From 243c130a919c7037b5edd3a8097317340796ce85 Mon Sep 17 00:00:00 2001
From: "Jason M. Bills" <jason.m.bills@linux.intel.com>
Date: Thu, 5 Dec 2019 13:29:56 -0800
Subject: Update to internal 2019-12-05

Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
---
 .../at-scale-debug/at-scale-debug_git.bb           |  9 +++-
 .../recipes-core/crashdump/crashdump_git.bb        |  2 +-
 .../recipes-core/dropbear/dropbear_%.bbappend      |  5 ++
 .../recipes-core/fw-update/files/fwupd.sh          | 55 +++++++++++++++++++++-
 .../host-error-monitor/host-error-monitor_git.bb   |  6 +--
 .../recipes-core/interfaces/libmctp_git.bb         |  2 +-
 .../recipes-core/ipmi/intel-ipmi-oem_%.bbappend    |  3 +-
 .../recipes-core/libpeci/libpeci_git.bb            |  2 +-
 .../recipes-core/peci-pcie/peci-pcie_git.bb        |  2 +-
 .../meta-common/recipes-core/safec/safec_3.4.bb    |  2 +-
 .../security-registers-check.bb                    | 26 ++++++++++
 .../security-registers-check.service               | 10 ++++
 .../security-registers-check.sh                    | 42 +++++++++++++++++
 13 files changed, 155 insertions(+), 11 deletions(-)
 create mode 100644 meta-openbmc-mods/meta-common/recipes-core/dropbear/dropbear_%.bbappend
 create mode 100644 meta-openbmc-mods/meta-common/recipes-core/security-registers-check/security-registers-check.bb
 create mode 100644 meta-openbmc-mods/meta-common/recipes-core/security-registers-check/security-registers-check/security-registers-check.service
 create mode 100644 meta-openbmc-mods/meta-common/recipes-core/security-registers-check/security-registers-check/security-registers-check.sh

(limited to 'meta-openbmc-mods/meta-common/recipes-core')

diff --git a/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/at-scale-debug_git.bb b/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/at-scale-debug_git.bb
index 23288a3c2..b57ae1ca5 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/at-scale-debug_git.bb
+++ b/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/at-scale-debug_git.bb
@@ -13,7 +13,14 @@ DEPENDS = "sdbusplus openssl libpam libgpiod"
 do_configure[depends] += "virtual/kernel:do_shared_workdir"
 
 SRC_URI = "git://git@github.com/Intel-BMC/asd;protocol=ssh"
-SRCREV = "0d25836d8c63372890fbb7f40c54de6166a0a76f"
+SRCREV = "1.4.2"
+
+inherit useradd
+
+USERADD_PACKAGES = "${PN}"
+
+# add a special user asdbg
+USERADD_PARAM_${PN} = "-u 999 asdbg"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta-openbmc-mods/meta-common/recipes-core/crashdump/crashdump_git.bb b/meta-openbmc-mods/meta-common/recipes-core/crashdump/crashdump_git.bb
index 32bb0a8b9..21ae0bff7 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/crashdump/crashdump_git.bb
+++ b/meta-openbmc-mods/meta-common/recipes-core/crashdump/crashdump_git.bb
@@ -13,7 +13,7 @@ LICENSE = "Proprietary"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=26bb6d0733830e7bab774914a8f8f20a"
 
 SRC_URI = "git://git@github.com/Intel-BMC/crashdump;protocol=ssh"
-SRCREV = "042f17fafee9fd68a885a3e503113ffad6209625"
+SRCREV = "0.4"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta-openbmc-mods/meta-common/recipes-core/dropbear/dropbear_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/dropbear/dropbear_%.bbappend
new file mode 100644
index 000000000..307400322
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/dropbear/dropbear_%.bbappend
@@ -0,0 +1,5 @@
+do_install_append() {
+   # Remove dropbear service, if debug-tweaks is disabled
+   ${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', '', 'rm ${D}/${systemd_unitdir}/system/dropbear@.service', d)}
+}
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/fw-update/files/fwupd.sh b/meta-openbmc-mods/meta-common/recipes-core/fw-update/files/fwupd.sh
index 889a73c06..ca5da9598 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/fw-update/files/fwupd.sh
+++ b/meta-openbmc-mods/meta-common/recipes-core/fw-update/files/fwupd.sh
@@ -13,6 +13,36 @@ usage() {
         exit 1
 }
 
