Support DRTM RIT protection

- Added mailbox scratch register 7 definition
- Added DRTM functions
- Added set/clear security switch register functions
- Added additional security switch bit definitions
- Added secureboot extended library to host DRTM functions
- Inhibited TPM start command in DRTM flow
- Added new config options for DRTM and DRTM RIT protection
- Added new DRTM attribute to indicate if DRTM is active
- Added new DRTM attribute to hold DRTM payload address
- Added new DRTM attribute to initiate DRTM in lieu of loading payload
- Updated target service init to determine DRTM settings
- Updated host start payload step to initiate DRTM if conditions are met
- Updated host MPIPL service to verify DRTM payload and clean up DRTM HW state
- Updated host gard step to verify DRTM HW state
- Rerouted PCR extensions to PCR 17 in DRTM boot
- Use locality 2 for all PCR extensions in DRTM boot
- Inhibit extension logging (for now) in DRTM boot
- Only extend seperator to PCR 17 in DRTM boot

Change-Id: Id52c36c3a64ca002571396d605caa308d9dc0199
RTC: 157140
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/35633
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Timothy R. Block <block@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>

src/include/usr/initservice/mboxRegs.H

@@ -5,7 +5,7 @@
 /*                                                                        */
 /* OpenPOWER HostBoot Project                                             */
 /*                                                                        */
-/* Contributors Listed Below - COPYRIGHT 2015,2016                        */
+/* Contributors Listed Below - COPYRIGHT 2015,2017                        */
 /* [+] International Business Machines Corp.                              */
 /*                                                                        */
 /*                                                                        */
@@ -99,6 +99,16 @@ namespace SPLESS
         } PACKED;
     };
 
+    // Mailbox Scratch Register 7
+    union MboxScratch7_t
+    {
+        uint32_t data32;
+        struct
+        {
+            uint32_t drtmPayloadAddrMb   :32;   //0
+        } PACKED;
+    };
+
     // Mailbox Scratch Register 8
     union MboxScratch8_t
     {

