secure-boot: initial basic app to check gpio

The basic requirement is to utilize the new bmc-secure-boot GPIO
defined within this patch[1]. If the GPIO is found, then verify the
system is in secure mode by validating the GPIO reads 1. If it’s not
a 1, then log an error.

Similarly, the code will also look at sysfs files created via the
kernel. An error will be logged if these sysfs files do not return
the expected security readings.

The above checks will only be run in a manufacturing environment.

See https://lists.ozlabs.org/pipermail/openbmc/2022-February/029479.html
for the mailing list discussion on this feature.

[1]: https://github.com/openbmc/docs/commit/d55349e10ec2432886b26b00322ef0eaff2b919a

Change-Id: I75ae6ba8541b6a13922ce6b45f82ee6cfca83b1d
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/secure_boot_check.cpp b/secure_boot_check.cpp
new file mode 100644
index 0000000..4387839
--- /dev/null
+++ b/secure_boot_check.cpp
@@ -0,0 +1,26 @@
+#include "utils.hpp"
+
+#include <phosphor-logging/lg2.hpp>
+
+PHOSPHOR_LOG2_USING;
+
+int main()
+{
+    // Read the secure boot gpio
+    auto secureBootGpio =
+        phosphor::state::manager::utils::getGpioValue("bmc-secure-boot");
+    if (secureBootGpio == -1)
+    {
+        debug("bmc-secure-boot gpio not present or can not be read");
+    }
+    else if (secureBootGpio == 0)
+    {
+        info("bmc-secure-boot gpio found and indicates it is NOT enabled");
+    }
+    else
+    {
+        info("bmc-secure-boot found and indicates it is enabled");
+    }
+
+    return 0;
+}
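Review bot: In the `else if (secureBootGpio == 0)` branch the not-enabled state is reported with `info(...)`, while the commit message says a GPIO that does not read 1 should log an error; either raise this to `error(...)` or say in the commit message that error logging comes in a follow-up change. The final `else` treats every value other than -1 and 0 as enabled, so an explicit `secureBootGpio == 1` check would match the stated requirement more closely. The sysfs checks and the manufacturing-environment gate described in the message are not present in this file, and `main()` returns 0 on every path, including the `-1` case that is only logged at `debug` level, so a caller cannot tell the outcomes apart. A short comment listing what is deferred would help the next reader.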