diff options
| author | Angel Pons <th3fanbus@gmail.com> | 2020-10-16 11:52:40 +0200 |
|---|---|---|
| committer | Angel Pons <th3fanbus@gmail.com> | 2020-10-22 20:05:01 +0000 |
| commit | 6c4028dd3ddf571ef2e992de8d9927b598f7cd6b (patch) | |
| tree | be16d37d00c53d75231da79f1c37cdf70e3956e7 /src/security | |
| parent | e70a3f8822d6c1e0b0f1dc86464acfb24c80b450 (diff) | |
sec/intel/txt: Only run LockConfig for LT-SX
LockConfig only exists on Intel TXT for Servers. Check whether this is
supported using GETSEC[PARAMETERS]. This eliminates a spurious error for
Client TXT platforms such as Haswell, and is a no-op on TXT for Servers.
Change-Id: Ibb7b0eeba1489dc522d06ab27eafcaa0248b7083
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46498
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Diffstat (limited to 'src/security')
| -rw-r--r-- | src/security/intel/txt/ramstage.c | 22 | ||||
| -rw-r--r-- | src/security/intel/txt/txt_register.h | 3 |
2 files changed, 18 insertions, 7 deletions
diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c index 86bf7aa428..76eeaaffef 100644 --- a/src/security/intel/txt/ramstage.c +++ b/src/security/intel/txt/ramstage.c @@ -316,6 +316,7 @@ static void lockdown_intel_txt(void *unused) { const uint64_t status = read64((void *)TXT_SPAD); + uint32_t txt_feature_flags = 0; uintptr_t tseg_base; size_t tseg_size; @@ -324,13 +325,24 @@ static void lockdown_intel_txt(void *unused) if (status & ACMSTS_TXT_DISABLED) return; - printk(BIOS_INFO, "TEE-TXT: Locking TEE...\n"); + /* + * Document Number: 558294 + * Chapter 5.4.3 Detection of Intel TXT Capability + */ - /* Lock TXT config, unlocks TXT_HEAP_BASE */ - if (intel_txt_run_bios_acm(ACMINPUT_LOCK_CONFIG) < 0) { - printk(BIOS_ERR, "TEE-TXT: Failed to lock registers.\n"); - printk(BIOS_ERR, "TEE-TXT: SINIT won't be supported.\n"); + if (!getsec_parameter(NULL, NULL, NULL, NULL, NULL, &txt_feature_flags)) return; + + /* LockConfig only exists on Intel TXT for Servers */ + if (txt_feature_flags & GETSEC_PARAMS_TXT_EXT_CRTM_SUPPORT) { + printk(BIOS_INFO, "TEE-TXT: Locking TEE...\n"); + + /* Lock TXT config, unlocks TXT_HEAP_BASE */ + if (intel_txt_run_bios_acm(ACMINPUT_LOCK_CONFIG) < 0) { + printk(BIOS_ERR, "TEE-TXT: Failed to lock registers.\n"); + printk(BIOS_ERR, "TEE-TXT: SINIT won't be supported.\n"); + return; + } } /* diff --git a/src/security/intel/txt/txt_register.h b/src/security/intel/txt/txt_register.h index bbf0a7e72d..c19ec13799 100644 --- a/src/security/intel/txt/txt_register.h +++ b/src/security/intel/txt/txt_register.h @@ -132,8 +132,7 @@ #define IA32_GETSEC_SMCTRL 7 #define IA32_GETSEC_WAKEUP 8 -#define GETSEC_PARAMS_TXT_EXT (1ul << 5) -#define GETSEC_PARAMS_TXT_EXT_CRTM_SUPPORT (1ul << 1) +#define GETSEC_PARAMS_TXT_EXT_CRTM_SUPPORT (1ul << 5) #define GETSEC_PARAMS_TXT_EXT_MACHINE_CHECK (1ul << 6) /* ACM defines */ |