secure-boot: add service to run new secure check
Tested:
- Built image with new service installed and verified that when
QuiesceOnHwError was not set, we just got this:
Mar 18 16:09:46 p10bmc systemd[1]: Starting Phosphor BMC Security Check...
Mar 18 16:09:46 p10bmc phosphor-secure-boot-check[435]: bmc-secure-boot gpio found and indicates it is NOT enabled
Mar 18 16:09:46 p10bmc phosphor-secure-boot-check[435]: Read 0 from secure_boot
Mar 18 16:09:46 p10bmc phosphor-secure-boot-check[435]: Read 0 from abr_image
Mar 18 16:09:47 p10bmc systemd[1]: Finished Phosphor BMC Security Check.
- When QuiesceOnHwError was set, we got this:
Mar 18 16:37:10 p10bmc systemd[1]: Starting Phosphor BMC Security Check...
Mar 18 16:37:10 p10bmc phosphor-secure-boot-check[1001]: bmc-secure-boot gpio found and indicates it is NOT enabled
Mar 18 16:37:10 p10bmc phosphor-secure-boot-check[1001]: Read 0 from secure_boot
Mar 18 16:37:10 p10bmc phosphor-secure-boot-check[1001]: Read 0 from abr_image
Mar 18 16:37:10 p10bmc phosphor-secure-boot-check[1001]: The system is not secure
Mar 18 16:37:10 p10bmc systemd[1]: Finished Phosphor BMC Security Check.
AND a log:
"Severity" : {
"type" : "s",
"data" : "xyz.openbmc_project.Logging.Entry.Level.Warning"
},
"Message" : {
"type" : "s",
"data" : "xyz.openbmc_project.State.Error.SecurityCheckFail"
},
"EventId" : {
"type" : "s",
"data" : "BD8D3405 00000055 2E2D0010 00000000 00000000 00000000 00000000 00000000 00000000"
},
"AdditionalData" : {
"type" : "as",
"data" : [
"SECURE_BOOT_GPIO=0",
"SYSFS_ABR_IMAGE_VAL=0",
"SYSFS_SECURE_BOOT_VAL=0",
"_PID=1001"
]
},
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I6513280d30672907341b8f3fc583644ebec4cdc5
diff --git a/service_files/meson.build b/service_files/meson.build
index f6ff41a..18e33ea 100644
--- a/service_files/meson.build
+++ b/service_files/meson.build
@@ -14,7 +14,8 @@
'phosphor-clear-one-time@.service',
'phosphor-set-host-transition-to-off@.service',
'phosphor-set-host-transition-to-running@.service',
- 'phosphor-chassis-check-power-status@.service'
+ 'phosphor-chassis-check-power-status@.service',
+ 'phosphor-bmc-security-check.service'
]
foreach u : unit_files
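Review bot: adding 'phosphor-bmc-security-check.service' to unit_files only gets the file installed; nothing in this change shows the unit being enabled, so confirm the build/packaging side enables it (its [Install] section targets multi-user.target), otherwise the check never runs on boot. Also, the unit name (phosphor-bmc-security-check), the binary it starts (phosphor-secure-boot-check) and the journal identity in the tested output all differ; picking one name, or noting the mapping in the commit message, would make the service easier to find when triaging a SecurityCheckFail log.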
diff --git a/service_files/phosphor-bmc-security-check.service b/service_files/phosphor-bmc-security-check.service
new file mode 100644
index 0000000..060ff2a
--- /dev/null
+++ b/service_files/phosphor-bmc-security-check.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Phosphor BMC Security Check
+Wants=obmc-mapper.target
+After=obmc-mapper.target
+Wants=xyz.openbmc_project.Settings.service
+After=xyz.openbmc_project.Settings.service
+
+
+[Service]
+ExecStart=/usr/bin/phosphor-secure-boot-check
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
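Review bot: the unit runs /usr/bin/phosphor-secure-boot-check with no outcome tied to its exit status, and the tested output shows "The system is not secure" followed by "Finished Phosphor BMC Security Check.", so the only record of a failed check is the error log entry; if a failed check is meant to gate anything later in boot, state that in the commit message or add the ordering (Before=/After=) here, and if it is log-only, say so. Minor style: the two blank lines after "After=xyz.openbmc_project.Settings.service" can be collapsed to one to match the rest of the file.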