src/include/usr/secureboot/drtm.H

@@ -0,0 +1,156 @@
+/* IBM_PROLOG_BEGIN_TAG                                                   */
+/* This is an automatically generated prolog.                             */
+/*                                                                        */
+/* $Source: src/include/usr/secureboot/drtm.H $                           */
+/*                                                                        */
+/* OpenPOWER HostBoot Project                                             */
+/*                                                                        */
+/* Contributors Listed Below - COPYRIGHT 2013,2017                        */
+/* [+] International Business Machines Corp.                              */
+/*                                                                        */
+/*                                                                        */
+/* Licensed under the Apache License, Version 2.0 (the "License");        */
+/* you may not use this file except in compliance with the License.       */
+/* You may obtain a copy of the License at                                */
+/*                                                                        */
+/*     http://www.apache.org/licenses/LICENSE-2.0                         */
+/*                                                                        */
+/* Unless required by applicable law or agreed to in writing, software    */
+/* distributed under the License is distributed on an "AS IS" BASIS,      */
+/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or        */
+/* implied. See the License for the specific language governing           */
+/* permissions and limitations under the License.                         */
+/*                                                                        */
+/* IBM_PROLOG_END_TAG                                                     */
+
+#ifndef __SECUREBOOT_DRTM_H
+#define __SECUREBOOT_DRTM_H
+
+#include <initservice/mboxRegs.H>
+#include <config.h>
+#include <errl/errlentry.H>
+#include <errl/errlmanager.H>
+#include <vector>
+#include <secureboot/settings.H>
+#include <targeting/common/targetservice.H>
+
+namespace SECUREBOOT
+{
+
+namespace DRTM
+{
+
+/**
+ *  @brief Determine HW DRTM state and cache for code to use
+ *
+ *  @par Detailed Description:
+ *      Reads DRTM related scratch registers, attributes, and proc chip security
+ *      settings to determine the DRTM state, and caches DRTM settings in
+ *      attributes for use by the code.  It will return an error log if a DRTM
+ *      consistency violation is detected.
+ *
+ *  @param[in] i_scratchReg7 Value of scratch register 7
+ *  @param[in] i_scratchReg8 Value of scratch register 8
+ *
+ *  @return errHndl_t Error log handle indicating success or failure
+ *  @retval nullptr Discovered/configured DRTM state successfully
+ *  @retval !nullptr Error log providing failure details
+ */
+errlHndl_t discoverDrtmState(
+    const INITSERVICE::SPLESS::MboxScratch7_t& i_scratchReg7,
+    const INITSERVICE::SPLESS::MboxScratch8_t& i_scratchReg8);
+
+/**
+ *  @brief Returns whether this is a DRTM MPIPL or not
+ *
+ *  @param[out] o_isDrtmMpipl Returns whether this is a DRTM MPIPL or not
+ */
+void isDrtmMpipl(bool& o_isDrtmMpipl);
+
+/**
+ *  @brief Determines whether DRTM HW settings are consistent across all
+ *      processors in a node
+ *
+ *  @par Detailed Description:
+ *      Ensures that, when coming up in a DRTM MPIPL, the L4A, LQA, and SUL bits
+ *      are set + LLP and LLS are clear in the processor security register for
+ *      all processors in a node. If this is not the case, it returns an error
+ *      log. Must only be called after FSI path is established and presence
+ *      detect has been confirmed.
+ *
+ *  @return errHndl_t Error log handle indicating success or failure
+ *  @retval nullptr All processors in node have correct DRTM HW signature
+ *  @retval !nullptr Error log providing failure details
+ */
+errlHndl_t validateDrtmHwSignature();
+
+/**
+ *  @brief Validates and extends the DRTM payload
+ *
+ *  @par Detailed Description:
+ *      When coming up in a DRTM MPIPL, locates the DRTM payload preserved in
+ *      memory, validates its secure signature, and extends its measurement to
+ *      TPM dynamic PCR range / dynamic log.
+ *
+ *  @return errHndl_t Error log handle indicating success or failure
+ *  @retval nullptr Validated/extended the DRTM payload
+ *  @retval !nullptr Error log providing failure details
+ */
+errlHndl_t validateDrtmPayload();
+
+/**
+ *  @brief Completes the DRTM sequence
+ *
+ *  @par Detailed Description:
+ *      Completes the DRTM sequence by clearing the LQA and L4A security switch
+ *      register bits on all the functional processors
+ *
+ *  @return errHndl_t Error log handle indicating success or failure
+ *  @retval nullptr Completed DRTM HW sequencing
+ *  @retval !nullptr Error log providing failure details
+ */
+errlHndl_t completeDrtm();
+
+#ifdef CONFIG_DRTM_TRIGGERING
+/**
+ *  @brief Initiates a DRTM sequence
+ *
+ *  @par Detailed Description:
+ *      Initiates a DRTM sequence.  This pins the task running this code to the
+ *      master processor and sets the LLP bit (for master proc chip) and LLS bit
+ *      (for non-masters) on every processor, setting the LL bit for the
+ *      processor this task is running on last, so that it doesn't get clobbered
+ *      by the SBE core quiesce logic.  It also sets up the master processor
+ *      scratch registers to indicate presence and address of the DRTM payload.
+ *      If successful, the function will never return becaue the core it's
+ *      running on will be quiesced by SBE.
+ *
+ *  @note: Only valid for RIT protection
+ *
+ *  @return errHndl_t Error log handle indicating success or failure
+ *  @retval nullptr Not possible; on success the function never returns.
+ *  @retval !nullptr Error log providing failure details
+ */
+errlHndl_t initiateDrtm();
+
+/**
+ *  @brief Updates DRTM related scratch registers with DRTM payload details
+ *
+ *  @par Detailed Description:
+ *      Updates scratch register 7+8 to record details of the DRTM payload
+ *      preserved in memory. This should be called prior to initiating the
+ *      DRTM late launch sequence.
+ *
+ *  @note: Only valid for RIT protection
+ *
+ *  @param[in] i_drtmPayloadAddrMb DRTM payload physical address in MB
+ */
+void setDrtmPayloadPhysAddrMb(uint32_t i_drtmPayloadPhysAddrMb);
+#endif
+
+} // End DRTM namespace
+
+} // End SECUREBOOT namespace
+
+#endif // End __SECUREBOOT_DRTM_H
+

