Replace HB_SECURITY_MODE attribute with SECUREBOOT API equivalent

The HB_SECURITY_MODE attribute will now be a variable managed by secureboot. The FAPI attribue SECURITY_MODE that maps to the HB version will now call to that variable in the SECUREBOOT API. Change-Id: I7e42c3f2e355feeb0d49aa6a998960bc5409bfa2 RTC:178643 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/45167 Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
open-power · Aug 31, 2017 · e1678bf · e1678bf
1 parent 45d359f
commit e1678bf
Show file tree

Hide file tree

Showing 7 changed files with 101 additions and 33 deletions.
diff --git a/src/include/usr/fapi2/attribute_service.H b/src/include/usr/fapi2/attribute_service.H
@@ -276,6 +276,25 @@ ReturnCode fapiAttrGetBadDqBitmap( const Target<TARGET_TYPE_ALL>& i_fapiTarget,
 ReturnCode fapiAttrSetBadDqBitmap( const Target<TARGET_TYPE_ALL>& i_fapiTarget,
                                    ATTR_BAD_DQ_BITMAP_Type (&i_data) );
 
+/// @brief This function is called by the FAPI_ATTR_GET macro when getting
+/// the SECURITY_MODE attribute. It should not be called directly.
+///
+/// @param[out] o_securityMode   Provides the attribute contents to the caller
+/// @return ReturnCode           Always FAPI2_RC_SUCCESS, this cannot fail.
+///                              If a toplevel target cannot be found then
+///                              an assert triggers in the platform call
+///
+ReturnCode platGetSecurityMode(uint8_t & o_securityMode);
+
+/// @brief This function is called by the FAPI_ATTR_SET macro when setting
+/// the SECURITY_MODE attribute. It should not be called directly. There are no
+/// parameters. This is intentional as setting this attribute is not supported
+/// from FAPI or FAPI runtime code. A FAPI INFO trace will be printed explaining
+/// this.
+///
+/// @return ReturnCode           Always FAPI2_RC_SUCCESS, this cannot fail.
+ReturnCode platSetSecurityMode();
+
 // -----------------------------------------------------------------------------
 // End TODO: End to be supported functions
 // -----------------------------------------------------------------------------
@@ -381,4 +400,16 @@ fapiToTargeting::ID, sizeof(VAL), &(VAL))
     ? fapi2::ReturnCode() : \
     fapi2::platAttrSvc::fapiAttrSetBadDqBitmap(TARGET, VAL)
 
+//------------------------------------------------------------------------------
+// MACRO to route ATTR_SECURITY_MODE access to the correct HB function
+//------------------------------------------------------------------------------
+#define ATTR_SECURITY_MODE_GETMACRO(ID, TARGET, VAL) \
+    AttrOverrideSync::getAttrOverrideFunc(ID, TARGET, &VAL)\
+    ? fapi2::ReturnCode() : \
+    fapi2::platAttrSvc::platGetSecurityMode(VAL)
+#define ATTR_SECURITY_MODE_SETMACRO(ID, TARGET, VAL) \
+    AttrOverrideSync::getAttrOverrideFunc(ID, TARGET, &VAL)\
+    ? fapi2::ReturnCode() : \
+    fapi2::platAttrSvc::platSetSecurityMode()
+
 #endif // ATTRIBUTESERVICE_H_
diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H
@@ -305,6 +305,25 @@ namespace SECUREBOOT
     /* Definition in securerommgr.H */
     bool secureRomValidPolicy();
 
+    /*
+     *  @brief Gets the current SBE security mode value from the secureboot
+     *         subsystem
+     *
+     *  @return uint8_t returns 0 if SBE should check for security disable
+     *                  requests, 1 if not
+     */
+    uint8_t getSbeSecurityMode();
+
+    /*
+     *  @brief Sets the current SBE security mode value in the secureboot
+     *         subsystem
+     *
+     *  @param[in] uint8_t The value to set the security mode to. Will accept a
+     *                     a value of 0 if SBE should check for security disable
+     *                     requests and 1 if not. All other values are not
+     *                     allowed and will be rejected via an assert.
+     */
+    void setSbeSecurityMode(uint8_t i_sbeSecurityMode);
 
 }
 

diff --git a/src/usr/fapi2/attribute_service.C b/src/usr/fapi2/attribute_service.C
@@ -62,6 +62,8 @@
 #include <targeting/common/util.H>
 #include <../memory/lib/shared/mss_const.H>
 
+#include <secureboot/service.H>
+
 //******************************************************************************
 // Implementation
 //******************************************************************************
@@ -1281,6 +1283,29 @@ ReturnCode fapiAttrSetBadDqBitmap(
     return l_rc;
 }
 
+//******************************************************************************
+// fapi::platAttrSvc::platGetSecurityMode function
+//******************************************************************************
+ReturnCode platGetSecurityMode(uint8_t & o_securityMode)
+{
+    #ifndef __HOSTBOOT_RUNTIME
+    o_securityMode = SECUREBOOT::getSbeSecurityMode();
+    #else
+    o_securityMode = 0xFF;
+    FAPI_INF("Get SECURITY_MODE not supported from hostboot runtime");
+    #endif
+    return fapi2::ReturnCode();
+}
+
+//******************************************************************************
+// fapi::platAttrSvc::platSetSecurityMode function
+//******************************************************************************
+ReturnCode platSetSecurityMode()
+{
+    FAPI_INF("Set SECURITY_MODE ignored when called from FAPI code");
+    return fapi2::ReturnCode();
+}
+
 } // End platAttrSvc namespace
 
