author | Michał Żygowski <michal.zygowski@3mdeb.com> | 2021-11-21 13:13:15 +0100 |
---|---|---|
committer | Michał Żygowski <michal.zygowski@3mdeb.com> | 2021-11-27 14:20:16 +0000 |
commit | 257094ac1ad5ee63c9b98cecbc3f5437eeefcc79 (patch) | |
tree | 84996bf94b54fefa2d46ccc262cda457b2d5b6da /src/security/intel/txt/getsec.c | |
parent | 50449eb05f9eae0598f589449cb9ce25b53ed84f (diff) |
security/intel/txt: Fix GETSEC checks in romstage
IA32_FEATURE_CONTROL does not need to be checked by BIOS, in fact these
bits are needed only by SENTER and SINIT ACM. ACM ENTERACCS does not
check these bits according to Intel SDM. Also noticed that the lock bit
of IA32_FEATURE_CONTROL cannot be cleared by issuing either a global
reset or a full reset on Sandybridge/Ivybridge platforms, which results
in a reset loop. However, check the IA32_FEATURE_CONTROL SENTER bits in
ramstage where the register is properly set on all cores already.
TEST=Run ACM SCLEAN on Dell OptiPlex 9010 with i7-3770/Q77
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Change-Id: Ie9103041498f557b85019a56e1252090a4fcd0c9
Reviewed-on: https://review.coreboot.org/c/coreboot/+/59520
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
Diffstat (limited to 'src/security/intel/txt/getsec.c')
-rw-r--r-- | src/security/intel/txt/getsec.c | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/src/security/intel/txt/getsec.c b/src/security/intel/txt/getsec.c
index af9b7bb471..cd2292745f 100644
--- a/src/security/intel/txt/getsec.c
+++ b/src/security/intel/txt/getsec.c
@@ -9,6 +9,7 @@
 #include <cpu/x86/mp.h>
 #include <cpu/x86/msr.h>
 #include <types.h>
+#include <rules.h>
 
 #include "txt_register.h"
 #include "txt_getsec.h"
@@ -24,16 +25,26 @@ static bool getsec_enabled(void)
 /*
 * Check if SMX and VMX is supported by CPU.
 */
- if (!(ecx & CPUID_SMX) || !(ecx & CPUID_VMX))
+ if (!(ecx & CPUID_SMX) || !(ecx & CPUID_VMX)) {
+ printk(BIOS_ERR, "SMX/VMX not supported by CPU\n");
 return false;
-
+ }
 /*
- * Check if SMX, VMX and GetSec instructions haven't been disabled.
+ * This requirement is not needed for ENTERACCS, but for SENTER (see SDM).
+ * Skip check in romstage because IA32_FEATURE_CONTROL cannot be unlocked
+ * even after a global reset e.g. on Sandy/IvyBridge. However the register
+ * gets set properly in ramstage where all CPUs are already initialized.
 */
- msr_t msr = rdmsr(IA32_FEATURE_CONTROL);
- if ((msr.lo & 0xff06) != 0xff06)
- return false;
-
+ if (!ENV_ROMSTAGE_OR_BEFORE) {
+ /*
+ * Check if SMX, VMX and GetSec instructions haven't been disabled.
+ */
+ msr_t msr = rdmsr(IA32_FEATURE_CONTROL);
+ if ((msr.lo & 0xff06) != 0xff06) {
+ printk(BIOS_ERR, "GETSEC not enabled in IA32_FEATURE_CONTROL MSR\n");
+ return false;
+ }
+ }
 /*
 * Enable SMX. Required to execute GetSec instruction.
 * Chapter 2.2.4.3 |
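Review bot: The ramstage-only check in getsec_enabled() still compares against the bare mask `0xff06`, which leaves out bit 0, the lock bit of IA32_FEATURE_CONTROL, so the check passes on a register whose enable bits are set but which is still writable. In the SDM layout the mask covers bits 1-2 (VMX inside/outside SMX) and bits 8-15 (SENTER local and global enables); a comment such as `/* bits 1-2: VMX in/outside SMX, bits 8-15: SENTER enables; lock (bit 0) is not checked here */` would make that explicit, and if the lock is expected to be set by this point, testing it as well would catch a misconfigured core. The new error message would be easier to act on with the value read, e.g. `printk(BIOS_ERR, "GETSEC not enabled in IA32_FEATURE_CONTROL MSR (0x%08x)\n", msr.lo);`. Whether the lock is asserted before this code runs is not visible in the hunk, and getsec_enabled() starts before and continues past the lines shown.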