1 files changed, 42 insertions, 0 deletions

diff --git a/src/security/intel/txt/common.c b/src/security/intel/txt/common.c
index 88e2b5dddb..4dd4ad3ddf 100644
--- a/src/security/intel/txt/common.c
+++ b/src/security/intel/txt/common.c
@@ -290,6 +290,48 @@ static void *intel_txt_prepare_bios_acm(struct region_device *acm, size_t *acm_l
 	return acm_data;
 }
 
+#define MCU_BASE_ADDR	(TXT_BASE + 0x278)
+#define BIOACM_ADDR	(TXT_BASE + 0x27c)
+#define APINIT_ADDR	(TXT_BASE + 0x290)
+#define SEMAPHORE	(TXT_BASE + 0x294)
+
+/* Returns on failure, resets the computer on success */
+void intel_txt_run_sclean(void)
+{
+	struct region_device acm;
+	size_t acm_len;
+
+	void *acm_data = intel_txt_prepare_bios_acm(&acm, &acm_len);
+
+	if (!acm_data)
+		return;
+
+	/* FIXME: Do we need to program these two? */
+	//write32((void *)MCU_BASE_ADDR, 0xffe1a990);
+	//write32((void *)APINIT_ADDR, 0xfffffff0);
+
+	write32((void *)BIOACM_ADDR, (uintptr_t)acm_data);
+	write32((void *)SEMAPHORE, 0);
+
+	/*
+	 * The time SCLEAN will take depends on the installed RAM size.
+	 * On Haswell with 8 GiB of DDR3, it takes five or ten minutes. (rough estimate)
+	 */
+	printk(BIOS_ALERT, "TEE-TXT: Invoking SCLEAN. This can take several minutes.\n");
+
+	/*
+	 * Invoke the BIOS ACM. If successful, the system will reset with memory unlocked.
+	 */
+	getsec_sclean((uintptr_t)acm_data, acm_len);
+
+	/*
+	 * However, if this function returns, the BIOS ACM could not be invoked. This is bad.
+	 */
+	printk(BIOS_CRIT, "TEE-TXT: getsec_sclean could not launch the BIOS ACM.\n");
+
+	rdev_munmap(&acm, acm_data);
+}
+
 /*
  * Test all bits for TXT execution.
  *