src/include/usr/secureboot/secure_reasoncodes.H

@@ -38,6 +38,7 @@ namespace SECUREBOOT
         MOD_SECURE_ROM_CLEANUP          = 0x04,
         MOD_SECURE_ROM_SHA512           = 0x05,
         MOD_SECURE_READ_REG             = 0x06,
+        MOD_SECURE_WRITE_REG            = 0x07,
    };
 
     enum SECUREReasonCode

src/include/usr/secureboot/service.H

@@ -48,20 +48,6 @@ typedef uint8_t PAGE_TABLE_ENTRY_t[HASH_PAGE_TABLE_ENTRY_SIZE];
 
 namespace SECUREBOOT
 {
-    // these constants represent the scom addresses and masks we need
-    // to obtain secure boot settings from the system
-    enum class ProcSecurity : uint64_t
-    {
-        SabBit = 0x8000000000000000ull,
-        SwitchRegister = 0x00010005ull,
-    };
-
-    enum class ProcCbsControl : uint64_t
-    {
-        JumperStateBit = 0x0400000000000000ull,
-        StatusRegister = 0x00050001ull,
-    };
-
     /** @brief Perform initialization of Secureboot for the Base image.
      *
      *  - Copy secure header from original location.
@@ -107,6 +93,47 @@ namespace SECUREBOOT
             TARGETING::Target* i_targ
                 = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL);
 
+    /**
+     *  @brief  Clear specified bits in the processor security switch register
+     *
+     *  @par Detailed Description:
+     *      Clears the specified bits in the processor security switch register.
+     *
+     *  @param[in] i_bits Vector of ProcSecurity (bit) enums
+     *  @param[in] i_pTarget Processor target to write.  Must be either
+     *      the master processor target sentinel or valid processor target.
+     *      Must not be NULL.
+     *
+     *  @return errHndl_t Error log handle indicating success or failure
+     *  @retval nullptr  Cleared specified security switch register bits
+     *      successfully
+     *  @retval !nullptr Error log providing failure details
+     */
+    errlHndl_t clearSecuritySwitchBits(
+        const std::vector<SECUREBOOT::ProcSecurity>& i_bits,
+              TARGETING::Target*                     i_pTarget =
+              TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL);
+
+    /**
+     *  @brief  Set specified bits in the processor security switch register
+     *
+     *  @par Detailed Description:
+     *      Sets the specified bits in the processor security switch register.
+     *
+     *  @param[in] i_bits Vector of ProcSecurity (bit) enums
+     *  @param[in] i_pTarget Processor target to write.  Must be either
+     *      the master processor target sentinel or valid processor target.
+     *      Must not be NULL.
+     *
+     *  @return errHndl_t Error log handle indicating success or failure
+     *  @retval nullptr  Set specified security switch register bits
+     *      successfully
+     *  @retval !nullptr Error log providing failure details
+     */
+    errlHndl_t setSecuritySwitchBits(
+        const std::vector<SECUREBOOT::ProcSecurity>& i_bits,
+              TARGETING::Target*                     i_pTarget =
+              TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL);
 
     /** @brief Returns the state of the secure jumper as reported by the
      *      given processor.

src/include/usr/secureboot/settings.H

@@ -29,6 +29,7 @@
 #include <targeting/common/target.H>
 #include <targeting/common/targetservice.H>
 #include <cstdint>
+#include <vector>
 
 namespace SECUREBOOT
 {
@@ -38,6 +39,39 @@ namespace SECUREBOOT
         SECURITY_ASSERTED = 0b1,
     };
 
