3 files changed, 28 insertions, 0 deletions

diff --git a/src/include/cpu/x86/msr.h b/src/include/cpu/x86/msr.h
index 33eb457f1a..d369972908 100644
--- a/src/include/cpu/x86/msr.h
+++ b/src/include/cpu/x86/msr.h
@@ -81,6 +81,7 @@
 #define  MCA_STATUS_LO_ERRCODE_EXT_SH	16
 #define  MCA_STATUS_LO_ERRCODE_EXT_MASK	(0x3f << MCA_STATUS_LO_ERRCODE_EXT_SH)
 #define  MCA_STATUS_LO_ERRCODE_MASK	(0xffff << 0)
+#define IA32_LT_UNLOCK_MEMORY		0x2e6
 #define IA32_MC0_ADDR			0x402
 #define IA32_MC_ADDR(bank)		(IA32_MC0_ADDR + 4 * (bank))
 #define IA32_MC0_MISC			0x403
diff --git a/src/security/intel/txt/txt.h b/src/security/intel/txt/txt.h
index 64e507d2b3..63e5bcda5b 100644
--- a/src/security/intel/txt/txt.h
+++ b/src/security/intel/txt/txt.h
@@ -30,5 +30,6 @@ bool intel_txt_prepare_txt_env(void);
 /* Allow platform override to skip TXT lockdown, e.g. required for RAS error injection. */
 bool skip_intel_txt_lockdown(void);
 const char *intel_txt_processor_error_type(uint8_t type);
+void disable_intel_txt(void);
 
 #endif /* SECURITY_INTEL_TXT_H_ */
diff --git a/src/security/intel/txt/txtlib.c b/src/security/intel/txt/txtlib.c
index 3ec2322f77..5478206ee2 100644
--- a/src/security/intel/txt/txtlib.c
+++ b/src/security/intel/txt/txtlib.c
@@ -44,3 +44,29 @@ bool is_txt_cpu(void)
 
 	return (ecx & (CPUID_SMX | CPUID_VMX)) == (CPUID_SMX | CPUID_VMX);
 }
+
+static void unlock_txt_memory(void)
+{
+	msr_t msrval = {0};
+
+	wrmsr(IA32_LT_UNLOCK_MEMORY, msrval);
+}
+
+void disable_intel_txt(void)
+{
+	/* Return if the CPU doesn't support TXT */
+	if (!is_txt_cpu()) {
+		printk(BIOS_DEBUG, "Abort disabling TXT, as CPU is not TXT capable.\n");
+		return;
+	}
+
+	/*
+	 * Memory is supposed to be locked if system is TXT capable
+	 * As per TXT BIOS spec Section 6.2.5 unlock memory
+	 * when security (TPM) is set and TXT is not enabled.
+	 */
+	if (!is_establishment_bit_asserted()) {
+		unlock_txt_memory();
+		printk(BIOS_INFO, "TXT disabled successfully - Unlocked memory\n");
+	}
+}