From bccb6916feffa340be163cefa2654e014c485b79 Mon Sep 17 00:00:00 2001
From: Arthur Heymans <arthur@aheymans.xyz>
Date: Tue, 24 Nov 2020 17:37:11 +0100
Subject: security/intel/txt/ramstage.c: Fix clearing secrets on CBNT

intel_txt_memory_has_secret() checks for ESTS.TXT_ESTS_WAKE_ERROR_STS
|| E2STS.TXT_E2STS_SECRET_STS and it looks like with CBNT the E2STS
bit can be set without the ESTS bit.

Change-Id: Iff4436501b84f5c209add845b3cd3a62782d17e6
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/47934
Reviewed-by: Jonathan Zhang <jonzhang@fb.com>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
---
 src/security/intel/txt/ramstage.c | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

(limited to 'src/security/intel/txt')

diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c
index c33af893ac..cbc3a41bb7 100644
--- a/src/security/intel/txt/ramstage.c
+++ b/src/security/intel/txt/ramstage.c
@@ -89,23 +89,21 @@ static void check_secrets_txt(void *unused)
 	if (status & ACMSTS_TXT_DISABLED)
 		return;
 
-	/* Check for fatal ACM error and TXT reset */
-	if (get_wake_error_status()) {
-		/*
-		 * Check if secrets bit needs to be reset. Only platforms that support
-		 * CONFIG(PLATFORM_HAS_DRAM_CLEAR) will be able to run this code.
-		 * Assume all memory really was cleared.
-		 *
-		 * TXT will issue a platform reset to come up sober.
-		 */
-		if (intel_txt_memory_has_secrets()) {
-			printk(BIOS_INFO, "TEE-TXT: Wiping TEE...\n");
-			intel_txt_run_bios_acm(ACMINPUT_CLEAR_SECRETS);
+	/*
+	 * Check if secrets bit needs to be reset. Only platforms that support
+	 * CONFIG(PLATFORM_HAS_DRAM_CLEAR) will be able to run this code.
+	 * On some platforms FSP-M takes care of the DRAM clearing.
+	 * Assume all memory really was cleared.
+	 *
+	 * TXT will issue a platform reset to come up sober.
+	 */
+	if (intel_txt_memory_has_secrets()) {
+		printk(BIOS_INFO, "TEE-TXT: Wiping TEE...\n");
+		intel_txt_run_bios_acm(ACMINPUT_CLEAR_SECRETS);
 
-			/* Should never reach this point ... */
-			intel_txt_log_acm_error(read32((void *)TXT_BIOSACM_ERRORCODE));
-			die("Waiting for platform reset...\n");
-		}
+		/* Should never reach this point ... */
+		intel_txt_log_acm_error(read32((void *)TXT_BIOSACM_ERRORCODE));
+		die("Waiting for platform reset...\n");
 	}
 }
 
-- 
cgit v1.2.3