summaryrefslogtreecommitdiff
path: root/src/security
diff options
context:
space:
mode:
Diffstat (limited to 'src/security')
-rw-r--r--src/security/intel/txt/getsec.c31
-rw-r--r--src/security/intel/txt/txt_getsec.h2
2 files changed, 33 insertions, 0 deletions
diff --git a/src/security/intel/txt/getsec.c b/src/security/intel/txt/getsec.c
index 422f10d7c8..af9b7bb471 100644
--- a/src/security/intel/txt/getsec.c
+++ b/src/security/intel/txt/getsec.c
@@ -1,9 +1,13 @@
/* SPDX-License-Identifier: GPL-2.0-only */
+#include <cf9_reset.h>
+#include <console/console.h>
+#include <cpu/intel/common/common.h>
#include <cpu/x86/lapic.h>
#include <cpu/x86/cr.h>
#include <cpu/x86/cache.h>
#include <cpu/x86/mp.h>
+#include <cpu/x86/msr.h>
#include <types.h>
#include "txt_register.h"
@@ -40,6 +44,33 @@ static bool getsec_enabled(void)
return true;
}
+void enable_getsec_or_reset(void)
+{
+ msr_t msr = rdmsr(IA32_FEATURE_CONTROL);
+
+ if (!(msr.lo & FEATURE_CONTROL_LOCK_BIT)) {
+ /*
+ * MSR not locked, enable necessary GETSEC and VMX settings.
+ * We do not lock this MSR here, though.
+ */
+ msr.lo |= 0xff06;
+ wrmsr(IA32_FEATURE_CONTROL, msr);
+
+ } else if ((msr.lo & 0xff06) != 0xff06) {
+ /*
+ * MSR is locked without necessary GETSEC and VMX settings.
+ * This can happen after internally reflashing a coreboot
+ * image with different settings, and then doing a warm
+ * reboot. Perform a full reset in order to unlock the MSR.
+ */
+ printk(BIOS_NOTICE,
+ "IA32_FEATURE_CONTROL MSR locked with GETSEC and/or VMX disabled.\n"
+ "Will perform a full reset to unlock this MSR.\n");
+
+ full_reset();
+ }
+}
+
/**
* Get information as returned by getsec[PARAMETER].
* Arguments can be set to NULL if not needed.
diff --git a/src/security/intel/txt/txt_getsec.h b/src/security/intel/txt/txt_getsec.h
index 8e663d51b0..78171a7d5a 100644
--- a/src/security/intel/txt/txt_getsec.h
+++ b/src/security/intel/txt/txt_getsec.h
@@ -5,6 +5,8 @@
#include <types.h>
+void enable_getsec_or_reset(void);
+
bool getsec_parameter(uint32_t *version_mask,
uint32_t *version_numbers_supported,
uint32_t *max_size_acm_area,