Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / intel-ipmi-oem / edbb40812045f682ac22a7ef25bcafd1ddfcc0a8^! / .
commitedbb40812045f682ac22a7ef25bcafd1ddfcc0a8[log] [tgz]
authorYong Li <yong.b.li@linux.intel.com>Fri Mar 06 17:38:25 2020 +0800
committerVernon Mauery <vernon.mauery@linux.intel.com>Tue Mar 10 22:44:45 2020 +0000
treec609d91ac3d407a9f86a250c7077c0bacb999191
parent32825a23324c2cf051bb5608348b8ea2109a36b5 [diff]
Enable sensitive ME commands in MFG mode

If the system is in manufacturing mode, do not block these commands.

Tested:
In normal mode, command failed with 0xD4
ipmitool -H $BMCIP -U root -P 0penBmc -C 17 -I lanplus \
-t 0x2c -b 6 raw 0x2E 0x40 0x57 0x01 0x00 0 x30 0 0
Unable to send RAW command(channel=0x6 netfn=0x2e lun=0x0 cmd=0x40 rsp=0xd4)
Insufficient privilege level

Change to MFG mode, the above command get proper response:
 57 01 00

Signed-off-by: Yong Li <yong.b.li@linux.intel.com>
Change-Id: I6b1d1f85a1258b24ba9734891e6a7085a23d6694

diff --git a/src/bridgingcommands.cpp b/src/bridgingcommands.cpp
index 6749b00..e21a738 100644
--- a/src/bridgingcommands.cpp
+++ b/src/bridgingcommands.cpp

@@ -19,6 +19,7 @@
 #include <cstring>
 #include <ipmid/api.hpp>
 #include <ipmid/utils.hpp>
+#include <manufacturingcommands.hpp>
 #include <phosphor-logging/log.hpp>
 #include <sdbusplus/bus.hpp>
 #include <sdbusplus/bus/match.hpp>
@@ -201,6 +202,7 @@
 static constexpr bool isMeCmdAllowed(uint8_t netFn, uint8_t cmd)
 {
     constexpr uint8_t netFnMeOEM = 0x2E;
+    constexpr uint8_t netFnMeOEMGeneral = 0x3E;
     constexpr uint8_t cmdMeOemSendRawPeci = 0x40;
     constexpr uint8_t cmdMeOemAggSendRawPeci = 0x41;
     constexpr uint8_t cmdMeOemCpuPkgConfWrite = 0x43;
@@ -224,8 +226,8 @@
         case makeCmdKey(netFnMeOEM, cmdMeOemCpuPciConfWrite):
         case makeCmdKey(netFnMeOEM, cmdMeOemReadMemSmbus):
         case makeCmdKey(netFnMeOEM, cmdMeOemWriteMemSmbus):
-        case makeCmdKey(netFnMeOEM, cmdMeOemSlotIpmb):
-        case makeCmdKey(netFnMeOEM, cmdMeOemSlotI2cMasterWriteRead):
+        case makeCmdKey(netFnMeOEMGeneral, cmdMeOemSlotIpmb):
+        case makeCmdKey(netFnMeOEMGeneral, cmdMeOemSlotI2cMasterWriteRead):
         case makeCmdKey(netFnMeOEM, cmdMeOemSendRawPmbus):
         case makeCmdKey(netFnMeOEM, cmdMeOemUnlockMeRegion):
         case makeCmdKey(netFnMeOEM, cmdMeOemAggSendRawPmbus):
@@ -239,6 +241,8 @@
                                               ipmi_response_t response,
                                               ipmi_data_len_t dataLen)
 {
+    ipmi::Manufacturing mtm;
+
     if ((*dataLen < (sizeof(sSendMessageReq) + ipmbMinFrameLength)) ||
         (*dataLen > (sizeof(sSendMessageReq) + ipmbMaxFrameLength)))
     {
@@ -260,10 +264,13 @@
     }
 
     constexpr uint8_t shiftLUN = 2;
-    if (!isMeCmdAllowed((sendMsgReqData->Header.Req.rsNetFnLUN >> shiftLUN),
-                        sendMsgReqData->Header.Req.cmd))
+    if (mtm.getMfgMode() == ipmi::SpecialMode::none)
     {
-        return IPMI_CC_INVALID_FIELD_REQUEST;
+        if (!isMeCmdAllowed((sendMsgReqData->Header.Req.rsNetFnLUN >> shiftLUN),
+                            sendMsgReqData->Header.Req.cmd))
+        {
+            return IPMI_CC_INSUFFICIENT_PRIVILEGE;
+        }
     }
 
     // check allowed modes