commit 708723eb798b8c95868f3a476baf7323c21b02a5
author Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> Sat Jun 15 01:04:41 2019 +0530
committer Brad Bishop <radsquirrel@gmail.com> Fri Aug 16 00:53:27 2019 +0000
tree 0dc9a7594c56df94b031d69a50784d3a5c772e91
parent b1636a87b992310fc374f6f7ff5f473040541385

[D-Bus Intf] Security modes property & intf update

Defined new values like ProvisionedHostWhitelist,
ProvisionedHostDisabled, Provisioning which defines
how commands received through Host (system) interface
has to be filtered. Also defined SpecialMode interfaces
to handle special cases like manufacturing and validation
mode in OpenBMC.

Note: Please refer Security mode design doc under review for more
details
https://gerrit.openbmc-project.xyz/#/c/openbmc/docs/+/21195/

Change-Id: I270e7d23ca2ed260f2d121e3844c2ca79150070e
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

xyz/openbmc_project/Control/Security/RestrictionMode.interface.yaml

diff --git a/xyz/openbmc_project/Control/Security/RestrictionMode.interface.yaml b/xyz/openbmc_project/Control/Security/RestrictionMode.interface.yaml
index 8e4fd8d..0baae0e 100644
--- a/xyz/openbmc_project/Control/Security/RestrictionMode.interface.yaml
+++ b/xyz/openbmc_project/Control/Security/RestrictionMode.interface.yaml
@@ -21,3 +21,19 @@
         - name: Blacklist
           description: >
             Prevent, if in the blacklist.
+        - name: Provisioning
+          description: >
+            Indicate that system is in provisioning mode
+            and all commands are allowed in system interface
+            in both pre and post BIOS boot.
+        - name: ProvisionedHostWhitelist
+          description: >
+            Commands in the whitelist will only be executed
+            through system interface after BIOS POST complete.
+            All KCS commands are supported before POST complete.
+        - name: ProvisionedHostDisabled
+          description: >
+            Commands through system interface are executed only
+            till BIOS POST complete notification, after
+            which system interface commands are blocked (except BIOS SMI
+            based ones).

xyz/openbmc_project/Control/Security/SpecialMode.interface.yaml

diff --git a/xyz/openbmc_project/Control/Security/SpecialMode.interface.yaml b/xyz/openbmc_project/Control/Security/SpecialMode.interface.yaml
new file mode 100644
index 0000000..6760076
--- /dev/null
+++ b/xyz/openbmc_project/Control/Security/SpecialMode.interface.yaml
@@ -0,0 +1,26 @@
+description: >
+    Implement to specify a special mode of operation
+
+properties:
+    - name: SpecialMode
+      type: enum[self.Modes]
+      description: >
+          The special mode.
+
+enumerations:
+    - name: Modes
+      description: >
+        Possible modes available.
+      values:
+        - name: None
+          description: >
+            BMC is under normal working condition.
+        - name: Manufacturing
+          description: >
+            Indicate that BMC is in manufacturing mode
+            and is allowed to perform any manufacturing related
+            activity
+        - name: ValidationUnsecure
+          description: >
+            Indicate that BMC is in validation mode, and can
+            execute any special validation related commands