From e1678bffbd5cba43911f7e6f670ac3c3bb68af39 Mon Sep 17 00:00:00 2001 From: Jaymes Wilks Date: Fri, 25 Aug 2017 14:18:38 -0500 Subject: [PATCH] Replace HB_SECURITY_MODE attribute with SECUREBOOT API equivalent The HB_SECURITY_MODE attribute will now be a variable managed by secureboot. The FAPI attribue SECURITY_MODE that maps to the HB version will now call to that variable in the SECUREBOOT API. Change-Id: I7e42c3f2e355feeb0d49aa6a998960bc5409bfa2 RTC:178643 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/45167 Reviewed-by: Michael Baiocchi Reviewed-by: Nicholas E. Bofferding Tested-by: Jenkins Server Tested-by: FSP CI Jenkins Tested-by: Jenkins OP Build CI Tested-by: Jenkins OP HW Reviewed-by: Daniel M. Crowell --- src/include/usr/fapi2/attribute_service.H | 31 +++++++++++++++++++ src/include/usr/secureboot/service.H | 19 ++++++++++++ src/usr/fapi2/attribute_service.C | 25 +++++++++++++++ src/usr/pnor/spnorrp.C | 9 ++---- src/usr/secureboot/base/service.C | 23 ++++++++++++++ .../common/xmltohb/attribute_types_hb.xml | 26 ---------------- .../common/xmltohb/target_types_hb.xml | 1 - 7 files changed, 101 insertions(+), 33 deletions(-) diff --git a/src/include/usr/fapi2/attribute_service.H b/src/include/usr/fapi2/attribute_service.H index a6e793914b7..f2102061046 100644 --- a/src/include/usr/fapi2/attribute_service.H +++ b/src/include/usr/fapi2/attribute_service.H 
@@ -276,6 +276,25 @@ ReturnCode fapiAttrGetBadDqBitmap( const Target& i_fapiTarget, ReturnCode fapiAttrSetBadDqBitmap( const Target& i_fapiTarget, ATTR_BAD_DQ_BITMAP_Type (&i_data) ); +/// @brief This function is called by the FAPI_ATTR_GET macro when getting +/// the SECURITY_MODE attribute. It should not be called directly. +/// +/// @param[out] o_securityMode Provides the attribute contents to the caller +/// @return ReturnCode Always FAPI2_RC_SUCCESS, this cannot fail. +/// If a toplevel target cannot be found then +/// an assert triggers in the platform call +/// +ReturnCode platGetSecurityMode(uint8_t & o_securityMode); + +/// @brief This function is called by the FAPI_ATTR_SET macro when setting +/// the SECURITY_MODE attribute. It should not be called directly. There are no +/// parameters. This is intentional as setting this attribute is not supported +/// from FAPI or FAPI runtime code. A FAPI INFO trace will be printed explaining +/// this. +/// +/// @return ReturnCode Always FAPI2_RC_SUCCESS, this cannot fail. +ReturnCode platSetSecurityMode(); + // ----------------------------------------------------------------------------- // End TODO: End to be supported functions // ----------------------------------------------------------------------------- 
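Review bot: The `@return` comment on `platGetSecurityMode` says an assert triggers when a toplevel target cannot be found, but the function takes no target and its definition in attribute_service.C reads `SECUREBOOT::getSbeSecurityMode()` directly, so that sentence is stale. What a caller does need to know is the runtime build path, which stores 0xFF and still returns success. Suggest replacing the last two lines of that comment with `/// Under __HOSTBOOT_RUNTIME the secureboot value is not available and o_securityMode is set to 0xFF, outside the valid 0/1 range.` so the sentinel is part of the documented contract rather than something found only in the .C file.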
@@ -381,4 +400,16 @@ fapiToTargeting::ID, sizeof(VAL), &(VAL)) ? fapi2::ReturnCode() : \ fapi2::platAttrSvc::fapiAttrSetBadDqBitmap(TARGET, VAL) +//------------------------------------------------------------------------------ +// MACRO to route ATTR_SECURITY_MODE access to the correct HB function +//------------------------------------------------------------------------------ +#define ATTR_SECURITY_MODE_GETMACRO(ID, TARGET, VAL) \ + AttrOverrideSync::getAttrOverrideFunc(ID, TARGET, &VAL)\ + ? fapi2::ReturnCode() : \ + fapi2::platAttrSvc::platGetSecurityMode(VAL) +#define ATTR_SECURITY_MODE_SETMACRO(ID, TARGET, VAL) \ + AttrOverrideSync::getAttrOverrideFunc(ID, TARGET, &VAL)\ + ? fapi2::ReturnCode() : \ + fapi2::platAttrSvc::platSetSecurityMode() + #endif // ATTRIBUTESERVICE_H_ diff --git a/src/include/usr/secureboot/service.H b/src/include/usr/secureboot/service.H index 0258b570602..4c4d43d3c75 100644 --- a/src/include/usr/secureboot/service.H +++ b/src/include/usr/secureboot/service.H @@ -305,6 +305,25 @@ namespace SECUREBOOT /* Definition in securerommgr.H */ bool secureRomValidPolicy(); + /* + * @brief Gets the current SBE security mode value from the secureboot + * subsystem + * + * @return uint8_t returns 0 if SBE should check for security disable + * requests, 1 if not + */ + uint8_t getSbeSecurityMode(); + + /* + * @brief Sets the current SBE security mode value in the secureboot + * subsystem + * + * @param[in] uint8_t The value to set the security mode to. Will accept a + * a value of 0 if SBE should check for security disable + * requests and 1 if not. All other values are not + * allowed and will be rejected via an assert. + */ + void setSbeSecurityMode(uint8_t i_sbeSecurityMode); } diff --git a/src/usr/fapi2/attribute_service.C b/src/usr/fapi2/attribute_service.C index 58d5e4b1e93..fea495705a5 100644 --- a/src/usr/fapi2/attribute_service.C +++ b/src/usr/fapi2/attribute_service.C 
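Review bot: `ATTR_SECURITY_MODE_GETMACRO` consults `AttrOverrideSync::getAttrOverrideFunc` before it falls through to `platGetSecurityMode`, so an attribute override replaces the value that `processLabOverride` stored, and any value the override carries bypasses the 0/1 check that `setSbeSecurityMode` applies. If `getAttrOverrideFunc` does not itself gate on `SECUREBOOT::allowAttrOverrides()` (declared in the service.C context later in this patch) this weakens the value that is customized into the SBE image; I cannot tell from the hunk, so either confirm the gating or state it in the macro comment, e.g. `// Overrides are honored only when SECUREBOOT::allowAttrOverrides() permits them (checked in getAttrOverrideFunc)`. The `SETMACRO` also treats a matching override as a successful set, which is consistent with the bad-DQ-bitmap macro above but is worth a one-line comment since the platform set is otherwise a documented no-op.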
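Review bot: The `@param[in]` tag on `setSbeSecurityMode` names the type instead of the parameter, so Doxygen will not bind it to `i_sbeSecurityMode`; change it to `@param[in] i_sbeSecurityMode The value to set the security mode to.` Both new comment blocks also open with `/*` rather than `/**`, so the `@brief`/`@return`/`@param` tags are only picked up if the project configures Doxygen to parse plain comments, which I cannot tell from here. The getter's `@return` could additionally say that it returns the value last stored by `setSbeSecurityMode`, with 0 as the initial value per the definition in base/service.C.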
@@ -62,6 +62,8 @@ #include #include <../memory/lib/shared/mss_const.H> +#include + //****************************************************************************** // Implementation //****************************************************************************** @@ -1281,6 +1283,29 @@ ReturnCode fapiAttrSetBadDqBitmap( return l_rc; } +//****************************************************************************** +// fapi::platAttrSvc::platGetSecurityMode function +//****************************************************************************** +ReturnCode platGetSecurityMode(uint8_t & o_securityMode) +{ + #ifndef __HOSTBOOT_RUNTIME + o_securityMode = SECUREBOOT::getSbeSecurityMode(); + #else + o_securityMode = 0xFF; + FAPI_INF("Get SECURITY_MODE not supported from hostboot runtime"); + #endif + return fapi2::ReturnCode(); +} + +//****************************************************************************** +// fapi::platAttrSvc::platSetSecurityMode function +//****************************************************************************** +ReturnCode platSetSecurityMode() +{ + FAPI_INF("Set SECURITY_MODE ignored when called from FAPI code"); + return fapi2::ReturnCode(); +} + } // End platAttrSvc namespace } // End fapi2 namespace diff --git a/src/usr/pnor/spnorrp.C b/src/usr/pnor/spnorrp.C index 0b298afeb12..c4fae6937ab 100644 --- a/src/usr/pnor/spnorrp.C +++ b/src/usr/pnor/spnorrp.C 
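Review bot: In `platGetSecurityMode` the `__HOSTBOOT_RUNTIME` branch writes 0xFF into `o_securityMode` and then returns a success `ReturnCode`, so a runtime caller receives a value outside the 0/1 domain that `setSbeSecurityMode` enforces with no error signal other than an INFO trace. If the intent is that runtime code must never act on this value, the branch should say so above the assignment, e.g. `// Runtime has no secureboot copy of this setting; 0xFF is a deliberate out-of-range sentinel so it cannot be mistaken for a real mode`, and the header declaration should carry the same statement; if runtime callers do customize SBE images, returning a non-success ReturnCode would be the safer contract. `platSetSecurityMode` is fine as a documented no-op, though its FAPI_INF message could name the API (`SECUREBOOT::setSbeSecurityMode`) that does own the value.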
@@ -803,14 +803,11 @@ errlHndl_t PNOR::unloadSecureSection(const SectionId i_section) void SPnorRP::processLabOverride( const sb_flags_t& i_flags) const { - TARGETING::Target* pSys = nullptr; - TARGETING::targetService().getTopLevelTarget(pSys); - assert(pSys != nullptr,"System target was nullptr."); - // ATTR_HB_SECURITY_MODE attribute values are inverted with respect to the + // Secure boot sbe security mode values are inverted with respect to the // lab override flag for the same logical meaning - TARGETING::ATTR_HB_SECURITY_MODE_type securityMode = + uint8_t securityMode = !(i_flags.hw_lab_override); - pSys->setAttr(securityMode); + SECUREBOOT::setSbeSecurityMode(securityMode); TRACFCOMP(g_trac_pnor,INFO_MRK "Set lab security override policy to %s.", securityMode ? "*NO* override" : "override if requested"); } diff --git a/src/usr/secureboot/base/service.C b/src/usr/secureboot/base/service.C index 98a750c989c..d0e3b8f8981 100644 --- a/src/usr/secureboot/base/service.C +++ b/src/usr/secureboot/base/service.C @@ -74,6 +74,17 @@ struct SecureRegisterValues uint64_t data; }; +/* + * HB specific secureboot setting which is aliased to the FAPI attribute + * ATTR_SECURITY_MODE and customized into the SBE image. If 0b0, SBE + * will disable proc security (via SAB bit) if mailbox scratch register 3 + * bit 6 is set. Otherwise, if 0b1, SBE will not override proc security. + * TODO RTC 170650: When SBE image is signed in all environments, set + * default to 0b1 and rely on SBE signing header to configure the final + * value. + */ +uint8_t g_sbeSecurityMode = 0; + /** * @brief Retrieve values of Security Registers of the processors in the system * 
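Review bot: `g_sbeSecurityMode` is defined at namespace scope without `static` or an anonymous namespace, so it has external linkage and the validated `setSbeSecurityMode` in the next hunk is not the only possible write path to a value that is customized into the SBE image and decides whether SBE honors a security-disable request. Keeping the only writer behind the 0/1 check is a one-word change: `static uint8_t g_sbeSecurityMode = 0;` (or place it in an anonymous namespace). The comment above it would also benefit from naming the writer and reader, e.g. `// Written by SPnorRP::processLabOverride via setSbeSecurityMode(); read through getSbeSecurityMode()`; whether the 0 default is observable before processLabOverride runs depends on boot ordering not visible in this patch.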
@@ -600,4 +611,16 @@ bool allowAttrOverrides() }; #endif +uint8_t getSbeSecurityMode() +{ + return g_sbeSecurityMode; +} + +void setSbeSecurityMode(uint8_t i_sbeSecurityMode) +{ + assert(i_sbeSecurityMode == 0 || i_sbeSecurityMode == 1, + "SBE Security Mode can only be set to 0 or 1"); + g_sbeSecurityMode = i_sbeSecurityMode; +} + } //namespace SECUREBOOT diff --git a/src/usr/targeting/common/xmltohb/attribute_types_hb.xml b/src/usr/targeting/common/xmltohb/attribute_types_hb.xml index 5d63a077a55..e660dcf77e1 100755 --- a/src/usr/targeting/common/xmltohb/attribute_types_hb.xml +++ b/src/usr/targeting/common/xmltohb/attribute_types_hb.xml @@ -1017,32 +1017,6 @@ - - HB_SECURITY_MODE - - HB specific attribute which is aliased to the FAPI attribute - ATTR_SECURITY_MODE and customized into the SBE image. If 0b0, SBE - will disable proc security (via SAB bit) if mailbox scratch register 3 - bit 6 is set. Otherwise, if 0b1, SBE will not override proc security. - TODO RTC 170650: When SBE image is signed in all environments, set - default to 0b1 and rely on SBE signing header to configure the final - value, This may require hbOnly support for volatile attributes. - - - - 0x00 - - - volatile-zeroed - - - - ATTR_SECURITY_MODE - DIRECT - - - - ALLOW_ATTR_OVERRIDES_IN_SECURE_MODE diff --git a/src/usr/targeting/common/xmltohb/target_types_hb.xml b/src/usr/targeting/common/xmltohb/target_types_hb.xml index a5fd2bd69ba..3c60a832c2e 100644 --- a/src/usr/targeting/common/xmltohb/target_types_hb.xml +++ b/src/usr/targeting/common/xmltohb/target_types_hb.xml @@ -45,7 +45,6 @@ DRTM_PAYLOAD_ADDR_MB_HB FORCE_PRE_PAYLOAD_DRTM HB_RSV_MEM_NEXT_SECTION - HB_SECURITY_MODE ALLOW_ATTR_OVERRIDES_IN_SECURE_MODE HIDDEN_ERRLOGS_ENABLE