genPnorImages: Add VERSION to signed partitions

Mark VERSION as a signed partition and also check for it in the IPMI FRU setup. Change-Id: I6e8690c4f34d1f5ce92750960e6c73afcbf0a8e9 CQ:SW416159 Signed-off-by: Samuel Mendoza-Jonas <sjonas@au1.ibm.com> Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/61439 Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
open-power · Oct 16, 2018 · cd40032 · cd40032
1 parent ce1ebd1
commit cd40032
Show file tree

Hide file tree

Showing 7 changed files with 128 additions and 11 deletions.
diff --git a/src/build/buildpnor/genPnorImages.pl b/src/build/buildpnor/genPnorImages.pl
@@ -522,6 +522,7 @@ sub manipulateImages
         $isNormalSecure ||= ($eyeCatch eq "IMA_CATALOG");
         $isNormalSecure ||= ($eyeCatch eq "TESTRO");
         $isNormalSecure ||= ($eyeCatch eq "TESTLOAD");
+        $isNormalSecure ||= ($eyeCatch eq "VERSION");
 
         my $isSpecialSecure = ($eyeCatch eq "HBB");
         $isSpecialSecure ||= ($eyeCatch eq "HBD");

diff --git a/src/include/usr/pnor/pnorif.H b/src/include/usr/pnor/pnorif.H
@@ -81,6 +81,25 @@ errlHndl_t getSideInfo (SideId i_side, SideInfo_t& o_info);
 errlHndl_t getSectionInfo( SectionId i_section,
                            SectionInfo_t& o_info );
 
+#ifndef __HOSTBOOT_RUNTIME
+/**
+ *  @brief Returns whether requested section is available or not
+ *
+ *  @par Detailed Description:
+ *      Returns whether requested section is available or not.  Resource
+ *      provider must be functional, section ID must be valid, section must
+ *      not be inhibited by secure boot, and section must exist in the PNOR
+ *      to be considered available.
+ *
+ *  @param[in] i_section PNOR section to check for availability
+ *
+ *  @return boolean Whether section is available or not
+ *  @retval true Section is available
+ *  @retval false Section is not available
+ */
+bool isSectionAvailable(PNOR::SectionId i_section);
+#endif
+
 #ifdef CONFIG_SECUREBOOT
 /**
  *  @brief Loads requested PNOR section to secure virtual address space

diff --git a/src/usr/errl/errlentry.C b/src/usr/errl/errlentry.C
@@ -48,6 +48,7 @@
 #include <errl/errludattribute.H>
 #include <errl/errludstate.H>
 #include <trace/interface.H>
+#include <config.h>
 
 #include "../trace/entry.H"
 #include <util/align.H>
@@ -667,16 +668,21 @@ void ErrlEntry::addHbBuildId()
 
 void ErrlEntry::addVersionInfo()
 {
+
+// Start of IPL only block; runtime does not support secure loading of
+// partitions
+#ifndef __HOSTBOOT_RUNTIME
+
     // Version section of PNOR is only available to OpenPOWER systems.
-    if (!INITSERVICE::spBaseServicesEnabled())
+    if (   !INITSERVICE::spBaseServicesEnabled()
+        && PNOR::isSectionAvailable(PNOR::VERSION))
     {
-        //TODO: CQ:SW416159 Uncomment when merged
-        // bool l_secureSectionLoaded = false;
-        errlHndl_t l_errl = nullptr/*, l_errl_loadSecureSection = nullptr*/;
+        bool l_secureSectionLoaded = false;
+        errlHndl_t l_errl = nullptr, l_errl_loadSecureSection = nullptr;
 
         do
         {
-/* TODO: CQ:SW416159 Uncomment when merged
+
 #ifdef CONFIG_SECUREBOOT
             l_errl_loadSecureSection = PNOR::loadSecureSection(PNOR::VERSION);
             if (l_errl_loadSecureSection)
@@ -698,7 +704,7 @@ void ErrlEntry::addVersionInfo()
                 l_secureSectionLoaded = true;
             }
 #endif
-*/
+
             // Get PNOR Version
             PNOR::SectionInfo_t l_pnorVersionInfo;
             l_errl = getSectionInfo(PNOR::VERSION, l_pnorVersionInfo);
@@ -737,7 +743,6 @@ void ErrlEntry::addVersionInfo()
             ErrlUserDetailsString(l_pVersionString).addToLog(this);
         } while(0);
 
-/* TODO: CQ:SW416159 Uncomment when merged
 #ifdef CONFIG_SECUREBOOT
         if (l_secureSectionLoaded)
         {
@@ -757,9 +762,11 @@ void ErrlEntry::addVersionInfo()
             }
         }
 #endif
-*/
+
     }
 
+#endif // End of IPL only block
+
 }
 
 enum {

diff --git a/src/usr/ipmiext/ipmifruinv.C b/src/usr/ipmiext/ipmifruinv.C
@@ -8,6 +8,7 @@
 /* Contributors Listed Below - COPYRIGHT 2014,2018                        */
 /* [+] International Business Machines Corp.                              */
 /* [+] Jim Yuan                                                           */
+/* [+] Maxim Polyakov                                                     */
 /*                                                                        */
 /*                                                                        */
 /* Licensed under the Apache License, Version 2.0 (the "License");        */
@@ -1389,7 +1390,7 @@ errlHndl_t systemFwIpmiFruInv::buildBoardInfoArea(std::vector<uint8_t> &io_data)
 errlHndl_t systemFwIpmiFruInv::buildProductInfoArea(std::vector<uint8_t>
                                                                        &io_data)
 {
-    errlHndl_t l_errl = NULL;
+    errlHndl_t l_errl = nullptr, l_errl_version = nullptr;
 
     do {
         //Set formatting data that goes at the beginning of the record
@@ -1404,6 +1405,16 @@ errlHndl_t systemFwIpmiFruInv::buildProductInfoArea(std::vector<uint8_t>
                     &l_data[0],
                     &l_data[0] + (uint8_t(sizeof(l_data) / sizeof(uint8_t))));
 
