From b21586a85b6b434dc90b35285f363f97384fcdd4 Mon Sep 17 00:00:00 2001
From: Richard Marian Thomaiyar
Date: Mon, 4 Nov 2019 15:19:35 +0530
Subject: Added support for validation unsecure mode
Support added for validation unsecure mode under compile flag which will be enabled only with debug-tweaks. Default is disabled.
Tested: Along with intel-ipmi-oem changes for set security mode command
1. Verified that system goes to validation unsecure mode as per the Set Security Mode command.
2. Able to execute all the manufacturing mode command in this state
3. Mode preserved during reboot and not in reset to defaults
Change-Id: Ice33d2c02ac8c0c0276ba16651f8acbd3d5b8cd4
Signed-off-by: Richard Marian Thomaiyar
---
 special-mode-mgr/CMakeLists.txt | 10 ++++++++++
 special-mode-mgr/include/specialmodemgr.hpp | 7 ++++++-
 special-mode-mgr/src/specialmodemgr.cpp | 20 ++++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/special-mode-mgr/CMakeLists.txt b/special-mode-mgr/CMakeLists.txt
index cefe6ff..ea54904 100644
--- a/special-mode-mgr/CMakeLists.txt
+++ b/special-mode-mgr/CMakeLists.txt
@@ -37,6 +37,16 @@ target_link_libraries(${PROJECT_NAME} phosphor_logging)
 link_directories(${EXTERNAL_INSTALL_LOCATION}/lib)
+option(
+ BMC_VALIDATION_UNSECURE_FEATURE
+ "Enables unsecure features required by validation. Note: must
+ be turned off for production images."
+ OFF)
+target_compile_definitions(${PROJECT_NAME}
+ PRIVATE
+ $<$:
+ -DBMC_VALIDATION_UNSECURE_FEATURE>)
+
 set(SERVICE_FILES ${PROJECT_SOURCE_DIR}/specialmodemgr.service)
 install(TARGETS ${PROJECT_NAME} DESTINATION bin)
diff --git a/special-mode-mgr/include/specialmodemgr.hpp b/special-mode-mgr/include/specialmodemgr.hpp
index 2f0183b..9146b01 100644
--- a/special-mode-mgr/include/specialmodemgr.hpp
+++ b/special-mode-mgr/include/specialmodemgr.hpp
@@ -18,6 +18,7 @@
 #include
 #include
+#include
 static constexpr const char* strSpecialMode = "SpecialMode";
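Review bot: The `BMC_VALIDATION_UNSECURE_FEATURE` option in the CMakeLists.txt hunk relies only on its help string to keep it out of production images; nothing in the build makes an enabled configuration visible. Consider announcing it at configure time, e.g. `if(BMC_VALIDATION_UNSECURE_FEATURE) message(WARNING "validation unsecure mode compiled in; not for production images") endif()`, so a release pipeline can gate on the warning. The generator expression on the `target_compile_definitions` lines is truncated in this rendering, so its condition could not be checked here.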
@@ -25,7 +26,10 @@ enum SpecialMode : uint8_t
 {
 none = 0,
 manufacturingExpired = 1,
- manufacturingMode = 2
+ manufacturingMode = 2,
+#ifdef BMC_VALIDATION_UNSECURE_FEATURE
+ validationUnsecure = 3,
+#endif
 };
 class SpecialModeMgr
@@ -38,6 +42,7 @@ class SpecialModeMgr
 std::unique_ptr timer = nullptr;
 std::unique_ptr intfAddMatchRule = nullptr;
 std::unique_ptr propUpdMatchRule = nullptr;
+ std::filesystem::path validationModeFile = "/var/validation_unsecure_mode";
 void addSpecialModeProperty();
 void checkAndAddSpecialModeProperty(const std::string& provMode);
 void updateTimer(int countInSeconds);
diff --git a/special-mode-mgr/src/specialmodemgr.cpp b/special-mode-mgr/src/specialmodemgr.cpp
index f1ed722..44f12cc 100644
--- a/special-mode-mgr/src/specialmodemgr.cpp
+++ b/special-mode-mgr/src/specialmodemgr.cpp
@@ -50,6 +50,15 @@ SpecialModeMgr::SpecialModeMgr(
 timer(std::make_unique(io))
 {
+#ifdef BMC_VALIDATION_UNSECURE_FEATURE
+ if (std::filesystem::exists(validationModeFile))
+ {
+ specialMode = validationUnsecure;
+ addSpecialModeProperty();
+ return;
+ }
+#endif
+
 // Following condition must match to indicate specialMode.
 // Mark the mode as None for any failure.
 // 1. U-Boot detected power button press & indicated "special=mfg"
@@ -195,6 +204,17 @@ void SpecialModeMgr::addSpecialModeProperty()
 strSpecialMode, specialMode,
 // Ignore set
 [this](const uint8_t& req, uint8_t& propertyValue) {
+#ifdef BMC_VALIDATION_UNSECURE_FEATURE
+ if ((req == validationUnsecure) && (specialMode != req))
+ {
+ std::ofstream output(validationModeFile);
+ output.close();
+ specialMode = req;
+ propertyValue = req;
+ return 1;
+ }
+#endif
+
 if (req == manufacturingExpired && specialMode != req)
 {
 specialMode = req;
-- 
cgit v1.2.3
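Review bot: `validationModeFile` in the `@@ -38,6 +42,7 @@` hunk of specialmodemgr.hpp is declared outside the `#ifdef BMC_VALIDATION_UNSECURE_FEATURE` guard and is a mutable per-instance member, although every use visible in specialmodemgr.cpp sits inside the guard. I would place it under the same guard and make it immutable, e.g. `static inline const std::filesystem::path validationModeFile = "/var/validation_unsecure_mode";`, with a comment such as `// Presence of this file persists validationUnsecure mode across reboots.` so the next reader knows the file itself is the security-relevant state. The class body starts and ends outside this hunk.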
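Review bot: In the constructor hunk (`@@ -50,6 +50,15 @@`) the mere existence of the marker file is the only condition for starting in `validationUnsecure`, and the early `return` skips every check described in the comment block that follows. Two things are missing for a state this sensitive: the throwing overload of `std::filesystem::exists` can raise `std::filesystem::filesystem_error` out of the constructor, and nothing is logged when the mode is restored at boot. Use the non-throwing form, `std::error_code ec; if (std::filesystem::exists(validationModeFile, ec))`, and emit a warning-level journal entry before `addSpecialModeProperty()` so operators and log monitoring can see that the BMC came up in an unsecure mode. The constructor continues past the end of the hunk.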
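Review bot: The new branch in the property setter (`@@ -195,6 +204,17 @@`) never checks that the marker file was actually created: `std::ofstream output(validationModeFile); output.close();` is followed by the state change whether or not the open succeeded, so the mode can be active now yet silently lost on the next reboot. Check the stream before committing, e.g. `if (!output.is_open()) { /* log and reject the request */ }`, and only then assign `specialMode` and `propertyValue`. The branch also accepts the request from any current mode and writes no log entry; access control is presumably left to the D-Bus policy, which is not visible here, so an audit log line on this transition would be worth adding. The `// Ignore set` comment above the lambda no longer describes it, and the lambda continues outside the hunk.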