secure-boot: check sysfs debug settings
These aspeed-specific settings are provided via the kernels sysfs
filesystem. They provide information on the security of the BMC.
Follow on commits will check if the BMC is in manufacturing mode and log
an error if the system does not pass the security check.
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Iddcc09dc34133806abe33570c5422bde51981bdb
diff --git a/meson.build b/meson.build
index b267f40..de40c93 100644
--- a/meson.build
+++ b/meson.build
@@ -45,6 +45,10 @@
'BOOT_COUNT_MAX_ALLOWED', get_option('boot-count-max-allowed'))
conf.set(
'CLASS_VERSION', get_option('class-version'))
+conf.set_quoted(
+ 'SYSFS_SECURE_BOOT_PATH', get_option('sysfs-secure-boot-path'))
+conf.set_quoted(
+ 'SYSFS_ABR_IMAGE_PATH', get_option('sysfs-abr-image-path'))
if build_host_gpios.enabled()
conf.set_quoted(
'HOST_GPIOS_BUSNAME', get_option('host-gpios-busname'))
diff --git a/meson_options.txt b/meson_options.txt
index f042b64..64a5b7e 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -110,3 +110,12 @@
description : 'The host gpios Dbus root.',
)
+option('sysfs-secure-boot-path', type : 'string',
+ value : '/sys/kernel/debug/aspeed/sbc/secure_boot',
+ description : 'The sysfs path to the secure boot value.',
+)
+
+option('sysfs-abr-image-path', type : 'string',
+ value : '/sys/kernel/debug/aspeed/sbc/abr_image',
+ description : 'The sysfs path to the abr image value.',
+)
diff --git a/secure_boot_check.cpp b/secure_boot_check.cpp
index 4387839..598854e 100644
--- a/secure_boot_check.cpp
+++ b/secure_boot_check.cpp
@@ -1,7 +1,13 @@
+#include "config.h"
+
#include "utils.hpp"
#include <phosphor-logging/lg2.hpp>
+#include <filesystem>
+#include <fstream>
+#include <string>
+
PHOSPHOR_LOG2_USING;
int main()
@@ -22,5 +28,65 @@
info("bmc-secure-boot found and indicates it is enabled");
}
+ // Now read the /sys/kernel/debug/aspeed/ files
+ std::string dbgVal;
+ std::ifstream dbgFile;
+ int secureBootVal = -1;
+ int abrImage = -1;
+
+ dbgFile.exceptions(std::ifstream::failbit | std::ifstream::badbit |
+ std::ifstream::eofbit);
+
+ if (std::filesystem::exists(SYSFS_SECURE_BOOT_PATH))
+ {
+ try
+ {
+ dbgFile.open(SYSFS_SECURE_BOOT_PATH);
+ dbgFile >> dbgVal;
+ dbgFile.close();
+ info("Read {SECURE_BOOT_VAL} from secure_boot", "SECURE_BOOT_VAL",
+ dbgVal);
+ secureBootVal = std::stoi(dbgVal);
+ }
+ catch (std::exception& e)
+ {
+ error("Failed to read secure boot sysfs file: {ERROR}", "ERROR", e);
+ // just continue and error will be logged at end if in mfg mode
+ }
+ }
+ else
+ {
+ info("sysfs file secure_boot not present");
+ }
+
+ if (std::filesystem::exists(SYSFS_ABR_IMAGE_PATH))
+ {
+
+ try
+ {
+ dbgFile.open(SYSFS_ABR_IMAGE_PATH);
+ dbgFile >> dbgVal;
+ dbgFile.close();
+ info("Read {ABR_IMAGE_VAL} from abr_image", "ABR_IMAGE_VAL",
+ dbgVal);
+ abrImage = std::stoi(dbgVal);
+ }
+ catch (std::exception& e)
+ {
+ error("Failed to read abr image sysfs file: {ERROR}", "ERROR", e);
+ // just continue and error will be logged at end if in mfg mode
+ }
+ }
+ else
+ {
+ info("sysfs file abr_image not present");
+ }
+
+ if ((secureBootGpio != 1) || (secureBootVal != 1) || (abrImage != 0))
+ {
+ // TODO - Generate Error when in mfg mode
+ error("The system is not secure");
+ }
+
return 0;
}