+logevent_update_started() {
+echo
+cat <<EOF | logger-systemd --journald
+REDFISH_MESSAGE_ID=OpenBMC.0.1.FirmwareUpdateStarted
+PRIORITY=2
+MESSAGE=$1 firmware update to version $2 started.
+REDFISH_MESSAGE_ARGS=$1,$2
+EOF
+}
+
+logevent_update_completed() {
+echo
+cat <<EOF | logger-systemd --journald
+REDFISH_MESSAGE_ID=OpenBMC.0.1.FirmwareUpdateCompleted
+PRIORITY=2
+MESSAGE=$1 firmware update to version $2 completed.
+REDFISH_MESSAGE_ARGS=$1,$2
+EOF
+}
+
+logevent_update_failed() {
+echo
+cat <<EOF | logger-systemd --journald
+REDFISH_MESSAGE_ID=OpenBMC.0.1.FirmwareUpdateFailed
+PRIORITY=4
+MESSAGE=$1 firmware update to version $2 failed.
+REDFISH_MESSAGE_ARGS=$1,$2
+EOF
+}
+
 if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then usage; fi
 if [ $# -eq 0 ]; then
 	# set DEFURI in $HOME/.fwupd.defaults
@@ -138,17 +168,28 @@ rm -f $LOCAL_PATH
 echo "Setting update intent in PFR CPLD"
 sleep 5 # delay for sync and to get the above echo messages
 # write to PFRCPLD about BMC update intent.
-i2cset -y 4 0x70 0x13 $upd_intent_val
+i2cset -y 4 0x38 0x13 $upd_intent_val
 
 else # Non-PFR image update section
+version="unknown"
+component="BMC"
+manifest_file=$(dirname "${REMOTE_PATH}")"/MANIFEST"
+if [ -e $manifest_file ]; then
+    version=`awk -F= -v key="version" '$1==key {print $2}' $manifest_file`
+fi
+
+logevent_update_started $component $version
+
 # do a quick sanity check on the image
 if [ $(stat -c "%s" "$LOCAL_PATH") -lt 10000000 ]; then
     echo "Update file "$LOCAL_PATH" seems to be too small"
+    logevent_update_failed $component $version
     exit 1
 fi
 dtc -I dtb -O dtb "$LOCAL_PATH" > /dev/null 2>&1
 if [ $? -ne 0 ]; then
     echo "Update file $LOCAL_PATH doesn't seem to be in the proper format"
+    logevent_update_failed $component $version
     exit 1
 fi
 
@@ -163,10 +204,22 @@ case "$BOOTADDR" in
 esac
 echo "Updating $(basename $TGT) (use bootm $BOOTADDR)"
 flash_erase $TGT 0 0
+if [ $? -ne 0 ]; then
+    echo "Erasing the flash failed"
+    logevent_update_failed $component $version
+    exit 1
+fi
 echo "Writing $(stat -c "%s" "$LOCAL_PATH") bytes"
 cat "$LOCAL_PATH" > "$TGT"
+if [ $? -ne 0 ]; then
+    echo "Writing to flash failed"
+    logevent_update_failed $component $version
+    exit 1
+fi
 fw_setenv "bootcmd" "bootm ${BOOTADDR}"
 
+logevent_update_completed $component $version
+
 # reboot
 reboot
 fi
diff --git a/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor_git.bb b/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor_git.bb
index 65e6a1778..5aab3db34 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor_git.bb
+++ b/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor_git.bb
@@ -2,14 +2,14 @@ LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://${INTELBASE}/COPYING.apache-2.0;md5=34400b68072d710fecd0a2940a0d1658"
 inherit cmake systemd
 
-SRC_URI = "git://git@github.com/Intel-BMC/provingground.git;protocol=ssh"
+SRC_URI = "git://git@github.com/Intel-BMC/host-error-monitor.git;protocol=ssh"
 
 DEPENDS = "boost sdbusplus libgpiod libpeci"
 
 PV = "0.1+git${SRCPV}"
-SRCREV = "4aec5d06d6adbaf53dbe7f18ea9f803eb2198b86"
+SRCREV = "ba7c4e08b423dc71bb8dcb963942cba860cdf7d4"
 
