| Andrew Geissler | 8d8d731 | 2022-03-04 14:42:26 -0600 | [diff] [blame] | 1 | #include "config.h" |
| 2 | |
| Andrew Geissler | 6b9421b | 2022-02-24 17:01:55 -0600 | [diff] [blame] | 3 | #include "utils.hpp" |
| 4 | |
| 5 | #include <phosphor-logging/lg2.hpp> |
| 6 | |
| Andrew Geissler | 8d8d731 | 2022-03-04 14:42:26 -0600 | [diff] [blame] | 7 | #include <filesystem> |
| 8 | #include <fstream> |
| 9 | #include <string> |
| 10 | |
| Andrew Geissler | 6b9421b | 2022-02-24 17:01:55 -0600 | [diff] [blame] | 11 | PHOSPHOR_LOG2_USING; |
| 12 | |
| Andrew Geissler | ede85d2 | 2022-03-04 16:21:32 -0600 | [diff] [blame] | 13 | constexpr auto PROPERTY_INTERFACE = "org.freedesktop.DBus.Properties"; |
| 14 | |
| 15 | // Utilize the QuiesceOnHwError setting as an indication that the system |
| 16 | // is operating in an environment where the user should be notified of |
| 17 | // security settings (i.e. "Manufacturing") |
| 18 | bool isMfgModeEnabled() |
| 19 | { |
| 20 | auto bus = sdbusplus::bus::new_default(); |
| 21 | std::string path = "/xyz/openbmc_project/logging/settings"; |
| 22 | std::string interface = "xyz.openbmc_project.Logging.Settings"; |
| 23 | std::string propertyName = "QuiesceOnHwError"; |
| 24 | std::variant<bool> mfgModeEnabled; |
| 25 | |
| 26 | std::string service = |
| 27 | phosphor::state::manager::utils::getService(bus, path, interface); |
| 28 | |
| 29 | auto method = bus.new_method_call(service.c_str(), path.c_str(), |
| 30 | PROPERTY_INTERFACE, "Get"); |
| 31 | |
| 32 | method.append(interface, propertyName); |
| 33 | |
| 34 | try |
| 35 | { |
| 36 | auto reply = bus.call(method); |
| 37 | reply.read(mfgModeEnabled); |
| 38 | } |
| Patrick Williams | f053e6f | 2022-07-22 19:26:54 -0500 | [diff] [blame] | 39 | catch (const sdbusplus::exception_t& e) |
| Andrew Geissler | ede85d2 | 2022-03-04 16:21:32 -0600 | [diff] [blame] | 40 | { |
| 41 | error("Error in property Get, error {ERROR}, property {PROPERTY}", |
| 42 | "ERROR", e, "PROPERTY", propertyName); |
| 43 | throw; |
| 44 | } |
| 45 | |
| 46 | return std::get<bool>(mfgModeEnabled); |
| 47 | } |
| 48 | |
| Andrew Geissler | 6b9421b | 2022-02-24 17:01:55 -0600 | [diff] [blame] | 49 | int main() |
| 50 | { |
| 51 | // Read the secure boot gpio |
| 52 | auto secureBootGpio = |
| 53 | phosphor::state::manager::utils::getGpioValue("bmc-secure-boot"); |
| 54 | if (secureBootGpio == -1) |
| 55 | { |
| 56 | debug("bmc-secure-boot gpio not present or can not be read"); |
| 57 | } |
| 58 | else if (secureBootGpio == 0) |
| 59 | { |
| 60 | info("bmc-secure-boot gpio found and indicates it is NOT enabled"); |
| 61 | } |
| 62 | else |
| 63 | { |
| 64 | info("bmc-secure-boot found and indicates it is enabled"); |
| 65 | } |
| 66 | |
| Andrew Geissler | 8d8d731 | 2022-03-04 14:42:26 -0600 | [diff] [blame] | 67 | // Now read the /sys/kernel/debug/aspeed/ files |
| 68 | std::string dbgVal; |
| 69 | std::ifstream dbgFile; |
| 70 | int secureBootVal = -1; |
| 71 | int abrImage = -1; |
| 72 | |
