From e7266e8393590c5e9012e0f169a99fa4a86ec9db Mon Sep 17 00:00:00 2001
From: Arthur Heymans
Date: Mon, 10 May 2021 09:23:31 +0200
Subject: cpu/x86/entry16.S: Make Intel CBnT TOCTOU safe

Intel CBnT (and Boot Guard) makes the chain of trust TOCTOU safe by setting up NEM (non eviction mode) in the ACM. The CBnT IBB (Initial BootBlock) therefore should not disable caching.

Sidenote: the MSR macros are taken from the slimbootloader project.

TESTED: ocp/Deltalake boot with and without CBnT and also a broken CBnT setup.

Change-Id: Id2031e4e406655e14198e45f137ba152f8b6f567
Signed-off-by: Arthur Heymans
Reviewed-on: https://review.coreboot.org/c/coreboot/+/54010
Tested-by: build bot (Jenkins)
Reviewed-by: Christian Walter
---
 src/cpu/x86/entry16.S | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'src/cpu')

diff --git a/src/cpu/x86/entry16.S b/src/cpu/x86/entry16.S
index e1bfbf145d..147906fe4d 100644
--- a/src/cpu/x86/entry16.S
+++ b/src/cpu/x86/entry16.S
@@ -115,10 +115,24 @@ _start16bit:
 	subw %ax, %bx
 	lgdtl %cs:(%bx)
 
+#if CONFIG(INTEL_CBNT_SUPPORT)
+#include
+	movl $MSR_BOOT_GUARD_SACM_INFO, %ecx
+	rdmsr
+	andl $B_BOOT_GUARD_SACM_INFO_NEM_ENABLED, %eax
+	jz 1f
+	movl %cr0, %eax
+	andl $0x7FFAFFD1, %eax /* PG,AM,WP,NE,TS,EM,MP = 0 */
+	orl $0x01, %eax /* PE = 1 */
+	movl %eax, %cr0
+	jmp 2f
+#endif
+1:
 	movl %cr0, %eax
 	andl $0x7FFAFFD1, %eax /* PG,AM,WP,NE,TS,EM,MP = 0 */
 	orl $0x60000001, %eax /* CD, NW, PE = 1 */
 	movl %eax, %cr0
+2:
 
 	/* Restore BIST to %eax */
 	movl %ebp, %eax
-- 
cgit v1.2.3
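Review bot: The `andl $B_BOOT_GUARD_SACM_INFO_NEM_ENABLED, %eax` / `jz 1f` pair in the added block destroys the MSR value just to test one bit; `testl $B_BOOT_GUARD_SACM_INFO_NEM_ENABLED, %eax` sets ZF identically without clobbering %eax and reads as the bit check it is. Also worth documenting is that `rdmsr` overwrites %edx and the sequence loads %ecx, while the only value the surrounding code visibly keeps live is the BIST copy in %ebp — whether %edx carries anything at this point is not visible in the hunk, so a comment such as `/* clobbers %ecx, %edx; BIST stays in %ebp */` would let the next reader skip that audit. The NEM test decides whether the verified IBB stays cache-resident or falls back to the legacy CD/NW=1 path, so a comment at `1:` like `/* No NEM: cache disabled, IBB is re-fetched from SPI and not TOCTOU-safe */` would make the security consequence of an absent or failed ACM explicit rather than implied by the commit message. The `#include` placed inside the `#if` sits mid-function; the conventional place is with the file's other includes at the top (its path is not shown in this rendering). `_start16bit` begins before and continues after the hunk.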