Add Encryption Enabled bit to NV_STATUS_FLAG
- 0x10: Contents are encrypted
Set when encryption is enabled
Clear when encryption is disabled
Attribute comments should match HDAT

Change-Id: I52805f6c8c3f303ce29cf8b8534304dfd0a09821
RTC:214625
Reviewed-on: http://rchgit01.rchland.ibm.com/gerrit1/82638
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Matt Derksen <mderkse1@us.ibm.com>
Reviewed-by: Roland Veloz <rveloz@us.ibm.com>
Reviewed-by: Daniel M Crowell <dcrowell@us.ibm.com>
cvswen authored and dcrowell77 committed Aug 27, 2019
1 parent 80f6d1d commit d8db346
Showing 3 changed files with 52 additions and 13 deletions.
4 changes: 4 additions & 0 deletions src/include/usr/isteps/nvdimm/nvdimm.H
@@ -252,6 +252,8 @@ bool nvDimmCheckHealthStatusOnSystem();
* NVDIMM_ENCRYPTION_ERROR - set encryption state
* Note: fatal error will stay with target preventing
* PROTECTED status until power is cycled again
* ENCRYPTION_ENABLED - contents of nvdimm are encrypted
* ENCRYPTION_DISABLED - contents of nvdimm are not encrypted
*/
enum nvdimm_protection_t
{
@@ -262,6 +264,8 @@ enum nvdimm_protection_t
NVDIMM_FATAL_HW_ERROR = 4,
NVDIMM_RISKY_HW_ERROR = 5,
NVDIMM_ENCRYPTION_ERROR = 6,
ENCRYPTION_ENABLED = 7,
ENCRYPTION_DISABLED = 8,
/* deprecated, still used by PRD */
UNPROTECTED_BECAUSE_ERROR = 4,
};
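Review bot: The two new enumerators in `nvdimm_protection_t`, `ENCRYPTION_ENABLED = 7` and `ENCRYPTION_DISABLED = 8`, drop the `NVDIMM_` prefix that the neighbouring entries (`NVDIMM_FATAL_HW_ERROR`, `NVDIMM_ENCRYPTION_ERROR`) carry. They live in an unscoped enum in a shared header, and nvdimm.C already has a similarly named `ENCRYPTION_STATUS_ENABLED` constant, so the notification state is easy to confuse with the device status value. I would spell them `NVDIMM_ENCRYPTION_ENABLED = 7,` and `NVDIMM_ENCRYPTION_DISABLED = 8,`. The doc comment could also say that these two values only update the encryption bit of the NV status flag and leave the armed/protected state untouched, which is what the switch in nvdimm.C does; the earlier enum entries are outside the hunk.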
42 changes: 38 additions & 4 deletions src/usr/isteps/nvdimm/nvdimm.C
@@ -120,9 +120,10 @@ static constexpr uint8_t ENCRYPTION_STATUS_ENABLED = 0x1F;
static constexpr uint8_t NV_STATUS_OR_MASK = 0xFB;
static constexpr uint8_t NV_STATUS_AND_MASK = 0x04;
static constexpr uint8_t NV_STATUS_UNPROTECTED_SET = 0x01;
static constexpr uint8_t NV_STATUS_UNPROTECTED_CLEAR = 0xFE;
static constexpr uint8_t NV_STATUS_POSSIBLY_UNPROTECTED_SET = 0x40;
static constexpr uint8_t NV_STATUS_POSSIBLY_UNPROTECTED_CLEAR = 0xBF;
static constexpr uint8_t NV_STATUS_UNPROTECTED_CLR = 0xFE;
static constexpr uint8_t NV_STATUS_ENCRYPTION_SET = 0x10;
static constexpr uint8_t NV_STATUS_ENCRYPTION_CLR = 0xEF;
static constexpr uint8_t NV_STATUS_POSSIBLY_UNPROTECTED_SET = 0x40;

// NVDIMM key consts
static constexpr size_t NUM_KEYS_IN_ATTR = 3;
@@ -3122,6 +3123,13 @@ bool nvdimm_encrypt_enable(TargetHandleList &i_nvdimmList)
else
{
TRACFCOMP(g_trac_nvdimm, "nvdimm_encrypt_enable() nvdimm[%X] encryption is enabled 0x%.02x",get_huid(l_nvdimm),l_encStatus.whole);

l_err = notifyNvdimmProtectionChange(l_nvdimm,
ENCRYPTION_ENABLED);
if (l_err)
{
errlCommit(l_err, NVDIMM_COMP_ID);
}
}
}
}while(0);
@@ -3329,6 +3337,13 @@ bool nvdimm_crypto_erase(TargetHandleList &i_nvdimmList)
else
{
TRACFCOMP(g_trac_nvdimm,"nvdimm_crypto_erase() nvdimm[%X] erase complete 0x%.02x",get_huid(l_nvdimm),l_encStatus.whole);

l_err = notifyNvdimmProtectionChange(l_nvdimm,
ENCRYPTION_DISABLED);
if (l_err)
{
errlCommit(l_err, NVDIMM_COMP_ID);
}
}
}
}while(0);
@@ -3403,6 +3418,8 @@ errlHndl_t notifyNvdimmProtectionChange(Target* i_target,

// If we change the armed state, need to tell FSP
bool l_armed_change = false;
bool l_set_encryption = false;
bool l_clr_encryption = false;

switch (i_state)
{
@@ -3429,6 +3446,11 @@ errlHndl_t notifyNvdimmProtectionChange(Target* i_target,
case NVDIMM_ENCRYPTION_ERROR:
l_armed_state.encryption_error_detected = 1;
break;
case ENCRYPTION_ENABLED:
l_set_encryption = true;
break;
case ENCRYPTION_DISABLED:
l_clr_encryption = true;
}

// Set the attribute and send it to the FSP if needed
@@ -3447,7 +3469,7 @@ errlHndl_t notifyNvdimmProtectionChange(Target* i_target,
l_armed_state.occ_active &&
!l_armed_state.fatal_error_detected)
{
l_nv_status &= NV_STATUS_UNPROTECTED_CLEAR;
l_nv_status &= NV_STATUS_UNPROTECTED_CLR;
}

// Set bit 0 if unprotected nv state
@@ -3456,6 +3478,18 @@ errlHndl_t notifyNvdimmProtectionChange(Target* i_target,
l_nv_status |= NV_STATUS_UNPROTECTED_SET;
}

// Set bit 4 if encryption enabled
if (l_set_encryption)
{
l_nv_status |= NV_STATUS_ENCRYPTION_SET;
}

// Clear bit 4 if encryption disabled
if (l_clr_encryption)
{
l_nv_status &= NV_STATUS_ENCRYPTION_CLR;
}

// Set bit 6 if risky error
if (l_armed_state.risky_error_detected)
{
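Review bot: Bit 4 of the NV status flag (`NV_STATUS_ENCRYPTION_SET`, documented as "Contents are encrypted") is only written from the two success branches shown in `nvdimm_encrypt_enable()` and `nvdimm_crypto_erase()`, so on every other path visible here it keeps whatever value it had before. If OPAL/PHYP rely on this flag to decide whether the contents are encrypted, it would be safer to derive the bit from the encryption status read back from the device (the `l_encStatus` already in hand at both call sites) than from the caller's intent, or at least to clear it in the failure branches, which lie outside these hunks. When `notifyNvdimmProtectionChange()` itself returns an error, the error is committed and execution continues, so the reported bit can lag the device; a comment such as `// NV status flag may be stale if this notify fails` at both call sites would make that explicit. Separately, the new `case ENCRYPTION_DISABLED:` in the switch has no `break;`; it is the last label, so nothing falls through today, but adding `break;` keeps it consistent with the cases above and safe if another case is appended.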
19 changes: 10 additions & 9 deletions src/usr/targeting/common/xmltohb/attribute_types.xml
@@ -5359,15 +5359,16 @@
NVDIMM status flag. This is used to record the status and
later report to OPAL/PHYP. Possible values:

0x01 - SCM device unable to persist memory contents
0x02 - SCM device failed to persist memory contents
0x04 - SCM device contents are persisted from previous IPL
0x08 - SCM device contents are not persisted from previous IPL
0x10 - SCM device memory life remaining is critically low
0x20 - SCM device will be garded off next IPL due to failure
0x40 - SCM contents cannot persist due to current platform health status
0x80 - SCM device unable to persist memory contents, certain conditions
NOTE: set for virtual SCM devices, does not persist across reboot
0x01: Unable to preserve future contents
0x02: Failed to preserve contents
0x04: Contents preserved
0x08: Contents not preserved
0x10: Contents are encrypted
0x20: Reserved
0x40: Error detected, but save/restore might work
0x80: Reserved
0xFF: Memory is invalid
NOTE: set for virtual SCM devices, does not persist across reboot
</description>
<simpleType>
<uint8_t>
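Review bot: The line `NOTE: set for virtual SCM devices, does not persist across reboot` appears to have qualified the old 0x80 entry; in the new text it trails `0xFF: Memory is invalid` and no longer says which value it refers to. With 0x80 now listed as Reserved, either drop the note or attach it to the value it still applies to. It would also help to state that 0xFF is a whole-byte sentinel rather than a combination of the bits above (0x20 and 0x80 are Reserved), and that 0x10, previously described as a critically-low life-remaining indicator, now means the contents are encrypted, so a consumer written against the old description does not misread it. The rest of the attribute definition is outside the hunk.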