 } // End fapi2 namespace
diff --git a/src/usr/pnor/spnorrp.C b/src/usr/pnor/spnorrp.C
@@ -803,14 +803,11 @@ errlHndl_t PNOR::unloadSecureSection(const SectionId i_section)
 void SPnorRP::processLabOverride(
     const sb_flags_t& i_flags) const
 {
-    TARGETING::Target* pSys = nullptr;
-    TARGETING::targetService().getTopLevelTarget(pSys);
-    assert(pSys != nullptr,"System target was nullptr.");
-    // ATTR_HB_SECURITY_MODE attribute values are inverted with respect to the
+    // Secure boot sbe security mode values are inverted with respect to the
     // lab override flag for the same logical meaning
-    TARGETING::ATTR_HB_SECURITY_MODE_type securityMode =
+    uint8_t securityMode =
         !(i_flags.hw_lab_override);
-    pSys->setAttr<TARGETING::ATTR_HB_SECURITY_MODE>(securityMode);
+    SECUREBOOT::setSbeSecurityMode(securityMode);
     TRACFCOMP(g_trac_pnor,INFO_MRK "Set lab security override policy to %s.",
         securityMode ? "*NO* override" : "override if requested");
 }

diff --git a/src/usr/secureboot/base/service.C b/src/usr/secureboot/base/service.C
@@ -74,6 +74,17 @@ struct SecureRegisterValues
     uint64_t data;
 };
 
+/*
+ * HB specific secureboot setting which is aliased to the FAPI attribute
+ * ATTR_SECURITY_MODE and customized into the SBE image.  If 0b0, SBE
+ * will disable proc security (via SAB bit) if mailbox scratch register 3
+ * bit 6 is set.  Otherwise, if 0b1, SBE will not override proc security.
+ * TODO RTC 170650: When SBE image is signed in all environments, set
+ *     default to 0b1 and rely on SBE signing header to configure the final
+ *     value.
+ */
+uint8_t g_sbeSecurityMode = 0;
+
 /**
  *  @brief Retrieve values of Security Registers of the processors in the system
  *
@@ -600,4 +611,16 @@ bool allowAttrOverrides()
 };
 #endif
 
+uint8_t getSbeSecurityMode()
+{
+    return g_sbeSecurityMode;
+}
+
+void setSbeSecurityMode(uint8_t i_sbeSecurityMode)
+{
+    assert(i_sbeSecurityMode == 0 || i_sbeSecurityMode == 1,
+        "SBE Security Mode can only be set to 0 or 1");
+    g_sbeSecurityMode = i_sbeSecurityMode;
+}
+
 } //namespace SECUREBOOT
diff --git a/src/usr/targeting/common/xmltohb/attribute_types_hb.xml b/src/usr/targeting/common/xmltohb/attribute_types_hb.xml
@@ -1017,32 +1017,6 @@
     <hbOnly/>
 </attribute>
 
-<attribute>
-    <id>HB_SECURITY_MODE</id>
-    <description>
-        HB specific attribute which is aliased to the FAPI attribute
-        ATTR_SECURITY_MODE and customized into the SBE image.  If 0b0, SBE
-        will disable proc security (via SAB bit) if mailbox scratch register 3
-        bit 6 is set.  Otherwise, if 0b1, SBE will not override proc security.
-        TODO RTC 170650: When SBE image is signed in all environments, set
-            default to 0b1 and rely on SBE signing header to configure the final
-            value,  This may require hbOnly support for volatile attributes.
-    </description>
-    <simpleType>
-        <uint8_t>
-            <default>0x00</default>
-        </uint8_t>
-    </simpleType>
-    <persistency>volatile-zeroed</persistency>
-    <writeable/>
-    <readable/>
-   <hwpfToHbAttrMap>
-        <id>ATTR_SECURITY_MODE</id>
-        <macro>DIRECT</macro>
-    </hwpfToHbAttrMap>
-    <hbOnly/>
-</attribute>
-
 <attribute>
     <id>ALLOW_ATTR_OVERRIDES_IN_SECURE_MODE</id>
     <description>

diff --git a/src/usr/targeting/common/xmltohb/target_types_hb.xml b/src/usr/targeting/common/xmltohb/target_types_hb.xml
@@ -45,7 +45,6 @@
     <attribute><id>DRTM_PAYLOAD_ADDR_MB_HB</id></attribute>
     <attribute><id>FORCE_PRE_PAYLOAD_DRTM</id></attribute>
     <attribute><id>HB_RSV_MEM_NEXT_SECTION</id></attribute>
-    <attribute><id>HB_SECURITY_MODE</id></attribute>
     <attribute><id>ALLOW_ATTR_OVERRIDES_IN_SECURE_MODE</id></attribute>
     <attribute><id>HIDDEN_ERRLOGS_ENABLE</id></attribute>
 </targetTypeExtension>