#include "config.h"

#include "utils.hpp"

#include <phosphor-logging/lg2.hpp>
#include <xyz/openbmc_project/Logging/Settings/client.hpp>

#include <filesystem>
#include <fstream>
#include <map>
#include <string>
#include <variant>

PHOSPHOR_LOG2_USING;

// D-Bus properties interface used for the generic "Get" call in
// isMfgModeEnabled().
constexpr const char* PROPERTY_INTERFACE = "org.freedesktop.DBus.Properties";

// Generated client bindings for the logging Settings interface; they supply
// the interface name and the QuiesceOnHwError property name that
// isMfgModeEnabled() queries.
using LoggingSettings =
    sdbusplus::client::xyz::openbmc_project::logging::Settings<>;

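// Check that the TPM measurement file exists and holds a usable value.
//
// The file named by SYSFS_TPM_MEASUREMENT_PATH is read as one
// whitespace-delimited token. The measurement is treated as failed when the
// file is missing, when it cannot be opened, when no token can be read, or
// when the token is exactly "0". Any other token is accepted as-is; its
// format and length are not validated here.
//
// On failure the message is logged via lg2 and a
// xyz.openbmc_project.State.Error.TpmMeasurementFail event is created with
// the message under the "ERROR" key of its additional data. On success
// nothing is logged.
//
// May propagate std::filesystem::filesystem_error from
// std::filesystem::exists and whatever
// phosphor::state::manager::utils::createError throws.
void checkTpmMeasurement()
{
    const std::string measurementPath{SYSFS_TPM_MEASUREMENT_PATH};
    // Non-empty iff a failure condition was detected.
    std::string errorMsg;

    if (!std::filesystem::exists(measurementPath))
    {
        errorMsg = "TPM measurement file does not exist: " + measurementPath;
    }
    else
    {
        // Closed by the destructor; no explicit close() needed.
        std::ifstream tpmFile(measurementPath);
        if (!tpmFile.is_open())
        {
            // Reported separately so that a file that exists but cannot be
            // opened (e.g. a permission problem) is not mistaken for an
            // empty measurement.
            errorMsg = "TPM measurement file could not be opened: " +
                       measurementPath;
        }
        else
        {
            std::string tpmValueStr;
            tpmFile >> tpmValueStr;
            if (tpmValueStr.empty())
            {
                errorMsg = "TPM measurement value is empty: " + measurementPath;
            }
            else if (tpmValueStr == "0")
            {
                errorMsg = "TPM measurement value is 0: " + measurementPath;
            }
        }
    }

    if (errorMsg.empty())
    {
        return;
    }

    // No valid TPM measurement: log it and raise the error event.
    error("{ERROR}", "ERROR", errorMsg);
    std::map<std::string, std::string> additionalData;
    additionalData.emplace("ERROR", errorMsg);
    auto bus = sdbusplus::bus::new_default();
    phosphor::state::manager::utils::createError(
        bus, "xyz.openbmc_project.State.Error.TpmMeasurementFail",
        sdbusplus::server::xyz::openbmc_project::logging::Entry::Level::Error,
        additionalData);
}
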
// Utilize the QuiesceOnHwError setting as an indication that the system
// is operating in an environment where the user should be notified of
// security settings (i.e. "Manufacturing").
//
// Reads the property through the org.freedesktop.DBus.Properties "Get"
// method on the logging settings object. A failed D-Bus call is logged and
// then rethrown to the caller unchanged; the only catch here is for
// sdbusplus::exception_t. A reply that is not a bool makes std::get throw
// std::bad_variant_access.
bool isMfgModeEnabled()
{
    auto bus = sdbusplus::bus::new_default();

    const std::string objectPath = "/xyz/openbmc_project/logging/settings";
    const std::string iface = LoggingSettings::interface;
    const std::string propertyName =
        LoggingSettings::property_names::quiesce_on_hw_error;

    const std::string service =
        phosphor::state::manager::utils::getService(bus, objectPath, iface);

    auto request = bus.new_method_call(service.c_str(), objectPath.c_str(),
                                       PROPERTY_INTERFACE, "Get");
    request.append(iface, propertyName);

    std::variant<bool> quiesceOnHwError;
    try
    {
        auto reply = bus.call(request);
        reply.read(quiesceOnHwError);
    }
    catch (const sdbusplus::exception_t& e)
    {
        error("Error in property Get, error {ERROR}, property {PROPERTY}",
              "ERROR", e, "PROPERTY", propertyName);
        throw;
    }

    return std::get<bool>(quiesceOnHwError);
}

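// Entry point: collect the BMC's secure-boot indicators, raise a
// xyz.openbmc_project.State.Error.SecurityCheckFail event when they are not
// all in the expected state while the system is in "manufacturing" mode
// (see isMfgModeEnabled()), and finally verify the TPM measurement when a
// TPM device is present.
//
// Indicators, each -1 when absent or unreadable:
//   secureBootGpio - value of the "bmc-secure-boot" GPIO.
//   secureBootVal  - integer read from SYSFS_SECURE_BOOT_PATH.
//   abrImage       - integer read from SYSFS_ABR_IMAGE_PATH.
//
// Always returns 0; findings are reported through logging and error events
// rather than the exit status. isMfgModeEnabled() rethrows D-Bus failures
// and nothing here catches them, so such a failure ends the process before
// the TPM check is reached.
int main()
{
    // Read the secure boot gpio
    auto secureBootGpio =
        phosphor::state::manager::utils::getGpioValue("bmc-secure-boot");
    if (secureBootGpio == -1)
    {
        debug("bmc-secure-boot gpio not present or can not be read");
    }
    else if (secureBootGpio == 0)
    {
        info("bmc-secure-boot gpio found and indicates it is NOT enabled");
    }
    else
    {
        info("bmc-secure-boot found and indicates it is enabled");
    }

    // Now read the /sys/kernel/debug/aspeed/ files. Each read uses its own
    // ifstream: a single stream shared by both reads stays open (and keeps
    // its failbit) after a throwing read of the first file, which then makes
    // open() of the second file fail as well.
    const auto streamExceptions =
        std::ifstream::failbit | std::ifstream::badbit | std::ifstream::eofbit;
    int secureBootVal = -1;
    int abrImage = -1;

    if (std::filesystem::exists(SYSFS_SECURE_BOOT_PATH))
    {
        try
        {
            std::ifstream dbgFile;
            dbgFile.exceptions(streamExceptions);
            dbgFile.open(SYSFS_SECURE_BOOT_PATH);
            std::string dbgVal;
            dbgFile >> dbgVal;
            dbgFile.close();
            info("Read {SECURE_BOOT_VAL} from secure_boot", "SECURE_BOOT_VAL",
                 dbgVal);
            secureBootVal = std::stoi(dbgVal);
        }
        catch (const std::exception& e)
        {
            error("Failed to read secure boot sysfs file: {ERROR}", "ERROR", e);
            // just continue and error will be logged at end if in mfg mode
        }
    }
    else
    {
        info("sysfs file secure_boot not present");
    }

    if (std::filesystem::exists(SYSFS_ABR_IMAGE_PATH))
    {
        try
        {
            std::ifstream dbgFile;
            dbgFile.exceptions(streamExceptions);
            dbgFile.open(SYSFS_ABR_IMAGE_PATH);
            std::string dbgVal;
            dbgFile >> dbgVal;
            dbgFile.close();
            info("Read {ABR_IMAGE_VAL} from abr_image", "ABR_IMAGE_VAL",
                 dbgVal);
            abrImage = std::stoi(dbgVal);
        }
        catch (const std::exception& e)
        {
            error("Failed to read abr image sysfs file: {ERROR}", "ERROR", e);
            // just continue and error will be logged at end if in mfg mode
        }
    }
    else
    {
        info("sysfs file abr_image not present");
    }

    if (isMfgModeEnabled())
    {
        // Expected secure state: GPIO asserted, secure_boot == 1, abr_image
        // == 0. Any indicator that could not be read (-1) fails this check.
        if ((secureBootGpio != 1) || (secureBootVal != 1) || (abrImage != 0))
        {
            error("The system is not secure");
            std::map<std::string, std::string> additionalData;
            additionalData.emplace("SECURE_BOOT_GPIO",
                                   std::to_string(secureBootGpio));
            additionalData.emplace("SYSFS_SECURE_BOOT_VAL",
                                   std::to_string(secureBootVal));
            additionalData.emplace("SYSFS_ABR_IMAGE_VAL",
                                   std::to_string(abrImage));

            auto bus = sdbusplus::bus::new_default();
            phosphor::state::manager::utils::createError(
                bus, "xyz.openbmc_project.State.Error.SecurityCheckFail",
                sdbusplus::server::xyz::openbmc_project::logging::Entry::Level::
                    Warning,
                additionalData);
        }
    }

    // Check the TPM measurement if TPM is enabled
    if (std::filesystem::exists(std::string(SYSFS_TPM_DEVICE_PATH)))
    {
        checkTpmMeasurement();
    }

    return 0;
}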