diff --git a/src/build/mkrules/dist.targets.mk b/src/build/mkrules/dist.targets.mk index d64343f0f45..bef6756d4b6 100644 --- a/src/build/mkrules/dist.targets.mk +++ b/src/build/mkrules/dist.targets.mk @@ -270,6 +270,8 @@ fsp.tar_CONTENTS = \ $(call ROOTPATH_WILDCARD,obj/genfiles/plugins/prdf/*)) \ $(addsuffix :plugins/,\ $(call ROOTPATH_WILDCARD,src/usr/*/plugins/*)) \ + $(addsuffix :plugins/,\ + $(call ROOTPATH_WILDCARD,src/usr/secureboot/common/plugins/*)) \ src/build/debug/fsp-memdump.sh:src/build/debug/ \ obj/genfiles/hbfw_term_rc.H \ obj/genfiles/srcListing \ diff --git a/src/include/usr/secureboot/secure_reasoncodes.H b/src/include/usr/secureboot/secure_reasoncodes.H index 1609e1a5ffa..1e7cb797f0b 100644 --- a/src/include/usr/secureboot/secure_reasoncodes.H +++ b/src/include/usr/secureboot/secure_reasoncodes.H @@ -55,6 +55,18 @@ namespace SECUREBOOT // Reason codes 0xA0 - 0xEF reserved for trustedboot_reasoncodes.H }; + + enum UserDetailsTypes + { + // Version(s) + SECURE_UDT_VERSION_1 = 0x1, + + // Formats/User Detail Sections + SECURE_UDT_NO_FORMAT = 0x0, + SECURE_UDT_SYSTEM_HW_KEY_HASH = 0x1, + SECURE_UDT_TARGET_HW_KEY_HASH = 0x2, + }; + } #endif diff --git a/src/usr/secureboot/base/service.C b/src/usr/secureboot/base/service.C index 075a7313c39..673ec709ef5 100644 --- a/src/usr/secureboot/base/service.C +++ b/src/usr/secureboot/base/service.C @@ -45,6 +45,7 @@ #include #include "../common/securetrace.H" +#include "../common/errlud_secure.H" // Quick change for unit testing //#define TRACUCOMP(args...) TRACFCOMP(args) @@ -187,7 +188,16 @@ void handleSecurebootFailure(errlHndl_t &io_err, bool i_waitForShutdown) // Add security register values addSecurityRegistersToErrlog(io_err); - io_err->collectTrace(SECURE_COMP_NAME,ERROR_TRACE_SIZE); + + // Add HW Keys' Hash to trace and the error log + SHA512_t hash = {0}; + getHwKeyHash(hash); + + SB_INF_BIN("HwKeyHash", &hash, sizeof(hash)); + + UdSystemHwKeyHash( hash ).addToLog(io_err); + + io_err->collectTrace(SECURE_COMP_NAME,MAX_ERROR_TRACE_SIZE); errlCommit(io_err, SECURE_COMP_ID); diff --git a/src/usr/secureboot/common/common.mk b/src/usr/secureboot/common/common.mk index 3d9701a40e4..8e2b4f8d444 100644 --- a/src/usr/secureboot/common/common.mk +++ b/src/usr/secureboot/common/common.mk @@ -5,7 +5,7 @@ # # OpenPOWER HostBoot Project # -# Contributors Listed Below - COPYRIGHT 2016 +# Contributors Listed Below - COPYRIGHT 2016,2017 # [+] International Business Machines Corp. # # @@ -24,3 +24,5 @@ # IBM_PROLOG_END_TAG SECUREBOOT_COMMON_OBJS += securetrace.o +SECUREBOOT_COMMON_OBJS += errlud_secure.o + diff --git a/src/usr/secureboot/common/errlud_secure.C b/src/usr/secureboot/common/errlud_secure.C new file mode 100644 index 00000000000..660038b8e0a --- /dev/null +++ b/src/usr/secureboot/common/errlud_secure.C @@ -0,0 +1,125 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/usr/secureboot/common/errlud_secure.C $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2014,2017 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +/** + * @file errlud_secure.C + * + * @brief Implementation of classes to log SECUREBOOT FFDC + */ +#include +#include +#include "errlud_secure.H" + +namespace SECUREBOOT +{ + +//------------------------------------------------------------------------------ +// Enum defining MAGIC NUMBERS used for checks below +//------------------------------------------------------------------------------ +enum { + PARSER_SIZEOF_SHA512_t = 64, + PARSER_SIZEOF_UINT32_t = 4, + PARSER_SIZEOF_UINT8_t = 1, + PARSER_SIZEOF_TARGET_HKH_SECTION = 69, +}; + +//------------------------------------------------------------------------------ +// SECURE