Add Security Settings User Details to Error Logs

Change-Id: Ife4a19ea7f94670143b701f740c80f991f924601 RTC:165693 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/41904 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
open-power · Jul 10, 2017 · 775aa58 · 775aa58
1 parent bd0a3c7
commit 775aa58
Show file tree

Hide file tree

Showing 9 changed files with 191 additions and 16 deletions.
diff --git a/src/include/usr/secureboot/secure_reasoncodes.H b/src/include/usr/secureboot/secure_reasoncodes.H
@@ -67,6 +67,7 @@ namespace SECUREBOOT
         SECURE_UDT_NO_FORMAT          = 0x0,
         SECURE_UDT_SYSTEM_HW_KEY_HASH = 0x1,
         SECURE_UDT_TARGET_HW_KEY_HASH = 0x2,
+        SECURE_UDT_SECURITY_SETTINGS  = 0x3,
     };
 
 }

diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H
@@ -284,6 +284,14 @@ namespace SECUREBOOT
      */
     void addSecurityRegistersToErrlog(errlHndl_t & io_err);
 
+    /**
+     * @brief Common handler for adding all relevant secureboot information to
+     *        the user details section of an error log
+     * @param[in/out] io_err  Error Log to add secure info to.
+     *                        Must not be nullptr.
+     */
+    void addSecureUserDetailsToErrolog(errlHndl_t & io_err);
+
 }
 
 #endif
diff --git a/src/usr/isteps/istep10/call_host_update_redundant_tpm.C b/src/usr/isteps/istep10/call_host_update_redundant_tpm.C
@@ -205,11 +205,8 @@ void handleProcessorSecurityError(TARGETING::Target* i_pProc,
 
     ERRORLOG::ErrlUserDetailsTarget(i_pProc).addToLog(err);
 
-    SECUREBOOT::addSecurityRegistersToErrlog(err);
-
-    sha2_hash_t sysHash = {0};
-    SECUREBOOT::getHwKeyHash(sysHash);
-    SECUREBOOT::UdSystemHwKeyHash(sysHash).addToLog(err);
+    // Add Security related user details
+    SECUREBOOT::addSecureUserDetailsToErrolog(err);
 
     // add hashes to log and traces
     for(auto& hsh : i_hashes)

diff --git a/src/usr/secureboot/base/service.C b/src/usr/secureboot/base/service.C
@@ -181,16 +181,8 @@ void handleSecurebootFailure(errlHndl_t &io_err, bool i_waitForShutdown)
     io_err->addProcedureCallout(HWAS::EPUB_PRC_FW_VERIFICATION_ERR,
                                HWAS::SRCI_PRIORITY_HIGH);
 
-    // Add security register values
-    addSecurityRegistersToErrlog(io_err);
-
-    // Add HW Keys' Hash to trace and the error log
-    SHA512_t hash = {0};
-    getHwKeyHash(hash);
-
-    SB_INF_BIN("HwKeyHash", &hash, sizeof(hash));
-
-    UdSystemHwKeyHash( hash ).addToLog(io_err);
+    // Add Security related user details
+    addSecureUserDetailsToErrolog(io_err);
 
     io_err->collectTrace(SECURE_COMP_NAME,MAX_ERROR_TRACE_SIZE);
 
@@ -556,4 +548,21 @@ void addSecurityRegistersToErrlog(errlHndl_t & io_err)
     return;
 }
 
+void addSecureUserDetailsToErrolog(errlHndl_t & io_err)
+{
+    // Add Security Settings
+    UdSecuritySettings().addToLog(io_err);
+
+    // Add security register values
+    addSecurityRegistersToErrlog(io_err);
+
+    // Add System HW Keys' Hash
+    SHA512_t hash = {0};
+    getHwKeyHash(hash);
+    SB_INF_BIN("Sys HwKeyHash", &hash, sizeof(hash));
+    UdSystemHwKeyHash( hash ).addToLog(io_err);
+
+    //Note: adding UdTargetHwKeyHash left to Extended image
+}
+
 } //namespace SECUREBOOT
diff --git a/src/usr/secureboot/base/settings.C b/src/usr/secureboot/base/settings.C
@@ -160,7 +160,7 @@ namespace SECUREBOOT
         auto l_errl = readSecurityRegister(i_pProc,
                     static_cast<uint64_t>(ProcSecurity::SwitchRegister),
                     o_regValue);
-        SB_INF("getSecuritySwitch() err_rc:%.4X huid:%.8X reg:%.16llX",
+        SB_INF("getSecuritySwitch() err_rc:0x%.4X huid:0x%.8X reg:0x%.16llX",
             ERRL_GETRC_SAFE(l_errl), get_huid(i_pProc), o_regValue);
 