| 73 | dbgFile.exceptions(std::ifstream::failbit | std::ifstream::badbit | |
| 74 | std::ifstream::eofbit); |
| 75 | |
| 76 | if (std::filesystem::exists(SYSFS_SECURE_BOOT_PATH)) |
| 77 | { |
| 78 | try |
| 79 | { |
| 80 | dbgFile.open(SYSFS_SECURE_BOOT_PATH); |
| 81 | dbgFile >> dbgVal; |
| 82 | dbgFile.close(); |
| 83 | info("Read {SECURE_BOOT_VAL} from secure_boot", "SECURE_BOOT_VAL", |
| 84 | dbgVal); |
| 85 | secureBootVal = std::stoi(dbgVal); |
| 86 | } |
| 87 | catch (std::exception& e) |
| 88 | { |
| 89 | error("Failed to read secure boot sysfs file: {ERROR}", "ERROR", e); |
| 90 | // just continue and error will be logged at end if in mfg mode |
| 91 | } |
| 92 | } |
| 93 | else |
| 94 | { |
| 95 | info("sysfs file secure_boot not present"); |
| 96 | } |
| 97 | |
| 98 | if (std::filesystem::exists(SYSFS_ABR_IMAGE_PATH)) |
| 99 | { |
| Andrew Geissler | 8d8d731 | 2022-03-04 14:42:26 -0600 | [diff] [blame] | 100 | try |
| 101 | { |
| 102 | dbgFile.open(SYSFS_ABR_IMAGE_PATH); |
| 103 | dbgFile >> dbgVal; |
| 104 | dbgFile.close(); |
| 105 | info("Read {ABR_IMAGE_VAL} from abr_image", "ABR_IMAGE_VAL", |
| 106 | dbgVal); |
| 107 | abrImage = std::stoi(dbgVal); |
| 108 | } |
| 109 | catch (std::exception& e) |
| 110 | { |
| 111 | error("Failed to read abr image sysfs file: {ERROR}", "ERROR", e); |
| 112 | // just continue and error will be logged at end if in mfg mode |
| 113 | } |
| 114 | } |
| 115 | else |
| 116 | { |
| 117 | info("sysfs file abr_image not present"); |
| 118 | } |
| 119 | |
| Andrew Geissler | ede85d2 | 2022-03-04 16:21:32 -0600 | [diff] [blame] | 120 | if (isMfgModeEnabled()) |
| Andrew Geissler | 8d8d731 | 2022-03-04 14:42:26 -0600 | [diff] [blame] | 121 | { |
| Andrew Geissler | ede85d2 | 2022-03-04 16:21:32 -0600 | [diff] [blame] | 122 | if ((secureBootGpio != 1) || (secureBootVal != 1) || (abrImage != 0)) |
| 123 | { |
| Andrew Geissler | ede85d2 | 2022-03-04 16:21:32 -0600 | [diff] [blame] | 124 | error("The system is not secure"); |
| Andrew Geissler | 6537ce1 | 2022-03-07 14:59:29 -0600 | [diff] [blame] | 125 | std::map<std::string, std::string> additionalData; |
| 126 | additionalData.emplace("SECURE_BOOT_GPIO", |
| 127 | std::to_string(secureBootGpio)); |
| 128 | additionalData.emplace("SYSFS_SECURE_BOOT_VAL", |
| 129 | std::to_string(secureBootVal)); |
| 130 | additionalData.emplace("SYSFS_ABR_IMAGE_VAL", |
| 131 | std::to_string(abrImage)); |
| 132 | |
| 133 | auto bus = sdbusplus::bus::new_default(); |
| 134 | phosphor::state::manager::utils::createError( |
| 135 | bus, "xyz.openbmc_project.State.Error.SecurityCheckFail", |
| 136 | sdbusplus::xyz::openbmc_project::Logging::server::Entry::Level:: |
| 137 | Warning, |
| 138 | additionalData); |
| Andrew Geissler | ede85d2 | 2022-03-04 16:21:32 -0600 | [diff] [blame] | 139 | } |
| Andrew Geissler | 8d8d731 | 2022-03-04 14:42:26 -0600 | [diff] [blame] | 140 | } |
| 141 | |
| Andrew Geissler | 6b9421b | 2022-02-24 17:01:55 -0600 | [diff] [blame] | 142 | return 0; |
| 143 | } |