Secure Boot: Close SBE Security Backdoor

During a key transition process from dev to prod keys the
lab override bit does not get unset and does not get customized
into SBE at the time of the transition. Only when the system
reaches istep 10.2 with prod keys does the bit get reset. This
change customizes the bit at the time of the transition, which
ensures the system is secure all the way through IPL with prod
keys.

Change-Id: I1343d2dd95aa4549b92e46ebcb9df142303c1f0b
RTC: 188958
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/56127
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>

src/build/buildpnor/genPnorImages.pl

@@ -194,17 +194,29 @@
 }
 
 my $labSecurityOverrideFlag = 0;
+my $ktSecurityOverrideFlag = 0;
 if($labSecurityOverride)
 {
     if($signMode{$DEVELOPMENT})
     {
         $labSecurityOverrideFlag = LAB_SECURITY_OVERRIDE_FLAG;
+        if($keyTransition{$IMPRINT})
+        {
+            $ktSecurityOverrideFlag = LAB_SECURITY_OVERRIDE_FLAG;
+        }
+        elsif($keyTransition{$PRODUCTION})
+        {
+            # Key Transition flag will take precedence over the
+            # lab override flag.
+            $ktSecurityOverrideFlag = 0;
+        }
     }
     else
     {
         $labSecurityOverride = 0;
-        print "WARNING! Lab security override only valid in development/"
-            . "imprint mode, continuing with lab security override disabled.\n";
+        print "WARNING! Lab security override only valid in development-"
+            . "signed mode or during a key transition that installs development"
+            . " keys. Continuing with lab security override disabled.\n";
     }
 }
 
@@ -322,7 +334,7 @@
             file => "$bin_dir/$randPrefix.sbkt.outer.secureboot.hdr.bin"
         },
         inner => {
-            flags => sprintf("0x%08X", $buildFlag),
+            flags => sprintf("0x%08X", $buildFlag | $ktSecurityOverrideFlag),
             file => "$bin_dir/$randPrefix.sbkt.inner.secureboot.hdr.bin"
         }
     }

src/usr/pnor/spnorrp.C

@@ -1283,7 +1283,7 @@ errlHndl_t SPnorRP::processLabOverride(
         break;
     }
 
-    TRACFCOMP(g_trac_pnor,INFO_MRK "Set lab security override policy to %s.",
+    TRACFCOMP(g_trac_pnor,INFO_MRK "Set lab security override policy to \"%s\"",
         securityMode ? "*NO* override" : "override if requested");
     } while(0);
 

src/usr/sbe/sbe_update.C

@@ -5845,7 +5845,7 @@ errlHndl_t secureKeyTransition()
         l_errl = l_nestedConHdr.setHeader(l_pVaddr);
         if(l_errl)
         {
-             TRACFCOMP( g_trac_sbe, ERR_MRK"secureKeyTransition() - setheader failed");
+            TRACFCOMP( g_trac_sbe, ERR_MRK"secureKeyTransition() - setheader failed");
             break;
         }
         // Get pointer to first element of hwKeyHash from header.
@@ -5855,6 +5855,18 @@ errlHndl_t secureKeyTransition()
                sizeof(g_hw_keys_hash_transition_data));
         // Indicate a key transition is required
         g_do_hw_keys_hash_transition = true;
+
+        bool l_hw_lab_override_flag = l_nestedConHdr.sb_flags()->hw_lab_override;
+        TRACFCOMP(g_trac_sbe, "Overriding the Lab Security Backdoor Bit due to"
+                  " key transition; new Security Backdoor Enabled bit is %d",
+                  l_nestedConHdr.sb_flags()->hw_lab_override);
+        l_errl = SECUREBOOT::setSbeSecurityMode(!l_hw_lab_override_flag);
+        if(l_errl)
+        {
+            TRACFCOMP(g_trac_sbe, ERR_MRK"secureKeyTransition() - could not"
+                      " set SBE security mode.");
+            break;
+        }
     }
     if(l_loaded)
     {