Adding KCS-SMM channel restriction
Added support to filter the SMM commands as per the updated whitelist
conf.
Tested:
When RestrictionMode is Provisioning
Executed a blocked command on SMM and SystemInterface(Success).
When RestrictionMode is ProvisionedHostWhitelist
Verified following condition over SMM channel
1) Executed a command whitelisted on SMM channel(Success).
2) Executed a command blocked on SMM channel(Denied with CC D5).
Verified following condition over SystemInterface
3) Executed a command whitelisted on SystemInterface(Success).
4) Executed a command blocked on SystemInterface(Denied with CC D5).
When RestrictionMode is ProvisionedHostDisabled
Executed an allowed command on both SMM and SystemInterface
(Denied with CC D5).
Change-Id: If99fd90ea9faf1d3440d10ecfc385ab3c907c736
Signed-off-by: Arun P. Mohanan <arun.p.m@linux.intel.com>
diff --git a/src/whitelist-filter.cpp b/src/whitelist-filter.cpp
index 099362c..f8c349d 100644
--- a/src/whitelist-filter.cpp
+++ b/src/whitelist-filter.cpp
@@ -54,6 +54,7 @@
RestrictionMode::Modes restrictionMode = restrictionModeRestricted;
bool postCompleted = false;
+ int channelSMM = -1;
std::shared_ptr<sdbusplus::asio::connection> bus;
std::unique_ptr<sdbusplus::bus::match::match> modeChangeMatch;
std::unique_ptr<sdbusplus::bus::match::match> modeIntfAddedMatch;
@@ -66,6 +67,30 @@
"xyz.openbmc_project.State.OperatingSystem.Status";
};
+static inline uint8_t getSMMChannel()
+{
+ ipmi::ChannelInfo chInfo;
+
+ for (int channel = 0; channel < ipmi::maxIpmiChannels; channel++)
+ {
+ if (ipmi::getChannelInfo(channel, chInfo) != ipmi::ccSuccess)
+ {
+ continue;
+ }
+
+ if (static_cast<ipmi::EChannelMediumType>(chInfo.mediumType) ==
+ ipmi::EChannelMediumType::systemInterface &&
+ channel != ipmi::channelSystemIface)
+ {
+ log<level::INFO>("SMM channel number",
+ entry("CHANNEL=%d", channel));
+ return channel;
+ }
+ }
+ log<level::ERR>("Unable to find SMM Channel Info");
+ return -1;
+}
+
WhitelistFilter::WhitelistFilter()
{
bus = getSdBus();
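Review bot: `getSMMChannel()` is declared `uint8_t` but its failure path ends in `return -1;`, which converts to 255, so the constructor hunk stores 255 in `int channelSMM` instead of the `-1` the member is initialised with. The comparison added in the filterMessage hunk presumably still never matches, assuming real channel numbers stay below `ipmi::maxIpmiChannels`, but any later check of the form `channelSMM < 0` would read a failed lookup as a valid channel. Declaring it `static inline int getSMMChannel()` keeps the sentinel intact. Because the lookup runs only once in the constructor, a failure there appears to leave SMM requests on the non-system-interface path for the life of the process, so the ERR log line deserves to be treated as a fault rather than as informational output.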
@@ -77,6 +102,7 @@
return filterMessage(request);
});
+ channelSMM = getSMMChannel();
// wait until io->run is going to fetch RestrictionMode
post_work([this]() { postInit(); });
}
@@ -307,7 +333,8 @@
});
// no special handling for non-system-interface channels
- if (request->ctx->channel != ipmi::channelSystemIface)
+ if (!(request->ctx->channel == ipmi::channelSystemIface ||
+ request->ctx->channel == channelSMM))
{
if (!whitelisted)
{
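Review bot: The comment above the changed condition still reads `// no special handling for non-system-interface channels`, although the branch now excludes the SMM channel as well; it should read something like `// no special handling for channels other than the system interface and SMM`. It is also worth stating there that when the SMM channel lookup failed, requests arriving on the SMM channel take this branch. The body of the `if` and the rest of the enclosing function lie outside the hunk, so what this branch does with a non-whitelisted command cannot be confirmed from here.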