summaryrefslogtreecommitdiff
path: root/src/security/intel/txt
diff options
context:
space:
mode:
authorAngel Pons <th3fanbus@gmail.com>2020-10-21 00:19:00 +0200
committerAngel Pons <th3fanbus@gmail.com>2020-10-22 20:06:26 +0000
commit01490258bb26a1bbb7b41e0cf8100ec4d42082cb (patch)
tree823ee3ae9597ac761f009bb2c73daa5136a48ede /src/security/intel/txt
parent7b4d67cf42d7bb0718f2542075f76e5b0cb56548 (diff)
sec/intel/txt: Add `enable_getsec_or_reset` function
This can be used to enable GETSEC/SMX in the IA32_FEATURE_CONTROL MSR, and will be put to use on Haswell in subsequent commits. Change-Id: I5a82e515c6352b6ebbc361c6a53ff528c4b6cdba Signed-off-by: Angel Pons <th3fanbus@gmail.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/46606 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Diffstat (limited to 'src/security/intel/txt')
-rw-r--r--src/security/intel/txt/getsec.c31
-rw-r--r--src/security/intel/txt/txt_getsec.h2
2 files changed, 33 insertions, 0 deletions
diff --git a/src/security/intel/txt/getsec.c b/src/security/intel/txt/getsec.c
index 422f10d7c8..af9b7bb471 100644
--- a/src/security/intel/txt/getsec.c
+++ b/src/security/intel/txt/getsec.c
@@ -1,9 +1,13 @@
/* SPDX-License-Identifier: GPL-2.0-only */
+#include <cf9_reset.h>
+#include <console/console.h>
+#include <cpu/intel/common/common.h>
#include <cpu/x86/lapic.h>
#include <cpu/x86/cr.h>
#include <cpu/x86/cache.h>
#include <cpu/x86/mp.h>
+#include <cpu/x86/msr.h>
#include <types.h>
#include "txt_register.h"
@@ -40,6 +44,33 @@ static bool getsec_enabled(void)
return true;
}
+void enable_getsec_or_reset(void)
+{
+ msr_t msr = rdmsr(IA32_FEATURE_CONTROL);
+
+ if (!(msr.lo & FEATURE_CONTROL_LOCK_BIT)) {
+ /*
+ * MSR not locked, enable necessary GETSEC and VMX settings.
+ * We do not lock this MSR here, though.
+ */
+ msr.lo |= 0xff06;
+ wrmsr(IA32_FEATURE_CONTROL, msr);
+
+ } else if ((msr.lo & 0xff06) != 0xff06) {
+ /*
+ * MSR is locked without necessary GETSEC and VMX settings.
+ * This can happen after internally reflashing a coreboot
+ * image with different settings, and then doing a warm
+ * reboot. Perform a full reset in order to unlock the MSR.
+ */
+ printk(BIOS_NOTICE,
+ "IA32_FEATURE_CONTROL MSR locked with GETSEC and/or VMX disabled.\n"
+ "Will perform a full reset to unlock this MSR.\n");
+
+ full_reset();
+ }
+}
+
/**
* Get information as returned by getsec[PARAMETER].
* Arguments can be set to NULL if not needed.
diff --git a/src/security/intel/txt/txt_getsec.h b/src/security/intel/txt/txt_getsec.h
index 8e663d51b0..78171a7d5a 100644
--- a/src/security/intel/txt/txt_getsec.h
+++ b/src/security/intel/txt/txt_getsec.h
@@ -5,6 +5,8 @@
#include <types.h>
+void enable_getsec_or_reset(void);
+
bool getsec_parameter(uint32_t *version_mask,
uint32_t *version_numbers_supported,
uint32_t *max_size_acm_area,