From ad87a82ca7d960ee696dd57c013d75609212eb66 Mon Sep 17 00:00:00 2001 From: Subrata Banik Date: Sat, 31 Dec 2022 14:43:57 +0530 Subject: =?UTF-8?q?security/intel/txt:=20Add=20helper=20function=20to=20di?= =?UTF-8?q?sable=C2=A0TXT?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a function to disable TXT as per TXT BIOS spec Section 6.2.5. AP firmware can disable TXT if TXT fails or TPM is already enabled. On platforms with TXT disabled, the memory can be unlocked using MSR 0x2e6. TEST=Able to perform disable_txt on SoC SKUs with TXT enabled. Signed-off-by: Subrata Banik Change-Id: I27f613428e82a1dd924172eab853d2ce9c32b473 Reviewed-on: https://review.coreboot.org/c/coreboot/+/71574 Tested-by: build bot (Jenkins) Reviewed-by: Tarun Tuli Reviewed-by: Sridhar Siricilla Reviewed-by: Eric Lai --- src/security/intel/txt/txt.h | 1 + src/security/intel/txt/txtlib.c | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+) (limited to 'src/security/intel/txt') diff --git a/src/security/intel/txt/txt.h b/src/security/intel/txt/txt.h index 64e507d2b3..63e5bcda5b 100644 --- a/src/security/intel/txt/txt.h +++ b/src/security/intel/txt/txt.h @@ -30,5 +30,6 @@ bool intel_txt_prepare_txt_env(void); /* Allow platform override to skip TXT lockdown, e.g. required for RAS error injection. */ bool skip_intel_txt_lockdown(void); const char *intel_txt_processor_error_type(uint8_t type); +void disable_intel_txt(void); #endif /* SECURITY_INTEL_TXT_H_ */ diff --git a/src/security/intel/txt/txtlib.c b/src/security/intel/txt/txtlib.c index 3ec2322f77..5478206ee2 100644 --- a/src/security/intel/txt/txtlib.c +++ b/src/security/intel/txt/txtlib.c @@ -44,3 +44,29 @@ bool is_txt_cpu(void) return (ecx & (CPUID_SMX | CPUID_VMX)) == (CPUID_SMX | CPUID_VMX); } + +static void unlock_txt_memory(void) +{ + msr_t msrval = {0}; + + wrmsr(IA32_LT_UNLOCK_MEMORY, msrval); +} + +void disable_intel_txt(void) +{ + /* Return if the CPU doesn't support TXT */ + if (!is_txt_cpu()) { + printk(BIOS_DEBUG, "Abort disabling TXT, as CPU is not TXT capable.\n"); + return; + } + + /* + * Memory is supposed to be locked if system is TXT capable + * As per TXT BIOS spec Section 6.2.5 unlock memory + * when security (TPM) is set and TXT is not enabled. + */ + if (!is_establishment_bit_asserted()) { + unlock_txt_memory(); + printk(BIOS_INFO, "TXT disabled successfully - Unlocked memory\n"); + } +} -- cgit v1.2.3