Diffstat (limited to 'src/security/intel')
-rw-r--r--src/security/intel/txt/txt.h1
-rw-r--r--src/security/intel/txt/txtlib.c26
2 files changed, 27 insertions, 0 deletions
diff --git a/src/security/intel/txt/txt.h b/src/security/intel/txt/txt.h
index 64e507d2b3..63e5bcda5b 100644
--- a/src/security/intel/txt/txt.h
+++ b/src/security/intel/txt/txt.h
@@ -30,5 +30,6 @@ bool intel_txt_prepare_txt_env(void);
/* Allow platform override to skip TXT lockdown, e.g. required for RAS error injection. */
bool skip_intel_txt_lockdown(void);
const char *intel_txt_processor_error_type(uint8_t type);
+void disable_intel_txt(void);
#endif /* SECURITY_INTEL_TXT_H_ */
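Review bot: The new prototype `void disable_intel_txt(void);` is added without a comment, while `skip_intel_txt_lockdown()` two lines above it has one. Because the function clears the TXT memory lock, the header should say when it acts, e.g. `/* Unlock TXT-locked memory on a TXT-capable CPU when the establishment bit is not asserted; otherwise does nothing. */`. The comment should also note that the void return gives a caller no way to tell whether the unlock happened.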
diff --git a/src/security/intel/txt/txtlib.c b/src/security/intel/txt/txtlib.c
index 3ec2322f77..5478206ee2 100644
--- a/src/security/intel/txt/txtlib.c
+++ b/src/security/intel/txt/txtlib.c
@@ -44,3 +44,29 @@ bool is_txt_cpu(void)
return (ecx & (CPUID_SMX | CPUID_VMX)) == (CPUID_SMX | CPUID_VMX);
}
+
+static void unlock_txt_memory(void)
+{
+ msr_t msrval = {0};
+
+ wrmsr(IA32_LT_UNLOCK_MEMORY, msrval);
+}
+
+void disable_intel_txt(void)
+{
+ /* Return if the CPU doesn't support TXT */
+ if (!is_txt_cpu()) {
+ printk(BIOS_DEBUG, "Abort disabling TXT, as CPU is not TXT capable.\n");
+ return;
+ }
+
+ /*
+ * Memory is supposed to be locked if system is TXT capable
+ * As per TXT BIOS spec Section 6.2.5 unlock memory
+ * when security (TPM) is set and TXT is not enabled.
+ */
+ if (!is_establishment_bit_asserted()) {
+ unlock_txt_memory();
+ printk(BIOS_INFO, "TXT disabled successfully - Unlocked memory\n");
+ }
+}
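Review bot: In `disable_intel_txt()` the path where `is_establishment_bit_asserted()` returns true falls through silently, so the boot log shows neither success nor why memory stayed locked. Adding `} else { printk(BIOS_WARNING, "Establishment bit asserted, TXT memory left locked\n"); }` would make that path visible. The block comment gives the condition as "security (TPM) is set and TXT is not enabled", but the code tests only the establishment bit. That helper is defined outside this hunk, so either reword the comment to match the check or explain where the TXT-enabled state is verified. The success message also says "TXT disabled" although the only action visible here is a zero write to `IA32_LT_UNLOCK_MEMORY`; wording it as "memory unlocked" would avoid overstating the result.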