System HW Keys Hash User Details +//------------------------------------------------------------------------------ +UdSystemHwKeyHash::UdSystemHwKeyHash(const SHA512_t i_hash) +{ + // Set up Ud instance variables + iv_CompId = SECURE_COMP_ID; + iv_Version = SECURE_UDT_VERSION_1; + iv_SubSection = SECURE_UDT_SYSTEM_HW_KEY_HASH; + + //***** Memory Layout ***** + // 64 bytes : SHA512_t of Target HW Key Hash + + static_assert(sizeof(SHA512_t) == PARSER_SIZEOF_SHA512_t, "Expected SHA512_t size is 64 bytes"); + + char * l_pBuf = reinterpret_cast( + reallocUsrBuf(sizeof(SHA512_t)) ); + + memcpy(l_pBuf, i_hash, sizeof(SHA512_t)); + l_pBuf += sizeof(SHA512_t); +} + +//------------------------------------------------------------------------------ +UdSystemHwKeyHash::~UdSystemHwKeyHash() +{ + +} + +//------------------------------------------------------------------------------ +// SECURE Target HW Keys Hash User Details +//------------------------------------------------------------------------------ +UdTargetHwKeyHash::UdTargetHwKeyHash(const TARGETING::Target * i_target, + const uint8_t i_side, + const SHA512_t i_hash) +{ + // Set up Ud instance variables + iv_CompId = SECURE_COMP_ID; + iv_Version = SECURE_UDT_VERSION_1; + iv_SubSection = SECURE_UDT_TARGET_HW_KEY_HASH; + + //***** Memory Layout ***** + // 4 bytes : Target HUID + // 1 byte : SBE EEPROM (Primary or Backup) + // 64 bytes : SHA512_t of Target HW Key Hash + + static_assert(sizeof(uint32_t)==PARSER_SIZEOF_UINT32_t, "Expected sizeof(uint32_t) is 4"); + static_assert(sizeof(uint8_t)==PARSER_SIZEOF_UINT8_t, "Expected sizeof(uint8_t) is 1"); + static_assert(sizeof(SHA512_t) == PARSER_SIZEOF_SHA512_t, "Expected SHA512_t size is 64 bytes"); + static_assert((sizeof(uint32_t) + sizeof(uint8_t) + sizeof(SHA512_t)) == PARSER_SIZEOF_TARGET_HKH_SECTION, + "Expected Buffer length is 69 bytes"); + + char * l_pBuf = reinterpret_cast( + reallocUsrBuf(sizeof(uint32_t) + +sizeof(uint8_t) + +sizeof(SHA512_t))); + + uint32_t tmp32 = 0; + uint8_t tmp8 = 0; + + tmp32 = TARGETING::get_huid(i_target); + memcpy(l_pBuf, &tmp32, sizeof(tmp32)); + l_pBuf += sizeof(tmp32); + + tmp8 = static_cast(i_side); + memcpy(l_pBuf, &tmp8, sizeof(tmp8)); + l_pBuf += sizeof(tmp8); + + memcpy(l_pBuf, i_hash, sizeof(SHA512_t)); + l_pBuf += sizeof(SHA512_t); +} + +//------------------------------------------------------------------------------ +UdTargetHwKeyHash::~UdTargetHwKeyHash() +{ + +} + +} // end SECUREBOOT namespace + diff --git a/src/usr/secureboot/common/errlud_secure.H b/src/usr/secureboot/common/errlud_secure.H new file mode 100644 index 00000000000..60572ad69b7 --- /dev/null +++ b/src/usr/secureboot/common/errlud_secure.H @@ -0,0 +1,131 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/usr/secureboot/common/errlud_secure.H $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2017 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +#ifndef ERRL_UD_SECURE_H +#define ERRL_UD_SECURE_H + +/** + * @file errlud_secure.H + * + * Defines the classes that logs and parses various Secureboot data + */ + +#include +#include + +namespace SECUREBOOT +{ + +/** + * @class UdSystemHwKeyHash + * + * Adds System HW Keys Hash to an error log as user detail data + */ +class UdSystemHwKeyHash : public ERRORLOG::ErrlUserDetails +{ + public: + /** + * @brief Constructor + * + * @param i_hash System HW Keys Hash represented by SHA512 + */ + UdSystemHwKeyHash(const SHA512_t i_hash); + + /** + * @brief Destructor + */ + virtual ~UdSystemHwKeyHash(); + + /** + * Delete Copy Constructor + */ + UdSystemHwKeyHash(const UdSystemHwKeyHash&) = delete; + + /** + * Delete Copy Assignment + */ + UdSystemHwKeyHash& operator= (const UdSystemHwKeyHash&) = delete; + + /** + * Delete Move Constructor + */ + UdSystemHwKeyHash (UdSystemHwKeyHash&&) = delete; + + /** + * Delete Move Assignment + */ + UdSystemHwKeyHash& operator = (UdSystemHwKeyHash&&) = delete; + +}; + +/** + * @class UdTargetHwKeyHash + * + * Adds Target HW Keys Hash to an error log as user detail data + */ +class UdTargetHwKeyHash : public ERRORLOG::ErrlUserDetails +{ + public: + /** + * @brief Constructor + * + * @param i_target Processor Target containing HW Keys Hash + * @param i_side SEEPROM side used on the target: + * 0=SBE_PRIMARY, 1=SBE_BACKUP + * @param i_hash Target HW Keys Hash represented by SHA512 + */ + UdTargetHwKeyHash(const TARGETING::Target * i_target, + const uint8_t i_buflen, + const SHA512_t i_hash); + + /** + * @brief Destructor + */ + virtual ~UdTargetHwKeyHash(); + + /** + * Delete Copy Constructor + */ + UdTargetHwKeyHash(const UdTargetHwKeyHash&) = delete; + + /** + * Delete Copy Assignment + */ + UdTargetHwKeyHash& operator= (const UdTargetHwKeyHash&) = delete; + + /** + * Delete Move Constructor + */ + UdTargetHwKeyHash (UdTargetHwKeyHash&&) = delete; + + /** + * Delete Move Assignment + */ + UdTargetHwKeyHash& operator = (UdTargetHwKeyHash&&) = delete; +}; + + +} // end SECUREBOOT namespace + +#endif diff --git a/src/usr/secureboot/common/plugins/SECURE_COMP_ID_Parse.C b/src/usr/secureboot/common/plugins/SECURE_COMP_ID_Parse.C new file mode 100644 index 00000000000..63d2d8952b1 --- /dev/null +++ b/src/usr/secureboot/common/plugins/SECURE_COMP_ID_Parse.C @@ -0,0 +1,29 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/usr/secureboot/common/plugins/SECURE_COMP_ID_Parse.C $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2017 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +#include "errludparser.H" +#include "secureUdParserFactory.H" + +ERRL_MAKE_UD_PARSER(SECUREBOOT::UserDetailsParserFactory, hbfw::SECURE_COMP_ID) + diff --git a/src/usr/secureboot/common/plugins/errludP_secure.H b/src/usr/secureboot/common/plugins/errludP_secure.H new file mode 100644 index 00000000000..02305a4c1af --- /dev/null +++ b/src/usr/secureboot/common/plugins/errludP_secure.H @@ -0,0 +1,172 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/usr/secureboot/common/plugins/errludP_secure.H $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2017 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +#ifndef ERRL_UDP_SECURE_H +#define ERRL_UDP_SECURE_H + +/** + * @file errludP_secure.H + * + * Defines the ErrlUserDetailsParser classes that parse SECURE FFDC + */ + +#include "errluserdetails.H" +#include + +/** + * Some macros to manipulate data types cleanly + */ +#define TO_UINT8(ptr) (*(reinterpret_cast(ptr))) +#define TO_UINT32(ptr) (ntohl(*(reinterpret_cast(ptr)))) + +namespace SECUREBOOT +{ +/** + * Enum defining MAGIC NUMBER used below + */ +enum { + UDPARSER_SIZEOF_SHA512_t = 64, +}; + +/** + * @class UdParserSystemHwKeyHash + * + * Parses UdSystemHwKeyHash + */ +class UdParserSystemHwKeyHash : public ERRORLOG::ErrlUserDetailsParser +{ +public: + /** + * @brief Constructor + */ + UdParserSystemHwKeyHash() {} + + /** + * @brief Destructor + */ + virtual ~UdParserSystemHwKeyHash() {} + + /** + * @brief Parses string user detail data from an error log + * + * @param i_version Version of the data + * @param i_parse ErrlUsrParser object for outputting information + * @param i_pBuffer Pointer to buffer containing detail data + * @param i_buflen Length of the buffer + */ + virtual void parse(errlver_t i_version, + ErrlUsrParser & i_parser, + void * i_pBuffer, + const uint32_t i_buflen) const + { + const char* l_databuf = static_cast(i_pBuffer); + i_parser.PrintHeading("System HW Key Hash"); + + //***** Memory Layout ***** + // 64 bytes : SHA512_t of System HW Key Hash + + i_parser.PrintHexDump(l_databuf, UDPARSER_SIZEOF_SHA512_t); + l_databuf += UDPARSER_SIZEOF_SHA512_t; + } + +private: + // Disabled + UdParserSystemHwKeyHash(const UdParserSystemHwKeyHash&); + UdParserSystemHwKeyHash & operator=(const UdParserSystemHwKeyHash&); +}; + + +/** + * @class UdParserTargetHwKeyHash + * + * Parses UdTargetHwKeyHash + */ +class UdParserTargetHwKeyHash : public ERRORLOG::ErrlUserDetailsParser +{ +public: + /** + * @brief Constructor + */ + UdParserTargetHwKeyHash() {} + + /** + * @brief Destructor + */ + virtual ~UdParserTargetHwKeyHash() {} + + /** + * @brief Parses string user detail data from an error log + * + * @param i_version Version of the data + * @param i_parse ErrlUsrParser object for outputting information + * @param i_pBuffer Pointer to buffer containing detail data + * @param i_buflen Length of the buffer + */ + virtual void parse(errlver_t i_version, + ErrlUsrParser & i_parser, + void * i_pBuffer, + const uint32_t i_buflen) const + { + char* l_databuf = static_cast(i_pBuffer); + i_parser.PrintHeading("Target HW Key Hash"); + + //***** Memory Layout ***** + // 4 bytes : Target HUID + // 1 byte : SBE SEEPROM (Primary or Backup) + // 64 bytes : SHA512_t of Target HW Key Hash + + i_parser.PrintNumber("Target HUID","%.8lX",TO_UINT32(l_databuf)); + l_databuf += sizeof(uint32_t); + + uint8_t side = TO_UINT8(l_databuf); + l_databuf += sizeof(uint8_t); + + if( side == 0 ) + { + i_parser.PrintNumber("SBE_PRIMARY","%.2X",side); + } + else if( side == 1 ) + { + i_parser.PrintNumber("SBE_BACKUP","%.2X",side); + } + else + { + i_parser.PrintNumber("Unknown SBE","%.2X",side); + } + + i_parser.PrintHexDump(l_databuf, UDPARSER_SIZEOF_SHA512_t); + l_databuf += UDPARSER_SIZEOF_SHA512_t; + } + +private: + // Disabled + UdParserTargetHwKeyHash(const UdParserTargetHwKeyHash&); + UdParserTargetHwKeyHash & operator=(const UdParserTargetHwKeyHash&); +}; + + + +} // end SECUREBOOT namespace + +#endif diff --git a/src/usr/secureboot/common/plugins/secureUdParserFactory.H b/src/usr/secureboot/common/plugins/secureUdParserFactory.H new file mode 100644 index 00000000000..e3ab91d4880 --- /dev/null +++ b/src/usr/secureboot/common/plugins/secureUdParserFactory.H @@ -0,0 +1,55 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/usr/secureboot/common/plugins/secureUdParserFactory.H $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2017 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +#if !defined(_SECUREUDPARSERFACTORY_H) +#define _SECUREUDPARSERFACTORY_H + +#include "errludparserfactory.H" +#include "errludP_secure.H" + +namespace SECUREBOOT +{ + class UserDetailsParserFactory + : public ERRORLOG::ErrlUserDetailsParserFactory + { + public: + UserDetailsParserFactory() + { + registerParser + (SECURE_UDT_SYSTEM_HW_KEY_HASH); + + registerParser + (SECURE_UDT_TARGET_HW_KEY_HASH); + } + + private: + + UserDetailsParserFactory(const UserDetailsParserFactory &); + UserDetailsParserFactory & operator= + (const UserDetailsParserFactory &); + }; +}; + +#endif + diff --git a/src/usr/secureboot/common/securetrace.H b/src/usr/secureboot/common/securetrace.H index 7c7accb5432..4152f5aa792 100644 --- a/src/usr/secureboot/common/securetrace.H +++ b/src/usr/secureboot/common/securetrace.H @@ -38,9 +38,10 @@ namespace SECUREBOOT extern trace_desc_t* g_trac_secure; -// symbolic constant for the trace size +// symbolic constants for the trace size enum { - ERROR_TRACE_SIZE = 256, + ERROR_TRACE_SIZE = 256, // normal + MAX_ERROR_TRACE_SIZE = 512, // max }; }