New property to clear or reset the security keys

Defining a new property which can be used as a bit mask to indicate
clearing certain security keys or resetting those values back to their
default from the system by the host. This will be mapped to a new IPMI
sensor. Setting this property does not guarantee a successful operation
as additional conditions like the physical presence pin or jumper
settings will be checked by the host to clear/reset the sensitive data.

Some of the customer use cases include clearing OS platform key, clearing
system security officer certificate and resetting the system key value
back to its default state.

An external user should be able to update the value using ipmitool.

Signed-off-by: Jayashankar Padath <jayashankar.padath@in.ibm.com>
Change-Id: Ifdabc76e1e64fd3a47ecd775d7de1776b630e501
diff --git a/org/open_power/Control/TPM/SecurityKeys.interface.yaml b/org/open_power/Control/TPM/SecurityKeys.interface.yaml
new file mode 100644
index 0000000..89f46a4
--- /dev/null
+++ b/org/open_power/Control/TPM/SecurityKeys.interface.yaml
@@ -0,0 +1,26 @@
+description: >
+ Settings to clear or reset the security keys.
+
+properties:
+ - name: ClearHostSecurityKeys
+ type: byte
+ description: >
+ This is a bit mask used to specify clearing different security keys
+ or resetting those values back to default by the host. Setting this
+ property does not guarantee a successful operation as additional
+ conditions will be checked by the host to clear/reset the sensitive
+ data. This property will be mapped to a new IPMI sensor.
+
+ The new property is having an integer value and the default value
+ will be zero. The end operation is determined by the bit value set
+ and some of the customer use cases which maps to bit value are
+
+ Bit 0 - Clear All : Clear/reset all the sensitive data controlled by
+ platform firmware from the system. System can generate new
+ data to re-enable the affected functions if required
+ Bit 1 - Clear OS PK : This directs OPAL to clear the OS platform key
+ Bit 2 - Clear PEF SSO : This directs OPAL/PEF to clear the
+ System Security Officer certificate
+ Bit 3 - Clear PowerVM System Key : This directs PowerVM to reset the
+ system key back to the default state
+ Bit 4-6 - Reserved
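Review bot: The bit list in the ClearHostSecurityKeys description ends at "Bit 4-6 - Reserved", but the property is declared as `type: byte`, so bit 7 is neither assigned nor reserved. Either extend the line to "Bit 4-7 - Reserved" or document what bit 7 means, and state that reserved bits must be written as zero and are ignored by the host, so that a write of 0xFF through the IPMI sensor has a defined result. The description also says the default value will be zero, but the property has no `default: 0` entry to match, so the default exists only in prose. Finally, since the text notes that setting the property does not guarantee the operation, it would help to say who returns the mask to zero afterwards (host or BMC) and when; otherwise a bit left set could be acted on again at a later boot, once the physical presence conditions happen to be met.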