-S = "${WORKDIR}/git/host_error_monitor"
+S = "${WORKDIR}/git"
 
 SYSTEMD_SERVICE_${PN} += "xyz.openbmc_project.HostErrorMonitor.service"
 
diff --git a/meta-openbmc-mods/meta-common/recipes-core/interfaces/libmctp_git.bb b/meta-openbmc-mods/meta-common/recipes-core/interfaces/libmctp_git.bb
index a678fe72f..560efc72c 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/interfaces/libmctp_git.bb
+++ b/meta-openbmc-mods/meta-common/recipes-core/interfaces/libmctp_git.bb
@@ -2,7 +2,7 @@ SUMMARY = "libmctp"
 DESCRIPTION = "Implementation of MCTP (DTMF DSP0236)"
 
 SRC_URI = "git://github.com/openbmc/libmctp.git"
-SRCREV = "195a7c5e212f7fb50c850880519073ec99133607"
+SRCREV = "8081beba756d371cba40dee86b37bbc654020b17"
 
 PV = "0.1+git${SRCPV}"
 
diff --git a/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend
index 32a6dcf45..baab0e9eb 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend
@@ -1,3 +1,4 @@
 EXTRA_OECMAKE += "${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', '-DINTEL_PFR_ENABLED=ON', '', d)}"
+EXTRA_OECMAKE += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'validation-unsecure', '-DBMC_VALIDATION_UNSECURE_FEATURE=ON', '', d)}"
 SRC_URI = "git://github.com/openbmc/intel-ipmi-oem.git"
-SRCREV = "262276f4964191d780aeab3a821de54b01c0a8ff"
+SRCREV = "09a8314bb754dccd4af2ef8d2d9e6e43f6da74ec"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/libpeci/libpeci_git.bb b/meta-openbmc-mods/meta-common/recipes-core/libpeci/libpeci_git.bb
index f515501e8..8b97f95e8 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/libpeci/libpeci_git.bb
+++ b/meta-openbmc-mods/meta-common/recipes-core/libpeci/libpeci_git.bb
@@ -5,7 +5,7 @@ inherit cmake
 SRC_URI = "git://git@github.com/Intel-BMC/provingground.git;protocol=ssh"
 
 PV = "0.1+git${SRCPV}"
-SRCREV = "4aec5d06d6adbaf53dbe7f18ea9f803eb2198b86"
+SRCREV = "e1dbcef575309efeb04d275565a6e9649f3b89dd"
 
 S = "${WORKDIR}/git/libpeci"
 
diff --git a/meta-openbmc-mods/meta-common/recipes-core/peci-pcie/peci-pcie_git.bb b/meta-openbmc-mods/meta-common/recipes-core/peci-pcie/peci-pcie_git.bb
index 10b34354c..2b77a193c 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/peci-pcie/peci-pcie_git.bb
+++ b/meta-openbmc-mods/meta-common/recipes-core/peci-pcie/peci-pcie_git.bb
@@ -10,7 +10,7 @@ SRC_URI = "git://git@github.com/Intel-BMC/at-scale-debug;protocol=ssh"
 DEPENDS = "boost sdbusplus libpeci"
 
 PV = "0.1+git${SRCPV}"
-SRCREV = "20016caebaac78c3290462ffa8df10c2efd61261"
+SRCREV = "98c33cdb7d704a387edee4ac8f0ef98ea771b222"
 
 S = "${WORKDIR}/git/peci_pcie"
 
diff --git a/meta-openbmc-mods/meta-common/recipes-core/safec/safec_3.4.bb b/meta-openbmc-mods/meta-common/recipes-core/safec/safec_3.4.bb
index 646d9612f..a09c8ac2d 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/safec/safec_3.4.bb
+++ b/meta-openbmc-mods/meta-common/recipes-core/safec/safec_3.4.bb
@@ -7,7 +7,7 @@ SECTION = "lib"
 inherit autotools pkgconfig
 
 S = "${WORKDIR}/git"
-SRCREV = "5d92be815bf35137eb31fb653e435321a511311c"
+SRCREV = "60786283fd61cd621a5d1df00e083a1c1e3cf52a"
 SRC_URI = "git://github.com/rurban/safeclib.git"
 