+    // these constants represent the scom addresses and masks we need
+    // to obtain secure boot settings from the system
+    enum class ProcSecurity : uint64_t
+    {
+        SabBit   = 0x8000000000000000ull, // Secure access (mirrored)
+        LLPBit   = 0x4000000000000000ull, // Late launch primary
+        LLSBit   = 0x2000000000000000ull, // Late launch secondary
+        LQABit   = 0x1000000000000000ull, // Local quiesce achieved
+        SULBit   = 0x0800000000000000ull, // Security update lock
+        L4ABit   = 0x0400000000000000ull, // Locality 4 access
+        SDBBit   = 0x0200000000000000ull, // Secure chip debug mode
+        CMFSIBit = 0x0100000000000000ull, // cMFSI access protection
+        ABUSBit  = 0x0080000000000000ull, // Abus mailbox protection
+        RNGBit   = 0x0040000000000000ull, // Random number generator lock
+        // Spare = 0x0020000000000000ull,
+        // Spare = 0x0010000000000000ull,
+        TDPBit   = 0x0008000000000000ull, // TPM deconfig protection
+        // Spare = 0x0004000000000000ull,
+        // Spare = 0x0002000000000000ull,
+        // Spare = 0x0001000000000000ull,
+
+        SwitchRegister = 0x00010005ull,
+        SwitchRegisterClear = 0x00010006ull,
+    };
+
+    enum class ProcCbsControl : uint64_t
+    {
+        SabBit         = 0x0800000000000000ull, // Secure access
+        JumperStateBit = 0x0400000000000000ull, // Secure jumper
+
+        StatusRegister = 0x00050001ull,
+    };
+
     /** @class Settings
      *
      *  @brief Caches and parses the hardware settings for Secureboot.
@@ -58,6 +92,23 @@ namespace SECUREBOOT
                 TARGETING::Target* i_targ
                     = TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL) const;
 
+            /**
+             *  @brief Clear bits in the processor security swith register.  See
+             *      full documentation in service.H.
+             */
+            errlHndl_t clearSecuritySwitchBits(
+                const std::vector<SECUREBOOT::ProcSecurity>& i_bits,
+                      TARGETING::Target*                     i_pTarget =
+                      TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL) const;
+            /**
+             *  @brief Set bits in the processor security swith register.  See
+             *      full documentation in service.H.
+             */
+            errlHndl_t setSecuritySwitchBits(
+                const std::vector<SECUREBOOT::ProcSecurity>& i_bits,
+                      TARGETING::Target*                     i_pTarget =
+                      TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL) const;
+
             /** @brief Returns the state of the secure jumper as reported by the
              *      given processor.  See wrapper in Secureboot's service.H
              *      for documenation.
@@ -91,6 +142,28 @@ namespace SECUREBOOT
                                            const uint64_t i_scomAddress,
                                             uint64_t& o_regValue) const;
 
+            /**
+             *  @brief  Write a generic security related register
+             *
+             *  @par Detailed Description:
+             *      Writes a given security register given a proc target, SCOM
+             *      address, and value.
+             *
+             *  @param[in] i_pTarget Processor target to write.  Must be either
+             *      the master processor target sentinel or valid processor
+             *      target. Must not be NULL.
+             *  @param[in] i_scomAddress SCOM address to write
+             *  @param[in] i_data Data to write to given SCOM address
+             *
+             *  @return errHndl_t Error log handle indicating success or failure
+             *  @retval nullptr  Wrote data to SCOM address successfully
+             *  @retval !nullptr Error log providing failure details
+             */
+            errlHndl_t writeSecurityRegister(
+                       TARGETING::Target* i_pTarget,
+                       uint64_t           i_scomAddress,
+                       uint64_t           i_data) const;
+
             /** Cached secure boot enabled value */
             bool iv_enabled;
     };

src/makefile

@@ -198,7 +198,7 @@ EXTENDED_MODULES += p9_stop_util
 EXTENDED_MODULES += isteps_mss
 EXTENDED_MODULES += p9_cpuWkup
 EXTENDED_MODULES += $(if $(CONFIG_ENABLE_HDAT_IN_HOSTBOOT),hdat)
-
+EXTENDED_MODULES += $(if $(CONFIG_SECUREBOOT),secureboot_ext)
 
 #***************************************
 # Working test modules

src/usr/i2c/tpmdd.C

@@ -795,7 +795,7 @@ errlHndl_t tpmWrite ( void * i_buffer,
                 {
                     TRACFCOMP(g_trac_tpmdd,
                               ERR_MRK"tpmWrite(): I2C Write-Offset! "
-                              "p/e/dA=%d/%d/0x%X, OP=%d, ",
+                              "p/e/dA=%d/%d/0x%X, OP=%d, "
                               "offset=0x%X, aS=%d, len=%d",
                               i_tpmInfo.port,
                               i_tpmInfo.engine, i_tpmInfo.devAddr,