PNOR::SectionInfo_t l_sectionInfo;
l_sectionInfo.vaddr = (uint64_t)i_data;
l_sectionInfo.size = i_size;
l_sectionInfo.id = PNOR::ATTR_TMP;
l_sectionInfo.name = "Runtime TMP";

// Process attribute overrides
l_errl = TARGETING::getAttrOverrides(l_sectionInfo);
if (l_errl)
{
TRACFCOMP(g_trac_targeting, "apply_attr_override:"
" getAttrOverrides failed");
errlCommit(l_errl, TARG_COMP_ID);
rc = -1;
}
}
else
{
TRACFCOMP(g_trac_targeting, "apply_attr_override succeed");
#ifdef CONFIG_SECUREBOOT
TRACFCOMP(g_trac_targeting, "apply_attr_override: skipping override"
" due to SECUREBOOT enablement");

/* @
* @errortype
* @moduleid TARG_APPLY_ATTR_OVER
* @reasoncode TARG_RC_APPLY_ATTR_OVER_NOT_ALLOWED
* @devdesc PnorRP::getSectionInfo> Skipping attribute override
* because of secureboot enablement
* @custdesc Attributes overrides are not allowed in secure mode.
*/
l_errl = new ERRORLOG::ErrlEntry(ERRORLOG::ERRL_SEV_INFORMATIONAL,
TARG_APPLY_ATTR_OVER,
TARG_RC_APPLY_ATTR_OVER_NOT_ALLOWED,
0,
0,
true /* Add HB SW Callout */);
l_errl->collectTrace(TARG_COMP_NAME);
errlCommit(l_errl, TARG_COMP_ID);
rc = -1;
#endif
}

return rc;
}

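Review bot: The @devdesc on the new informational log names the wrong function: `@devdesc PnorRP::getSectionInfo> Skipping attribute override` sits inside apply_attr_override, so the generated error-log description would send readers to PNOR; it should read `@devdesc apply_attr_override> Skipping attribute override because of secureboot enablement`. The entry is filed at ERRL_SEV_INFORMATIONAL yet carries a HB SW callout and makes the function return rc = -1, which the caller will read as a failure although skipping overrides is the intended policy in secure mode; either the severity or the return code looks mismatched, depending on what the runtime host does with -1, which is not visible here. The comment opener is written `/* @` in this hunk but `/*@` in the rt_pnor.C hunk; if the error-log tooling keys on the latter form this entry may not be collected, which is worth confirming. `<devicefw/userif.H>` is newly included but nothing in this hunk uses it, so unless the rest of the file does it can go. The start of apply_attr_override, including the declarations of rc and l_errl, is outside the hunk.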
