secure-boot: check for manufacturing environment
This check is meant to be a "hey you didn't provision the system
correctly" type warning for the team building the system in a
manufacturing environment. There are other fundamental things that will
not work when a system is not secure. This check is just meant to be a
more user-friendly version so the team building the system can quickly
be notified that they've forgotten something.
There is no be-all "manufacturing environment" setting within OpenBMC so
utilize the one most often used within manufacturing to ensure a system
does not ship with any errors, the QuiesceOnHwError property.
Tested:
- Loaded application in QEMU, verified when QuiesceOnHwError was false
and security settings were incorrect, no journal entry error was made.
- Verified when QuiesceOnHwError was true, and security settings were
incorrect, that the "The system is not secure" entry was in the
journal.
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I558e28593f30a939a39fb5cc5e201047c0b9e47b
diff --git a/secure_boot_check.cpp b/secure_boot_check.cpp
index 598854e..2092cba 100644
--- a/secure_boot_check.cpp
+++ b/secure_boot_check.cpp
@@ -10,6 +10,42 @@
PHOSPHOR_LOG2_USING;
+constexpr auto PROPERTY_INTERFACE = "org.freedesktop.DBus.Properties";
+
+// Utilize the QuiesceOnHwError setting as an indication that the system
+// is operating in an environment where the user should be notified of
+// security settings (i.e. "Manufacturing")
+bool isMfgModeEnabled()
+{
+ auto bus = sdbusplus::bus::new_default();
+ std::string path = "/xyz/openbmc_project/logging/settings";
+ std::string interface = "xyz.openbmc_project.Logging.Settings";
+ std::string propertyName = "QuiesceOnHwError";
+ std::variant<bool> mfgModeEnabled;
+
+ std::string service =
+ phosphor::state::manager::utils::getService(bus, path, interface);
+
+ auto method = bus.new_method_call(service.c_str(), path.c_str(),
+ PROPERTY_INTERFACE, "Get");
+
+ method.append(interface, propertyName);
+
+ try
+ {
+ auto reply = bus.call(method);
+ reply.read(mfgModeEnabled);
+ }
+ catch (const sdbusplus::exception::exception& e)
+ {
+ error("Error in property Get, error {ERROR}, property {PROPERTY}",
+ "ERROR", e, "PROPERTY", propertyName);
+ throw;
+ }
+
+ return std::get<bool>(mfgModeEnabled);
+}
+
int main()
{
// Read the secure boot gpio
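Review bot: the catch block in isMfgModeEnabled() logs and then rethrows with `throw;`, and the getService() call sits above the try, so any failure while looking up or reading QuiesceOnHwError leaves this function as an exception rather than a bool. For a check the commit message describes as a user-friendly warning, it would be clearer to pick a default and return it from the catch (and move the getService() call inside the try so its failures are logged the same way), with a comment saying why that default was chosen: returning false hides the warning when the settings service is unavailable, returning true shows it. Minor: `std::get<bool>(mfgModeEnabled)` on a `std::variant<bool>` cannot select the wrong alternative, but if the property type ever changes the failure would show up in `reply.read()`, which is inside the try only as long as the rethrow is kept in mind by callers.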
@@ -82,10 +118,13 @@
info("sysfs file abr_image not present");
}
- if ((secureBootGpio != 1) || (secureBootVal != 1) || (abrImage != 0))
+ if (isMfgModeEnabled())
{
- // TODO - Generate Error when in mfg mode
- error("The system is not secure");
+ if ((secureBootGpio != 1) || (secureBootVal != 1) || (abrImage != 0))
+ {
+ // TODO - Generate Error when in mfg mode
+ error("The system is not secure");
+ }
}
return 0;
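Review bot: with the new outer `if (isMfgModeEnabled())`, a system whose secureBootGpio, secureBootVal or abrImage values are wrong now produces no journal entry at all when QuiesceOnHwError is false, where the removed lines always logged "The system is not secure". If that is intended, consider keeping a lower-severity line (for example an info() entry) on the non-manufacturing path so the state is still visible in the journal for anyone auditing a fielded system. Two smaller points in the same block: the call to isMfgModeEnabled() is not wrapped in try/catch, so the exception the helper rethrows would end main() before `return 0;`, and testing the local values first (`if (insecure && isMfgModeEnabled())`) would skip the D-Bus round trip entirely on a correctly provisioned system and flatten the nested ifs. The "// TODO - Generate Error when in mfg mode" comment could also be reworded now that the branch already runs only in that mode.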