path: root/src/security/intel
Age  |  Commit message (Collapse)  |  Author
2020-05-08  |  {security,soc}/*/Kconfig: Replace GPLv2 long form headers with SPDX header  |  Elyes HAOUAS
Change-Id: Ie3721f6a93dacb8014f93aa86780d51a659a68df Signed-off-by: Elyes HAOUAS <ehaouas@noos.fr> Reviewed-on: https://review.coreboot.org/c/coreboot/+/41145 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2020-05-02  |  intel/stm: Drop now unneeded `num_cpus` param  |  Eugene D Myers
Suggested by Nico Huber in CB:38766 Change-Id: Ib8a340f17a12951bc6bc67e3093046575e7b0e46 Signed-off-by: Eugene D Myers <cedarhouse@comcast.net> Reviewed-on: https://review.coreboot.org/c/coreboot/+/40438 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Angel Pons <th3fanbus@gmail.com>
2020-05-02  |  intel/stm: Place resource list right below MSEG  |  Eugene D Myers
Suggested by Nico Huber in CB:38765. This placement makes the address calculation simpler and makes its location independent of the number of CPUs. As part of the change in the BIOS resource list address calculation, the `size` variable was factored out of the conditional in line 361, thus eliminating the else. Change-Id: I9ee2747474df02b0306530048bdec75e95413b5d Signed-off-by: Eugene D Myers <cedarhouse@comcast.net> Reviewed-on: https://review.coreboot.org/c/coreboot/+/40437 Reviewed-by: Nico Huber <nico.h@gmx.de> Reviewed-by: Angel Pons <th3fanbus@gmail.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2020-04-15  |  Do not select USE_BLOBS  |  Nico Huber
The `USE_BLOBS` config only exists for idealistic reasons. If we would allow us to use blobs by default, we wouldn't need that option and could just always do it. It's generally debatable for the project as a whole, but not per board/subject. Change-Id: I8591862699aef02e5a4ede32655fc82c44c97555 Signed-off-by: Nico Huber <nico.huber@secunet.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/39884 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Reviewed-by: Angel Pons <th3fanbus@gmail.com> Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
2020-03-17  |  src (minus soc and mainboard): Remove copyright notices  |  Patrick Georgi
They're listed in AUTHORS and often incorrect anyway, for example:
- What's a "Copyright $year-present"?
- Which incarnation of Google (Inc, LLC, ...) is the current copyright holder?
- People sometimes have their editor auto-add themselves to files even though they only deleted stuff
- Or they let the editor automatically update the copyright year, because why not?
- Who is the copyright holder "The coreboot project Authors"?
- Or "Generated Code"?

Sidestep all these issues by simply not putting these notices in individual files, let's list all copyright holders in AUTHORS instead and use the git history to deal with the rest.

Change-Id: I89b10076e0f4a4b3acd59160fb7abe349b228321 Signed-off-by: Patrick Georgi <pgeorgi@google.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/39611 Reviewed-by: Aaron Durbin <adurbin@chromium.org> Reviewed-by: Angel Pons <th3fanbus@gmail.com> Reviewed-by: David Hendricks <david.hendricks@gmail.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2020-02-21  |  security/intel/stm: Use depends on ENABLE_VMX  |  Eugene Myers
The STM is a part of the core VTx and using ENABLE_VMX will make the STM option available for any configuration that has an Intel processor that supports VTx. Signed-off-by: Eugene D. Myers <edmyers@tycho.nsa.gov> Change-Id: I57ff82754e6c692c8722d41f812e35940346888a Reviewed-on: https://review.coreboot.org/c/coreboot/+/38852 Reviewed-by: Nico Huber <nico.h@gmx.de> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2020-02-21  |  security/intel/stm: Check for processor STM support  |  Eugene Myers
Check to ensure that dual monitor mode is supported on the current processor. Dual monitor mode is normally supported on any Intel x86 processor that has VTx support. The STM is a hypervisor that executes in SMM dual monitor mode. This check should fail only in the rare case where dual monitor mode is disabled. If the check fails, then the STM will not be initialized by coreboot. Signed-off-by: Eugene D. Myers <edmyers@tycho.nsa.gov> Change-Id: I518bb2aa1bdec94b5b6d5e991d7575257f3dc6e9 Reviewed-on: https://review.coreboot.org/c/coreboot/+/38836 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Nico Huber <nico.h@gmx.de>
2020-02-09  |  intel/stm: Add platform opt-in Kconfig  |  Nico Huber
Selecting STM on an arbitrary platform would likely result in a brick, so let's hide the prompt by default. Change-Id: I50f2106ac05c3efb7f92fccb1e6edfbf961b68b8 Signed-off-by: Nico Huber <nico.h@gmx.de> Reviewed-on: https://review.coreboot.org/c/coreboot/+/38764 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: <cedarhouse1@comcast.net> Reviewed-by: Angel Pons <th3fanbus@gmail.com>
2020-02-05  |  security/intel/stm: Add STM support  |  Eugene Myers
This update is a combination of all four of the patches so that the commit can be done without breaking parts of coreboot. This possible breakage is because the cross-dependencies between the original separate patches would cause failures because of data structure changes.

security/intel/stm

This directory contains the functions that check and move the STM to the MSEG, create its page tables, and create the BIOS resource list.

The STM page tables are a six-page region located in the MSEG and are pointed to by the CR3 Offset field in the MSEG header. The initial page tables will identity map all memory between 0-4G. The STM starts in IA32e mode, which requires page tables to exist at startup.

The BIOS resource list defines the resources that the SMI Handler is allowed to access. This includes the SMM memory area where the SMI handler resides and other resources such as I/O devices. The STM uses the BIOS resource list to restrict the SMI handler's accesses. The BIOS resource list is currently located in the same area as the SMI handler. This location is shown in the comment section before smm_load_module in smm_module_loader.c

Note: The files within security/intel/stm come directly from their Tianocore counterparts. Unnecessary code has been removed and the remaining code has been converted to meet coreboot coding requirements.

For more information see: SMI Transfer Monitor (STM) User Guide, Intel Corp., August 2015, Rev 1.0, can be found at firmware.intel.com

include/cpu/x86

Additions to include/cpu/x86 for STM support.

cpu/x86

STM Set up - The STM needs to be loaded into the MSEG during BIOS initialization and the SMM Monitor Control MSR be set to indicate that an STM is in the system.

cpu/x86/smm

SMI module loader modifications needed to set up the SMM descriptors used by the STM during its initialization

Change-Id: If4adcd92c341162630ce1ec357ffcf8a135785ec Signed-off-by: Eugene D. Myers <edmyers@tycho.nsa.gov> Reviewed-on: https://review.coreboot.org/c/coreboot/+/33234 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Patrick Georgi <pgeorgi@google.com> Reviewed-by: ron minnich <rminnich@gmail.com>
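Two pieces of logic described in the STM commits above (the dual-monitor support check from CB:38836 and the six-page identity map of 0-4G that the MSEG header's CR3 offset points to, from CB:33234) are modelled below. This is an added example written for this page, not coreboot or Tianocore code. Assumptions: the capability bit checked is IA32_VMX_BASIC (MSR 0x480) bit 49, "dual-monitor treatment of SMIs and SMM supported" as documented in the Intel SDM; the six pages are laid out as one PML4, one PDPT and four page directories of 2 MiB pages (an inference from the page count, not taken from the page); the MSEG base 0x7f000000 and the sample MSR value are constructed; and all function names are mine. The MSR value is passed in as a parameter so the code runs hosted; on hardware the caller reads it with rdmsr.

```c
/* Added example (not coreboot code). Assumptions are noted inline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE         4096u
#define ENTRIES_PER_TABLE 512u
#define PTE_PRESENT       (1ull << 0)
#define PTE_WRITABLE      (1ull << 1)
#define PTE_PAGE_SIZE     (1ull << 7)           /* PD entry maps a 2 MiB page */
#define PTE_ADDR_MASK     0x000ffffffffff000ull /* physical address bits of an entry */
#define PAGE_2M_MASK      0x1fffffull

/* IA32_VMX_BASIC (MSR 0x480) bit 49: dual-monitor treatment of SMIs and SMM
 * supported (Intel SDM, VMX capability reporting). */
#define IA32_VMX_BASIC_DUAL_MONITOR (1ull << 49)

int stm_dual_monitor_supported(uint64_t vmx_basic)
{
	return (vmx_basic & IA32_VMX_BASIC_DUAL_MONITOR) != 0;
}

/* Assumed layout of the six-page region: page 0 = PML4, page 1 = PDPT,
 * pages 2..5 = four page directories, each covering 1 GiB with 512 x 2 MiB pages. */
#define STM_PT_PAGES 6
#define STM_PT_SIZE  (STM_PT_PAGES * PAGE_SIZE)

/* Identity-maps 0..4 GiB into buf. 'base' is the physical address buf will
 * occupy inside the MSEG; table-to-table pointers are physical, so it is needed.
 * Returns the value the MSEG header's CR3 offset field would point at. */
uint64_t stm_build_identity_tables(uint8_t *buf, uint64_t base)
{
	uint64_t *pml4 = (uint64_t *)buf;
	uint64_t *pdpt = (uint64_t *)(buf + PAGE_SIZE);

	memset(buf, 0, STM_PT_SIZE);
	pml4[0] = (base + PAGE_SIZE) | PTE_PRESENT | PTE_WRITABLE;
	for (unsigned g = 0; g < 4; g++) {
		uint64_t pd_phys = base + (2 + g) * PAGE_SIZE;
		uint64_t *pd = (uint64_t *)(buf + (2 + g) * PAGE_SIZE);

		pdpt[g] = pd_phys | PTE_PRESENT | PTE_WRITABLE;
		for (unsigned i = 0; i < ENTRIES_PER_TABLE; i++) {
			uint64_t pa = ((uint64_t)g << 30) | ((uint64_t)i << 21);
			pd[i] = pa | PTE_PRESENT | PTE_WRITABLE | PTE_PAGE_SIZE;
		}
	}
	return base;
}

/* Resolves the table a present entry points to as a pointer into buf,
 * refusing anything that falls outside the six-page region. */
static const uint64_t *stm_table_at(const uint8_t *buf, uint64_t base, uint64_t entry)
{
	uint64_t phys = entry & PTE_ADDR_MASK;
	if (phys < base || phys - base >= STM_PT_SIZE)
		return NULL;
	return (const uint64_t *)(buf + (phys - base));
}

/* Software page walk mirroring what the CPU does with CR3 = base. Returns 1
 * and the physical address on a hit, 0 where no mapping exists. */
int stm_walk(const uint8_t *buf, uint64_t base, uint64_t va, uint64_t *pa)
{
	const uint64_t *pml4 = (const uint64_t *)buf, *pdpt, *pd;
	uint64_t e;

	if (va >> 48)  /* outside the 48-bit space: the CPU would fault */
		return 0;
	e = pml4[(va >> 39) & 0x1ff];
	if (!(e & PTE_PRESENT) || !(pdpt = stm_table_at(buf, base, e)))
		return 0;
	e = pdpt[(va >> 30) & 0x1ff];
	if (!(e & PTE_PRESENT) || !(pd = stm_table_at(buf, base, e)))
		return 0;
	e = pd[(va >> 21) & 0x1ff];
	if (!(e & PTE_PRESENT) || !(e & PTE_PAGE_SIZE))
		return 0;
	*pa = (e & PTE_ADDR_MASK & ~PAGE_2M_MASK) | (va & PAGE_2M_MASK);
	return 1;
}

/* Builds the tables at a constructed MSEG address and verifies the map:
 * addresses below 4 GiB translate to themselves, 4 GiB itself is unmapped. */
int stm_selftest(void)
{
	static uint8_t buf[STM_PT_SIZE] __attribute__((aligned(4096)));
	const uint64_t base = 0x7f000000ull;  /* constructed MSEG location */
	uint64_t cr3 = stm_build_identity_tables(buf, base), pa;

	if (cr3 != base) return 0;
	if (!stm_walk(buf, base, 0x12345678ull, &pa) || pa != 0x12345678ull) return 0;
	if (!stm_walk(buf, base, 0xffffffffull, &pa) || pa != 0xffffffffull) return 0;
	if (stm_walk(buf, base, 0x100000000ull, &pa)) return 0;
	return 1;
}

int main(void)
{
	uint64_t vmx_basic_sample = 0x00d81000000000ull | IA32_VMX_BASIC_DUAL_MONITOR; /* constructed */
	printf("dual-monitor supported: %d\n", stm_dual_monitor_supported(vmx_basic_sample));
	printf("page tables: %s\n", stm_selftest() ? "identity map verified" : "FAILED");
	return 0;
}
```

The walker is the useful part for review: it exercises the same entry bits the CPU checks, so a wrong physical base or a missing PS bit in a page directory entry shows up as a failed translation instead of a triple fault the first time the STM enters IA32e mode.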
2019-11-21  |  soc/intel/fsp_broadwell_de: Drop support  |  Arthur Heymans
Relocatable ramstage, postcar stage and C_ENVIRONMENT_BOOTBLOCK are now mandatory features, which this platform lacks. Change-Id: I8b6502b0894f9e2b8b1334871d7b6cde65cba7d4 Signed-off-by: Arthur Heymans <arthur@aheymans.xyz> Reviewed-on: https://review.coreboot.org/c/coreboot/+/36984 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com> Reviewed-by: David Hendricks <david.hendricks@gmail.com> Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
2019-11-14  |  security/intel: Hide Intel submenu when INTEL TXT is disabled  |  Wim Vervoorn
An empty submenu Intel is displayed in security menu when INTEL_TXT is disabled. Enable submenu Intel only when INTEL_TXT is enabled. BUG=N/A TEST=build Change-Id: Iff1d84ff60a15259b60c6205a63a27ecb26346a3 Signed-off-by: Wim Vervoorn <wvervoorn@eltan.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/36852 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Nico Huber <nico.h@gmx.de>
2019-10-18  |  build: Mark bootblock files on x86 as IBB  |  Patrick Rudolph
* Add cbfsoption --ibb to mark files as IBB
* Will be used by "Legacy FIT TXT" boot

Change-Id: I83313f035e7fb7e1eb484b323862522e28cb73d4 Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/31497 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
2019-09-02  |  security/intel: Add TXT infrastructure  |  Patrick Rudolph
* Add Kconfig to enable TXT
* Add possibility to add BIOS and SINIT ACMs
* Set default BIOS ACM alignment
* Increase FIT space if TXT is enabled

The following commits depend on the basic Kconfig infrastructure. Intel TXT isn't supported until all following commits are merged.

Change-Id: I5f0f956d2b7ba43d4e7e0062803c6d8ba569a052 Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/34585 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: David Hendricks <david.hendricks@gmail.com>