 COMPATIBLE_HOST = '(x86_64|i.86|powerpc|powerpc64|arm|aarch64).*-linux'
diff --git a/meta-openbmc-mods/meta-common/recipes-core/security-registers-check/security-registers-check.bb b/meta-openbmc-mods/meta-common/recipes-core/security-registers-check/security-registers-check.bb
new file mode 100644
index 000000000..29f8e4986
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/security-registers-check/security-registers-check.bb
@@ -0,0 +1,26 @@
+SUMMARY = "Security registers check"
+DESCRIPTION = "script tool to check if registers value are security \
+               log the security event to systemd journal, and also log to redfish \
+              "
+
+S = "${WORKDIR}"
+SRC_URI = "file://security-registers-check.sh \
+           file://security-registers-check.service \
+"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${INTELBASE}/COPYING.apache-2.0;md5=34400b68072d710fecd0a2940a0d1658"
+RDEPENDS_${PN} += "bash logger-systemd"
+
+inherit systemd
+
+FILES_${PN} += "${systemd_system_unitdir}/security-registers-check.service"
+
+do_install() {
+    install -d ${D}${systemd_system_unitdir}
+    install -m 0777 ${WORKDIR}/security-registers-check.service ${D}${systemd_system_unitdir}
+    install -d ${D}${bindir}
+    install -m 0777 ${S}/security-registers-check.sh ${D}/${bindir}/security-registers-check.sh
+}
+
+SYSTEMD_SERVICE_${PN} += " security-registers-check.service"
\ No newline at end of file
diff --git a/meta-openbmc-mods/meta-common/recipes-core/security-registers-check/security-registers-check/security-registers-check.service b/meta-openbmc-mods/meta-common/recipes-core/security-registers-check/security-registers-check/security-registers-check.service
new file mode 100644
index 000000000..b824dbe3e
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/security-registers-check/security-registers-check/security-registers-check.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Check for security registers
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/security-registers-check.sh
+Nice=5
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-openbmc-mods/meta-common/recipes-core/security-registers-check/security-registers-check/security-registers-check.sh b/meta-openbmc-mods/meta-common/recipes-core/security-registers-check/security-registers-check/security-registers-check.sh
new file mode 100644
index 000000000..211120c78
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/security-registers-check/security-registers-check/security-registers-check.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+value=`cat /sys/devices/platform/ahb/ahb:apb/1e6e2000.syscon/1e6e2000.syscon:misc_control/uart_port_debug`
+if [ $value == 0 ]
+    then
+    # log the detailed last security registers check messages
+    logger -t security-registers-check "Uart port debug is enabled! Log as following:"
+    echo "Uart port debug is enabled." | logger
+    # Also log it to redfish
+    cat <<EOF | logger-systemd --journald
+REDFISH_MESSAGE_ID=OpenBMC.0.1.SecurityUartPortDebugEnabled
+PRIORITY=4
+MESSAGE=BMC Uart port debug is enabled
+EOF
+fi
+
+value=`cat /sys/devices/platform/ahb/ahb:apb/1e6e2000.syscon/1e6e2000.syscon:misc_control/p2a-bridge`
+if [ $value == 1 ]
+    then
+    # log the detailed last security registers check messages
+    logger -t security-registers-check "P2A(PCIe to AHB) bridge is enabled! Log as following:"
+    echo "P2A(PCIe to AHB) bridge is enabled." | logger
+    # Also log it to redfish
+    cat <<EOF | logger-systemd --journald
+REDFISH_MESSAGE_ID=OpenBMC.0.1.SecurityP2aBridgeEnabled
+PRIORITY=4
+MESSAGE=BMC P2A(PCIe to AHB) bridge is enabled
+EOF
+fi
+
+value=`cat /sys/devices/platform/ahb/ahb:apb/1e6e2000.syscon/1e6e2000.syscon:misc_control/boot-2nd-flash`
+if [ $value == 1 ]
+    then
+    # log the detailed last security registers check messages
+    logger -t security-registers-check "BMC 2nd boot flash is enabled! Log as following:"
+    echo "BMC 2nd boot flash is enabled." | logger
+    # Also log it to redfish
+    cat <<EOF | logger-systemd --journald
+REDFISH_MESSAGE_ID=OpenBMC.0.1.SecurityBoot2ndFlashEnabled
+PRIORITY=4
+MESSAGE=BMC 2nd boot flash is enabled
+EOF
+fi
-- 
cgit v1.2.3