1 #include "config.h" 2 3 #include "utils.hpp" 4 5 #include <phosphor-logging/lg2.hpp> 6 7 #include <filesystem> 8 #include <fstream> 9 #include <string> 10 11 PHOSPHOR_LOG2_USING; 12 13 constexpr auto PROPERTY_INTERFACE = "org.freedesktop.DBus.Properties"; 14 15 // Utilize the QuiesceOnHwError setting as an indication that the system 16 // is operating in an environment where the user should be notified of 17 // security settings (i.e. "Manufacturing") 18 bool isMfgModeEnabled() 19 { 20 auto bus = sdbusplus::bus::new_default(); 21 std::string path = "/xyz/openbmc_project/logging/settings"; 22 std::string interface = "xyz.openbmc_project.Logging.Settings"; 23 std::string propertyName = "QuiesceOnHwError"; 24 std::variant<bool> mfgModeEnabled; 25 26 std::string service = 27 phosphor::state::manager::utils::getService(bus, path, interface); 28 29 auto method = bus.new_method_call(service.c_str(), path.c_str(), 30 PROPERTY_INTERFACE, "Get"); 31 32 method.append(interface, propertyName); 33 34 try 35 { 36 auto reply = bus.call(method); 37 reply.read(mfgModeEnabled); 38 } 39 catch (const sdbusplus::exception_t& e) 40 { 41 error("Error in property Get, error {ERROR}, property {PROPERTY}", 42 "ERROR", e, "PROPERTY", propertyName); 43 throw; 44 } 45 46 return std::get<bool>(mfgModeEnabled); 47 } 48 49 int main() 50 { 51 // Read the secure boot gpio 52 auto secureBootGpio = 53 phosphor::state::manager::utils::getGpioValue("bmc-secure-boot"); 54 if (secureBootGpio == -1) 55 { 56 debug("bmc-secure-boot gpio not present or can not be read"); 57 } 58 else if (secureBootGpio == 0) 59 { 60 info("bmc-secure-boot gpio found and indicates it is NOT enabled"); 61 } 62 else 63 { 64 info("bmc-secure-boot found and indicates it is enabled"); 65 } 66 67 // Now read the /sys/kernel/debug/aspeed/ files 68 std::string dbgVal; 69 std::ifstream dbgFile; 70 int secureBootVal = -1; 71 int abrImage = -1; 72 73 dbgFile.exceptions(std::ifstream::failbit | std::ifstream::badbit | 74 std::ifstream::eofbit); 75 76 if (std::filesystem::exists(SYSFS_SECURE_BOOT_PATH)) 77 { 78 try 79 { 80 dbgFile.open(SYSFS_SECURE_BOOT_PATH); 81 dbgFile >> dbgVal; 82 dbgFile.close(); 83 info("Read {SECURE_BOOT_VAL} from secure_boot", "SECURE_BOOT_VAL", 84 dbgVal); 85 secureBootVal = std::stoi(dbgVal); 86 } 87 catch (std::exception& e) 88 { 89 error("Failed to read secure boot sysfs file: {ERROR}", "ERROR", e); 90 // just continue and error will be logged at end if in mfg mode 91 } 92 } 93 else 94 { 95 info("sysfs file secure_boot not present"); 96 } 97 98 if (std::filesystem::exists(SYSFS_ABR_IMAGE_PATH)) 99 { 100 try 101 { 102 dbgFile.open(SYSFS_ABR_IMAGE_PATH); 103 dbgFile >> dbgVal; 104 dbgFile.close(); 105 info("Read {ABR_IMAGE_VAL} from abr_image", "ABR_IMAGE_VAL", 106 dbgVal); 107 abrImage = std::stoi(dbgVal); 108 } 109 catch (std::exception& e) 110 { 111 error("Failed to read abr image sysfs file: {ERROR}", "ERROR", e); 112 // just continue and error will be logged at end if in mfg mode 113 } 114 } 115 else 116 { 117 info("sysfs file abr_image not present"); 118 } 119 120 if (isMfgModeEnabled()) 121 { 122 if ((secureBootGpio != 1) || (secureBootVal != 1) || (abrImage != 0)) 123 { 124 error("The system is not secure"); 125 std::map<std::string, std::string> additionalData; 126 additionalData.emplace("SECURE_BOOT_GPIO", 127 std::to_string(secureBootGpio)); 128 additionalData.emplace("SYSFS_SECURE_BOOT_VAL", 129 std::to_string(secureBootVal)); 130 additionalData.emplace("SYSFS_ABR_IMAGE_VAL", 131 std::to_string(abrImage)); 132 133 auto bus = sdbusplus::bus::new_default(); 134 phosphor::state::manager::utils::createError( 135 bus, "xyz.openbmc_project.State.Error.SecurityCheckFail", 136 sdbusplus::xyz::openbmc_project::Logging::server::Entry::Level:: 137 Warning, 138 additionalData); 139 } 140 } 141 142 return 0; 143 } 144