From patchwork Thu Aug 31 07:42:50 2017
X-Patchwork-Submitter: Claudio Carvalho
X-Patchwork-Id: 808108
From: Claudio Carvalho
To: skiboot@lists.ozlabs.org
Date: Thu, 31 Aug 2017 04:42:50 -0300
Subject: [Skiboot] [PATCH 3/5] hdata/spira: add ibm,secureboot node
Message-Id: <1504165372-15971-4-git-send-email-cclaudio@linux.vnet.ibm.com>
In-Reply-To: <1504165372-15971-1-git-send-email-cclaudio@linux.vnet.ibm.com>

This adds the ibm,secureboot node in P9 systems.

The information provided by the ibm,secureboot node is stored in the
iplparams_sysparams structure, however it is populated only when
hdif->version >= 0x60.

Signed-off-by: Claudio Carvalho
---
 hdata/spira.c | 32 ++++++++++++++++++++++++++++++++
 hdata/spira.h | 15 +++++++++------
 2 files changed, 41 insertions(+), 6 deletions(-)
diff --git a/hdata/spira.c b/hdata/spira.c index 220ae9e..92da94b 100644 --- a/hdata/spira.c +++ b/hdata/spira.c @@ -24,6 +24,7 @@ #include #include #include +#include #include "hdata.h" #include "hostservices.h" @@ -849,6 +850,34 @@ static void add_nmmu(void) } } +static void dt_init_secureboot_node(const struct iplparams_sysparams *sysparams) +{ + struct dt_node *node; + u16 sys_sec_setting; + u16 hw_key_hash_size; + + node = dt_new(dt_root, "ibm,secureboot"); + assert(node); + + dt_add_property_string(node, "compatible", "ibm,secureboot-v2"); + + sys_sec_setting = be16_to_cpu(sysparams->sys_sec_setting); + if (sys_sec_setting & SEC_CONTAINER_SIG_CHECKING) + dt_add_property(node, "secure-enabled", NULL, 0); + if (sys_sec_setting & SEC_HASHES_EXTENDED_TO_TPM) + dt_add_property(node, "trusted-enabled", NULL, 0); + + hw_key_hash_size = be16_to_cpu(sysparams->hw_key_hash_size); + dt_add_property_cells(node, "hw-key-hash-size", hw_key_hash_size); + if (hw_key_hash_size) + dt_add_property(node, "hw-key-hash", sysparams->hw_key_hash, + hw_key_hash_size); + + if (be16_to_cpu(sysparams->sys_attributes) & SYS_ATTR_MULTIPLE_TPM) + prlog(PR_WARNING, "Multiple TPM set, but not supported\n"); +} + + static void add_iplparams_sys_params(const void *iplp, struct dt_node *node) { const struct iplparams_sysparams *p; @@ -935,6 +964,9 @@ static void add_iplparams_sys_params(const void *iplp, struct dt_node *node) sys_attributes = be32_to_cpu(p->sys_attributes); if (sys_attributes & SYS_ATTR_RISK_LEVEL) dt_add_property(node, "elevated-risk-level", NULL, 0); + + if (version >= 0x60) + dt_init_secureboot_node(p); } static void add_iplparams_ipl_params(const void *iplp, struct dt_node *node) diff --git a/hdata/spira.h b/hdata/spira.h index 78ff33d..0056887 100644 --- a/hdata/spira.h +++ b/hdata/spira.h 
@@ -355,6 +355,7 @@ struct iplparams_sysparams { __be32 abc_bus_speed; __be32 wxyz_bus_speed; __be32 sys_eco_mode; +#define SYS_ATTR_MULTIPLE_TPM PPC_BIT32(0) #define SYS_ATTR_RISK_LEVEL PPC_BIT32(3) __be32 sys_attributes; __be32 mem_scrubbing; @@ -369,12 +370,14 @@ struct iplparams_sysparams { uint8_t split_core_mode; /* >= 0x5c */ uint8_t reserved[3]; uint8_t sys_vendor[64]; /* >= 0x5f */ - /* >= 0x60 */ - __be16 sys_sec_setting; - __be16 tpm_config_bit; - __be16 tpm_drawer; - __be16 reserved2; - uint8_t hw_key_hash[64]; +#define SEC_CONTAINER_SIG_CHECKING PPC_BIT16(0) +#define SEC_HASHES_EXTENDED_TO_TPM PPC_BIT16(1) + __be16 sys_sec_setting; /* >= 0x60 */ +#define TPM_CONFIG_TPM_REQUIRED PPC_BIT16(0) + __be16 tpm_config_bit; /* >= 0x60 */ + __be16 tpm_drawer; /* >= 0x60 */ + __be16 hw_key_hash_size; /* >= 0x60 */ + uint8_t hw_key_hash[64]; /* >= 0x60 */ uint8_t sys_family_str[64]; /* vendor,name */ uint8_t sys_type_str[64]; /* vendor,type */ } __packed;
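Review bot: in dt_init_secureboot_node() (hdata/spira.c, hunk @@ -849,6 +850,34 @@), hw_key_hash_size is read from the HDAT and passed straight to dt_add_property() as the length of sysparams->hw_key_hash, which spira.h declares as uint8_t hw_key_hash[64]. A value above 64 would copy the bytes that follow the array (sys_family_str, sys_type_str and whatever comes after the structure) into the "hw-key-hash" property, so the size should be checked against sizeof(sysparams->hw_key_hash) before the property is added, with a log message and no hash property when it is out of range. In the same function the multiple-TPM test uses be16_to_cpu(sysparams->sys_attributes), but sys_attributes is __be32 and SYS_ATTR_MULTIPLE_TPM is PPC_BIT32(0); a 16-bit conversion will not see that bit, and the caller already uses be32_to_cpu() on the same field. The second blank line after the closing brace can also go.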
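Review bot: the new call at the end of add_iplparams_sys_params() (hdata/spira.c, hunk @@ -935,6 +964,9 @@) is gated on version >= 0x60 alone, while dt_init_secureboot_node() goes on to read sys_sec_setting, hw_key_hash_size and hw_key_hash from the tail of the structure. If the size of the sysparams entry is available at this point, check that it covers those fields as well, so that an entry reporting 0x60 but shorter than expected is not read past its end. A one-line comment that the node is created under dt_root rather than under the node argument would also help the reader.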
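Review bot: in struct iplparams_sysparams (hdata/spira.h, hunk @@ -369,12 +370,14 @@) the former reserved2 field is now read as hw_key_hash_size, and neither the commit message nor a comment says so. Firmware that leaves that field zero ends up with hw-key-hash-size = 0 and no hw-key-hash property even when secure-enabled is set; please state whether that combination is expected and how consumers of the node should treat it. TPM_CONFIG_TPM_REQUIRED is defined here but nothing in this patch reads tpm_config_bit, so either use it or note that a later patch in the series does.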