From 5f9f77672d096a013094f3cad63cb138167dbf1b Mon Sep 17 00:00:00 2001
From: Philipp Deppenwiese
Date: Tue, 20 Nov 2018 14:22:15 +0100
Subject: security/intel/txt: Add Intel TXT support
Add TXT ramstage driver:
* Show startup errors
* Check for TXT reset
* Check for Secrets-in-memory
* Add assembly for GETSEC instruction
* Check platform state if GETSEC instruction is supported
* Configure TXT memory regions
* Lock TXT
* Protect TSEG using DMA protected regions
* Place SINIT ACM
* Print information about ACMs
Extend the `security_clear_dram_request()` function:
* Clear all DRAM if secrets are in memory
Add a config so that the code gets build-tested.
Since BIOS and SINIT ACM binaries are not available, use the STM binary as a placeholder.
Tested on OCP Wedge100s and Facebook Watson
* Able to enter a Measured Launch Environment using SINIT ACM and TBOOT
* Secrets in Memory bit is set on ungraceful shutdown
* Memory is cleared after ungraceful shutdown
Change-Id: Iaf4be7f016cc12d3971e1e1fe171e6665e44c284
Signed-off-by: Philipp Deppenwiese
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37016
Tested-by: build bot (Jenkins)
Reviewed-by: Christian Walter
---
src/security/intel/txt/Makefile.inc | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
(limited to 'src/security/intel/txt/Makefile.inc')
diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc
index 38eb65d69c..39c3ad1dff 100644
--- a/src/security/intel/txt/Makefile.inc
+++ b/src/security/intel/txt/Makefile.inc
@@ -1,5 +1,14 @@
ifeq ($(CONFIG_INTEL_TXT),y)
+romstage-y += common.c
+romstage-$(CONFIG_INTEL_TXT_LOGGING) += logging.c
+
+ramstage-y += common.c
+ramstage-y += getsec.c
+ramstage-y += getsec_enteraccs.S
+ramstage-y += ramstage.c
+ramstage-$(CONFIG_INTEL_TXT_LOGGING) += logging.c
+
cbfs-files-y += txt_bios_acm.bin
txt_bios_acm.bin-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE)
txt_bios_acm.bin-type := raw
@@ -13,6 +22,8 @@ txt_sinit_acm.bin-align := 0x10
txt_sinit_acm.bin-compression := lzma
endif
+ifeq ($(CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE),y)
+
INTERMEDIATE+=add_acm_fit
add_acm_fit: $(obj)/coreboot.pre $(IFITTOOL)
$(IFITTOOL) -r COREBOOT -a -n txt_bios_acm.bin -t 2 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
@@ -26,7 +37,9 @@ ibb-files += bootblock
INTERMEDIATE+=add_ibb_fit
add_ibb_fit: $(obj)/coreboot.pre $(IFITTOOL)
- $(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) \
- -r COREBOOT)) true
+ $(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 \
+ -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT)) true
-endif
+endif # CPU_INTEL_FIRMWARE_INTERFACE_TABLE
+
+endif # INTEL_TXT
-- cgit v1.2.3
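Review bot: Gating the FIT insertion on `CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE` means a build with `INTEL_TXT=y` but FIT disabled still packs `txt_bios_acm.bin` into CBFS yet never registers it as a type-2 FIT entry, so the image builds cleanly while the BIOS ACM is not reachable through the FIT and the TXT launch this commit enables cannot work. Unless the Kconfig for `INTEL_TXT` already forces the dependency (not visible in this hunk), the Makefile should refuse the inconsistent configuration rather than silently dropping the entries, e.g. an `else` branch with `$(error INTEL_TXT needs CPU_INTEL_FIRMWARE_INTERFACE_TABLE so the BIOS ACM can be placed in the FIT)` before `endif # CPU_INTEL_FIRMWARE_INTERFACE_TABLE`. A `select CPU_INTEL_FIRMWARE_INTERFACE_TABLE` on the `INTEL_TXT` symbol would be the cleaner fix, in which case a one-line comment above the new `ifeq` saying that the guard only exists for build-testing would stop readers from assuming the no-FIT path is a supported TXT configuration.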
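Review bot: The rewrapped `add_ibb_fit` recipe still drives `ifittool` through `$(shell …)`, so every invocation runs during Make's expansion of the recipe line, its exit status is thrown away, and the only command the shell actually executes is `true`; a missing `$(file)`, a FIT table that already holds `$(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES)` entries, or a broken `$(IFITTOOL)` leaves `coreboot.pre` without the IBB entries while the build reports success, and any stdout from the tool is spliced into the command line instead of being shown. Running the tool in the shell keeps the per-file loop and fails the target on the first error, matching how `add_acm_fit` above already invokes it directly: `$(foreach file, $(ibb-files), $(IFITTOOL) -f $< -a -n $(file) -t 7 \` followed by `-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT &&) true`. Both FIT rules also rewrite their prerequisite `$<` in place rather than producing `$@`, which is why they have to be wired through `INTERMEDIATE`; a short comment on the `add_ibb_fit` line noting that the target is a marker and the real output is `$(obj)/coreboot.pre` would make that intent explicit.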