+#ifdef CONFIG_SECUREBOOT
+        l_errl_version = PNOR::loadSecureSection(PNOR::VERSION);
+        if (l_errl_version)
+        {
+            TRACFCOMP(g_trac_ipmi,
+                    "buildProductInfoArea: Failed to load secure VERSION");
+            break;
+        }
+#endif
+
         //Get PNOR Version Here
         PNOR::SectionInfo_t l_pnorInfo;
         l_errl = getSectionInfo( PNOR::VERSION , l_pnorInfo);
@@ -1535,6 +1546,40 @@ errlHndl_t systemFwIpmiFruInv::buildProductInfoArea(std::vector<uint8_t>
 
     } while(0);
 
+#ifdef CONFIG_SECUREBOOT
+    if (l_errl_version == nullptr)
+    {
+        l_errl_version = unloadSecureSection(PNOR::VERSION);
+        if (l_errl_version)
+        {
+            TRACFCOMP(g_trac_ipmi,
+                    "buildProductInfoArea: Failed to unload secure VERSION");
+            if (l_errl)
+            {
+                errlCommit(l_errl_version, IPMI_COMP_ID);
+            }
+            else
+            {
+                l_errl = l_errl_version;
+                l_errl_version = nullptr;
+            }
+        }
+    }
+    else
+    {
+        if (l_errl)
+        {
+            errlCommit(l_errl_version, IPMI_COMP_ID);
+        }
+        else
+        {
+            l_errl = l_errl_version;
+            l_errl_version = nullptr;
+        }
+    }
+#endif
+
+
     //Finalize section formatting
     postFormatProcessing(io_data);
 

diff --git a/src/usr/pnor/pnor_utils.C b/src/usr/pnor/pnor_utils.C
@@ -377,7 +377,8 @@ bool PNOR::isEnforcedSecureSection(const uint32_t i_section)
                i_section == WOFDATA ||
                i_section == MEMD ||
                i_section == CAPP ||
-               i_section == TESTLOAD;
+               i_section == TESTLOAD ||
+               i_section == VERSION;
     #endif
 #else
     return false;

diff --git a/src/usr/pnor/pnorrp.C b/src/usr/pnor/pnorrp.C
@@ -95,6 +95,14 @@ errlHndl_t PNOR::getSectionInfo( PNOR::SectionId i_section,
     return Singleton<PnorRP>::instance().getSectionInfo(i_section,o_info);
 }
 
+/**
+ * @brief Returns whether a given section is available or not
+ */
+bool PNOR::isSectionAvailable(const PNOR::SectionId i_section)
+{
+    return Singleton<PnorRP>::instance().isSectionAvailable(i_section);
+}
+
 /**
  * @brief  Clear pnor section
  */
@@ -394,6 +402,23 @@ errlHndl_t PnorRP::getSideInfo( PNOR::SideId i_side,
     return l_err;
 }
 
+/**
+ *  @brief Returns whether a given section is available or not
+ */
+bool PnorRP::isSectionAvailable(const PNOR::SectionId i_section)
+{
+    bool available = false;
+    uint64_t rc = 0;
+    if(   (!didStartupFail(rc))
+       && (i_section < PNOR::NUM_SECTIONS)
+       && (!isInhibitedSection(i_section))
+       && (iv_TOC[i_section].size != 0))
+    {
+        available = true;
+    }
+    return available;
+}
+
 /**
  * @brief  Return the size and address of a given section of PNOR data
  */

diff --git a/src/usr/pnor/pnorrp.H b/src/usr/pnor/pnorrp.H
@@ -5,7 +5,7 @@
 /*                                                                        */
 /* OpenPOWER HostBoot Project                                             */
 /*                                                                        */
-/* Contributors Listed Below - COPYRIGHT 2011,2017                        */
+/* Contributors Listed Below - COPYRIGHT 2011,2018                        */
 /* [+] Google Inc.                                                        */
 /* [+] International Business Machines Corp.                              */
 /*                                                                        */
@@ -79,6 +79,25 @@ class PnorRP
     errlHndl_t getSectionInfo( PNOR::SectionId i_section,
                                PNOR::SectionInfo_t& o_info );
 
+#ifndef __HOSTBOOT_RUNTIME
+    /**
+     *  @brief Returns whether requested section is available or not
+     *
+     *  @par Detailed Description:
+     *      Returns whether requested section is available or not.  Resource
+     *      provider must be functional, section ID must be valid, section must
+     *      not be inhibited by secure boot, and section must exist in the PNOR
+     *      to be considered available.
+     *
+     *  @param[in] i_section PNOR section to check for availability
+     *
+     *  @return boolean Whether section is available or not
+     *  @retval true Section is available
+     *  @retval false Section is not available
+     */
+    bool isSectionAvailable(PNOR::SectionId i_section);
+#endif
+
     /**
      * @brief  Clears the specified PNOR section with all FF's (w/ good ECC)
      *