         return l_errl;
@@ -265,6 +265,7 @@ namespace SECUREBOOT
                 TO_UINT64(get_huid(i_pTarget)),
                 true);
             pError->collectTrace(SECURE_COMP_NAME, ERROR_TRACE_SIZE);
+            addSecureUserDetailsToErrolog(pError);
             break;
         }
 
@@ -335,6 +336,7 @@ namespace SECUREBOOT
                                          TO_UINT64(get_huid(i_pProc)),
                                          true /* Add HB Software Callout */ );
             l_errl->collectTrace(SECURE_COMP_NAME, ERROR_TRACE_SIZE);
+            addSecureUserDetailsToErrolog(l_errl);
             break;
         }
 

diff --git a/src/usr/secureboot/common/errlud_secure.C b/src/usr/secureboot/common/errlud_secure.C
@@ -30,6 +30,7 @@
 #include <secureboot/service.H>
 #include <secureboot/secure_reasoncodes.H>
 #include "errlud_secure.H"
+#include <kernel/bltohbdatamgr.H>
 
 namespace SECUREBOOT
 {
@@ -121,5 +122,47 @@ UdTargetHwKeyHash::~UdTargetHwKeyHash()
 
 }
 
+//------------------------------------------------------------------------------
+//  SECURE Security Settings User Details
+//------------------------------------------------------------------------------
+UdSecuritySettings::UdSecuritySettings()
+{
+    // Set up Ud instance variables
+    iv_CompId = SECURE_COMP_ID;
+    iv_Version = SECURE_UDT_VERSION_1;
+    iv_SubSection = SECURE_UDT_SECURITY_SETTINGS;
+
+    char * l_pBuf = reinterpret_cast<char *>(reallocUsrBuf(
+                                                        sizeof(detailsLayout)));
+
+    detailsLayout * l_pDetailsLayout = reinterpret_cast<detailsLayout *>(l_pBuf);
+
+    //***** Version SECURE_UDT_VERSION_1 Memory Layout *****
+    // 1 byte   : Secure Access Bit
+    // 1 byte   : Security Override
+    // 1 byte   : Allow Attribute Overrides
+
+    l_pDetailsLayout->secAccessBit = 0xFF;
+    l_pDetailsLayout->secOverride = 0xFF;
+    l_pDetailsLayout->allowAttrOverride = 0xFF;
+
+#ifndef __HOSTBOOT_RUNTIME
+    // Only check BlToHbData if it is valid, otherwise fields defaulted to 0xFF
+    if (g_BlToHbDataManager.isValid())
+    {
+        l_pDetailsLayout->secAccessBit = g_BlToHbDataManager.getSecureAccessBit();
+        l_pDetailsLayout->secOverride = g_BlToHbDataManager.getSecurityOverride();
+        l_pDetailsLayout->allowAttrOverride = g_BlToHbDataManager.getAllowAttrOverrides();
+    }
+#endif
+
+}
+
+//------------------------------------------------------------------------------
+UdSecuritySettings::~UdSecuritySettings()
+{
+
+}
+
 } // end SECUREBOOT namespace
 
diff --git a/src/usr/secureboot/common/errlud_secure.H b/src/usr/secureboot/common/errlud_secure.H
@@ -125,6 +125,54 @@ class UdTargetHwKeyHash : public ERRORLOG::ErrlUserDetails
     UdTargetHwKeyHash& operator = (UdTargetHwKeyHash&&) = delete;
 };
 
