author | Arthur Heymans <arthur@aheymans.xyz> | 2021-05-10 09:23:31 +0200 |
committer | Werner Zeh <werner.zeh@siemens.com> | 2021-05-28 09:13:06 +0000 |
commit | e7266e8393590c5e9012e0f169a99fa4a86ec9db (patch) | |
tree | ee33bd6e144c36ad598765673f2602c2acf03f8f /src/cpu | |
parent | e3a079cff89b8101d0b0a3a77938bd1c6ddaf752 (diff) |
cpu/x86/entry16.S: Make Intel CBnT TOCTOU safe
Intel CBnT (and Boot Guard) make the chain of trust TOCTOU safe by
setting up NEM (non-eviction mode) in the ACM. The CBnT IBB (Initial
Boot Block) must therefore not disable caching.
Sidenote: the MSR macros are taken from the slimbootloader project.
TESTED: ocp/Deltalake boot with and without CBnT and also a broken
CBnT setup.
Change-Id: Id2031e4e406655e14198e45f137ba152f8b6f567
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/54010
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Diffstat (limited to 'src/cpu')
-rw-r--r-- | src/cpu/x86/entry16.S | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/cpu/x86/entry16.S b/src/cpu/x86/entry16.S
index e1bfbf145d..147906fe4d 100644
--- a/src/cpu/x86/entry16.S
+++ b/src/cpu/x86/entry16.S
@@ -115,10 +115,24 @@ _start16bit:
 	subw %ax, %bx
 	lgdtl %cs:(%bx)
+#if CONFIG(INTEL_CBNT_SUPPORT)
+#include <cpu/intel/msr.h>
+	movl $MSR_BOOT_GUARD_SACM_INFO, %ecx
+	rdmsr
+	andl $B_BOOT_GUARD_SACM_INFO_NEM_ENABLED, %eax
+	jz 1f
+	movl %cr0, %eax
+	andl $0x7FFAFFD1, %eax /* PG,AM,WP,NE,TS,EM,MP = 0 */
+	orl $0x01, %eax /* PE = 1 */
+	movl %eax, %cr0
+	jmp 2f
+#endif
+1:
 	movl %cr0, %eax
 	andl $0x7FFAFFD1, %eax /* PG,AM,WP,NE,TS,EM,MP = 0 */
 	orl $0x60000001, %eax /* CD, NW, PE = 1 */
 	movl %eax, %cr0
+2:
 	/* Restore BIST to %eax */
 	movl %ebp, %eax |
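Review bot: The NEM branch carries no comment explaining why CR0.CD/NW are deliberately left alone, so the security reasoning exists only in the commit message; add above `movl $MSR_BOOT_GUARD_SACM_INFO, %ecx` a comment such as `/* The CBnT/Boot Guard ACM left the IBB in NEM; disabling the cache here would undo that TOCTOU protection, so keep the ACM's CD/NW state and only set PE */`. The mask `0x7FFAFFD1` keeps bits 29 and 30, so this path carries the ACM's CD/NW values forward rather than forcing them clear, and the comment should say so explicitly. The `#include <cpu/intel/msr.h>` sits inside `_start16bit` between instructions and would be cleaner at the top of the file with the other includes; also, `rdmsr` writes %edx as well as %eax, so it is worth confirming nothing live is held there (BIST is in %ebp per the context lines, so that value is safe). `_start16bit` starts before and continues past this hunk.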