diff options
| -rw-r--r-- | src/security/intel/txt/getsec.c | 25 | ||||
| -rw-r--r-- | src/security/intel/txt/romstage.c | 17 |
2 files changed, 31 insertions, 11 deletions
diff --git a/src/security/intel/txt/getsec.c b/src/security/intel/txt/getsec.c index af9b7bb471..cd2292745f 100644 --- a/src/security/intel/txt/getsec.c +++ b/src/security/intel/txt/getsec.c @@ -9,6 +9,7 @@ #include <cpu/x86/mp.h> #include <cpu/x86/msr.h> #include <types.h> +#include <rules.h> #include "txt_register.h" #include "txt_getsec.h" @@ -24,16 +25,26 @@ static bool getsec_enabled(void) /* * Check if SMX and VMX is supported by CPU. */ - if (!(ecx & CPUID_SMX) || !(ecx & CPUID_VMX)) + if (!(ecx & CPUID_SMX) || !(ecx & CPUID_VMX)) { + printk(BIOS_ERR, "SMX/VMX not supported by CPU\n"); return false; - + } /* - * Check if SMX, VMX and GetSec instructions haven't been disabled. + * This requirement is not needed for ENTERACCS, but for SENTER (see SDM). + * Skip check in romstage because IA32_FEATURE_CONTROL cannot be unlocked + * even after a global reset e.g. on Sandy/IvyBridge. However the register + * gets set properly in ramstage where all CPUs are already initialized. */ - msr_t msr = rdmsr(IA32_FEATURE_CONTROL); - if ((msr.lo & 0xff06) != 0xff06) - return false; - + if (!ENV_ROMSTAGE_OR_BEFORE) { + /* + * Check if SMX, VMX and GetSec instructions haven't been disabled. + */ + msr_t msr = rdmsr(IA32_FEATURE_CONTROL); + if ((msr.lo & 0xff06) != 0xff06) { + printk(BIOS_ERR, "GETSEC not enabled in IA32_FEATURE_CONTROL MSR\n"); + return false; + } + } /* * Enable SMX. Required to execute GetSec instruction. * Chapter 2.2.4.3 diff --git a/src/security/intel/txt/romstage.c b/src/security/intel/txt/romstage.c index 63db10f8c3..98308b7ba1 100644 --- a/src/security/intel/txt/romstage.c +++ b/src/security/intel/txt/romstage.c @@ -5,6 +5,7 @@ #include <cf9_reset.h> #include <console/console.h> #include <cpu/intel/common/common.h> +#include <cpu/x86/cr.h> #include <cpu/x86/msr.h> #include <southbridge/intel/common/pmbase.h> #include <timer.h> @@ -83,14 +84,22 @@ static void print_memory_is_locked(void) void intel_txt_romstage_init(void) { /* Bail early if the CPU doesn't support TXT */ - if (!is_txt_cpu()) + if (!is_txt_cpu()) { + printk(BIOS_ERR, "TEE-TXT: CPU not TXT capable.\n"); return; + } - /* We need to use GETSEC here, so enable it */ - enable_getsec_or_reset(); + /* + * We need to use GETSEC here, so enable it. + * CR4_SMXE is all we need to be able to call GETSEC[CAPABILITIES] + * or GETSEC[ENTERACCS] for SCLEAN. + */ + write_cr4(read_cr4() | CR4_SMXE); - if (!is_txt_chipset()) + if (!is_txt_chipset()) { + printk(BIOS_ERR, "TEE-TXT: Chipset not TXT capable.\n"); return; + } const uint8_t txt_ests = read8((void *)TXT_ESTS); |