+/**
+ * @class UdSecuritySettings
+ *
+ * Adds Security Settings to an error log as user detail data
+ */
+class UdSecuritySettings : public ERRORLOG::ErrlUserDetails
+{
+  public:
+    /**
+     *  @brief Constructor
+     */
+    UdSecuritySettings();
+
+    /**
+     *  @brief Destructor
+     */
+    virtual ~UdSecuritySettings();
+
+    /**
+     * Delete Copy Constructor
+     */
+    UdSecuritySettings(const UdSecuritySettings&) = delete;
+
+    /**
+     * Delete Copy Assignment
+     */
+    UdSecuritySettings& operator= (const UdSecuritySettings&) = delete;
+
+    /**
+     * Delete Move Constructor
+     */
+    UdSecuritySettings (UdSecuritySettings&&) = delete;
+
+    /**
+     * Delete Move Assignment
+     */
+    UdSecuritySettings& operator = (UdSecuritySettings&&) = delete;
+
+    private:
+        // Errl User Details layout
+        struct detailsLayout
+        {
+            uint8_t secAccessBit;
+            uint8_t secOverride;
+            uint8_t allowAttrOverride;
+        };
+
+};
 
 } // end SECUREBOOT namespace
 

diff --git a/src/usr/secureboot/common/plugins/errludP_secure.H b/src/usr/secureboot/common/plugins/errludP_secure.H
@@ -165,6 +165,70 @@ private:
     UdParserTargetHwKeyHash & operator=(const UdParserTargetHwKeyHash&);
 };
 
+/**
+ * @class UdParserSecuritySettings
+ *
+ * Parses UdSecuritySettings
+ */
+class UdParserSecuritySettings : public ERRORLOG::ErrlUserDetailsParser
+{
+  public:
+    /**
+     *  @brief Constructor
+     */
+    UdParserSecuritySettings() {}
+
+    /**
+     *  @brief Destructor
+     */
+    virtual ~UdParserSecuritySettings() {}
+
+    /**
+     *  @brief Parses string user detail data from an error log
+     *
+     *  @param  i_version Version of the data
+     *  @param  i_parse   ErrlUsrParser object for outputting information
+     *  @param  i_pBuffer Pointer to buffer containing detail data
+     *  @param  i_buflen  Length of the buffer
+     */
+    virtual void parse(errlver_t i_version,
+                       ErrlUsrParser & i_parser,
+                       void * i_pBuffer,
+                       const uint32_t i_buflen) const
+    {
+        //***** Version 1 Memory Layout *****
+        // 1 byte   : Secure Access Bit
+        // 1 byte   : Security Override
+        // 1 byte   : Allow Attribute Overrides
+
+        detailsLayout* l_databuf = static_cast<detailsLayout*>(i_pBuffer);
+
+        i_parser.PrintHeading("Security Settings");
+        if (i_version >= 1)
+        {
+            i_parser.PrintNumber("Secure Access Bit","0x%.2X",
+                                 l_databuf->secAccessBit);
+            i_parser.PrintNumber("Security Override","0x%.2X",
+                                 l_databuf->secOverride);
+            i_parser.PrintNumber("Allow Attribute Overrides","0x%.2X",
+                                 l_databuf->allowAttrOverride);
+        }
+    }
+
+  private:
+    // Disabled
+    UdParserSecuritySettings(const UdParserSecuritySettings&);
+    UdParserSecuritySettings & operator=(const UdParserSecuritySettings&);
+
+    // Errl User Details layout
+    struct detailsLayout
+    {
+        uint8_t secAccessBit;
+        uint8_t secOverride;
+        uint8_t allowAttrOverride;
+    };
+};
+
 
 
 } // end SECUREBOOT namespace

diff --git a/src/usr/secureboot/common/plugins/secureUdParserFactory.H b/src/usr/secureboot/common/plugins/secureUdParserFactory.H
@@ -41,6 +41,9 @@ namespace SECUREBOOT
 
                 registerParser<SECUREBOOT::UdParserTargetHwKeyHash>
                   (SECURE_UDT_TARGET_HW_KEY_HASH);
+
+                registerParser<SECUREBOOT::UdParserSecuritySettings>
+                  (SECURE_UDT_SECURITY_SETTINGS);
             }
 
         private: