|
46 | 46 | run-python-file (lookup-file hbfw/hb-simdebug.py) |
47 | 47 | } except { echo "ERROR: Failed to load Hostboot debug tools." } |
48 | 48 |
|
| 49 | +# Determine security state |
| 50 | +$hw_security=(shell "echo $SECURITY_HW_POLICY") |
| 51 | +if($hw_security == "") { |
| 52 | + # Assume default if not specified |
| 53 | + $hw_security = "0" |
| 54 | +} |
| 55 | + |
| 56 | +if(($hw_security != "1") and ($hw_security != "0")) { |
| 57 | + # Emit warning and assume default |
| 58 | + echo ("SECURITY: WARNING! Bad value "+ |
| 59 | + $hw_security+" for HW security policy, defaulting to 0") |
| 60 | + $hw_security = "0" |
| 61 | +} |
| 62 | +echo "SECURITY: HW security policy set to "+$hw_security |
| 63 | + |
| 64 | +$sw_security=(shell "echo $SECURITY_SW_POLICY") |
| 65 | +if($sw_security == "") { |
| 66 | + # Assume default if not specified |
| 67 | + $sw_security = "0" |
| 68 | +} |
49 | 69 |
|
| 70 | +if(($sw_security != "1") and ($sw_security != "0")) { |
| 71 | + # Emit warning and assume default |
| 72 | + echo ("SECURITY: WARNING! Bad value "+ |
| 73 | + $sw_security+" for SW security policy, defaulting to 0") |
| 74 | + $sw_security = "0" |
| 75 | +} |
| 76 | +echo "SECURITY: SW security policy set to "+$sw_security |
| 77 | + |
| 78 | +try { |
| 79 | + $len = python "len(os.environ['SECURITY_HW_KEYS_HASH'])" |
| 80 | + if($len == 128) { |
| 81 | + $hkh=python ("[os.environ['SECURITY_HW_KEYS_HASH'][i:i+8] for |
| 82 | + i in range(0, len(os.environ['SECURITY_HW_KEYS_HASH']), 8)]") |
| 83 | + echo "SECURITY: Using HW keys' hash override with value of "+$hkh |
| 84 | + } else { |
| 85 | + echo ("SECURITY: WARNING! HW key's hash override was not 128 bytes, "+ |
| 86 | + "using imprint value") |
| 87 | + } |
| 88 | +} except { |
| 89 | + # Override not present |
| 90 | +} |
| 91 | + |
| 92 | +if(not (defined hkh)) { |
| 93 | + # If no override, use the default imprint HW keys' hash |
| 94 | + $hkh=["40D487FF","7380ED6A", |
| 95 | + "D54775D5","795FEA0D", |
| 96 | + "E2F541FE","A9DB06B8", |
| 97 | + "466A42A3","20E65F75", |
| 98 | + "B4866546","0017D907", |
| 99 | + "515DC2A5","F9FC5095", |
| 100 | + "4D6EE0C9","B67D219D", |
| 101 | + "FB708535","1D01D6D1"] |
| 102 | + echo "SECURITY: Using imprint HW keys' hash with value of "+$hkh |
| 103 | +} |
| 104 | + |
| 105 | +# Load security state |
| 106 | +foreach $cc in (get-object-list p8_proc) { |
| 107 | + |
| 108 | + # Set HW security policy |
| 109 | + # "0"=jumper applied(security disabled, default) |
| 110 | + # "1"=jumper removed(security enabled) |
| 111 | + (($cc).proc_chip.regwrite "LOGIC" 0xFF481000 "0x00000000_0000000"+ |
| 112 | + $hw_security 64) |
| 113 | + |
| 114 | + # Set SW Security Policy |
| 115 | + # "0"=SBE open (no security, default) |
| 116 | + # "1"=SBE closed (no override of HW security) |
| 117 | + (($cc).proc_chip.regwrite "LOGIC" 0xFF481001 "0x00000000_0000000"+ |
| 118 | + $sw_security 64) |
| 119 | + |
| 120 | + # HW Key's Hash (for SEEPROM) |
| 121 | + ($cc).proc_chip.regwrite "LOGIC" 0xFF480008 "0x"+$hkh[0]+"_"+$hkh[1] 64 |
| 122 | + ($cc).proc_chip.regwrite "LOGIC" 0xFF480009 "0x"+$hkh[2]+"_"+$hkh[3] 64 |
| 123 | + ($cc).proc_chip.regwrite "LOGIC" 0xFF48000A "0x"+$hkh[4]+"_"+$hkh[5] 64 |
| 124 | + ($cc).proc_chip.regwrite "LOGIC" 0xFF48000B "0x"+$hkh[6]+"_"+$hkh[7] 64 |
| 125 | + ($cc).proc_chip.regwrite "LOGIC" 0xFF48000C "0x"+$hkh[8]+"_"+$hkh[9] 64 |
| 126 | + ($cc).proc_chip.regwrite "LOGIC" 0xFF48000D "0x"+$hkh[10]+"_"+$hkh[11] 64 |
| 127 | + ($cc).proc_chip.regwrite "LOGIC" 0xFF48000E "0x"+$hkh[12]+"_"+$hkh[13] 64 |
| 128 | + ($cc).proc_chip.regwrite "LOGIC" 0xFF48000F "0x"+$hkh[14]+"_"+$hkh[15] 64 |
| 129 | +} |
50 | 130 |
|
51 | 131 | ########################### WORKAROUNDS #################################### |
52 | 132 | # Setup the mailbox. |
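Review bot: The SECURITY_HW_KEYS_HASH override (new lines 79-83) is accepted on length alone, so any 128-character string is split into eight-character words and concatenated into the `regwrite` value strings at new lines 121-128 without being checked for hexadecimal content. The test should also reject non-hex input, for example by having the Python expression additionally evaluate `all(c in '0123456789abcdefABCDEF' for c in os.environ['SECURITY_HW_KEYS_HASH'])`, and fall back to the imprint hash with the existing warning when it fails. The warning text says "128 bytes" although the check counts characters; `"SECURITY: WARNING! HW keys' hash override was not 128 hex characters, "+` matches what is tested. Separately, an unrecognised SECURITY_HW_POLICY or SECURITY_SW_POLICY value (new lines 56-61 and 70-75) falls back to "0", which the comments describe as security disabled, with only an echo. A mistyped value in a run meant to exercise the secure path therefore proceeds unsecured, so consider stopping the script there instead of defaulting.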
|