From 6a2495d8d9f389b7ee08c559cb18f9a78c810e38 Mon Sep 17 00:00:00 2001 From: Subrata Banik Date: Sat, 31 Dec 2022 14:36:54 +0530 Subject: security/intel/txt: Create Intel TXT lib with helper functions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch decouples useful TXT related operations from the romstage.c file alone and moves them into a helper txtlib.c. This effort will be helpful for SoC users to perform TXT related operations (like Disabling TXT) even without selecting INTEL_TXT config. At present, those helper functions are only available upon selecting INTEL_TXT which is not getting enabled for most of the SoC platform in the scope of the Chromebooks. TEST=Able to access functions from txtlib.c even without selecting INTEL_TXT config. Signed-off-by: Subrata Banik Change-Id: Iff5b4e705e18cbaf181b4c71bfed368c3ed047ed Reviewed-on: https://review.coreboot.org/c/coreboot/+/71573 Tested-by: build bot (Jenkins) Reviewed-by: Tarun Tuli Reviewed-by: Sridhar Siricilla --- src/security/intel/txt/Kconfig | 9 ++++++++ src/security/intel/txt/Makefile.inc | 2 ++ src/security/intel/txt/romstage.c | 39 +------------------------------ src/security/intel/txt/txtlib.c | 46 +++++++++++++++++++++++++++++++++++++ src/security/intel/txt/txtlib.h | 12 ++++++++++ 5 files changed, 70 insertions(+), 38 deletions(-) create mode 100644 src/security/intel/txt/txtlib.c create mode 100644 src/security/intel/txt/txtlib.h (limited to 'src/security/intel') diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig index 19eecc401b..637a6a787b 100644 --- a/src/security/intel/txt/Kconfig +++ b/src/security/intel/txt/Kconfig @@ -1,8 +1,17 @@ # SPDX-License-Identifier: GPL-2.0-only +config INTEL_TXT_LIB + bool + default n + help + This option includes library functions related to the TXT + operation which SoC would still like to access without enabling + INTEL_TXT config. + config INTEL_TXT bool "Intel TXT support" default n + select INTEL_TXT_LIB select MRC_SETTINGS_PROTECT if CACHE_MRC_SETTINGS select ENABLE_VMX if CPU_INTEL_COMMON select AP_IN_SIPI_WAIT diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc index 7132ca8495..e19bacfbf5 100644 --- a/src/security/intel/txt/Makefile.inc +++ b/src/security/intel/txt/Makefile.inc @@ -1,3 +1,5 @@ +romstage-$(CONFIG_INTEL_TXT_LIB) += txtlib.c + ifeq ($(CONFIG_INTEL_TXT),y) all-y += logging.c diff --git a/src/security/intel/txt/romstage.c b/src/security/intel/txt/romstage.c index e1329dd957..fa0ba3c7ff 100644 --- a/src/security/intel/txt/romstage.c +++ b/src/security/intel/txt/romstage.c @@ -4,52 +4,15 @@ #include #include #include -#include #include #include -#include #include -#include - #include "txt.h" +#include "txtlib.h" #include "txt_register.h" #include "txt_getsec.h" -static bool is_establishment_bit_asserted(void) -{ - struct stopwatch timer; - uint8_t access; - - /* Spec says no less than 30 milliseconds */ - stopwatch_init_msecs_expire(&timer, 50); - - while (true) { - access = read8((void *)TPM_ACCESS_REG); - - /* Register returns all ones if TPM is missing */ - if (access == 0xff) - return false; - - if (access & TPM_ACCESS_VALID) - break; - - /* On timeout, assume that the TPM is not working */ - if (stopwatch_expired(&timer)) - return false; - } - - /* This bit uses inverted logic: if cleared, establishment is asserted */ - return !(access & TPM_ACCESS_ESTABLISHMENT); -} - -static bool is_txt_cpu(void) -{ - const uint32_t ecx = cpu_get_feature_flags_ecx(); - - return (ecx & (CPUID_SMX | CPUID_VMX)) == (CPUID_SMX | CPUID_VMX); -} - static bool is_txt_chipset(void) { uint32_t eax; diff --git a/src/security/intel/txt/txtlib.c b/src/security/intel/txt/txtlib.c new file mode 100644 index 0000000000..3ec2322f77 --- /dev/null +++ b/src/security/intel/txt/txtlib.c @@ -0,0 +1,46 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ + +#include +#include +#include +#include +#include +#include +#include + +#include "txtlib.h" +#include "txt_register.h" + +bool is_establishment_bit_asserted(void) +{ + struct stopwatch timer; + uint8_t access; + + /* Spec says no less than 30 milliseconds */ + stopwatch_init_msecs_expire(&timer, 50); + + while (true) { + access = read8((void *)TPM_ACCESS_REG); + + /* Register returns all ones if TPM is missing */ + if (access == 0xff) + return false; + + if (access & TPM_ACCESS_VALID) + break; + + /* On timeout, assume that the TPM is not working */ + if (stopwatch_expired(&timer)) + return false; + } + + /* This bit uses inverted logic: if cleared, establishment is asserted */ + return !(access & TPM_ACCESS_ESTABLISHMENT); +} + +bool is_txt_cpu(void) +{ + const uint32_t ecx = cpu_get_feature_flags_ecx(); + + return (ecx & (CPUID_SMX | CPUID_VMX)) == (CPUID_SMX | CPUID_VMX); +} diff --git a/src/security/intel/txt/txtlib.h b/src/security/intel/txt/txtlib.h new file mode 100644 index 0000000000..35703b6139 --- /dev/null +++ b/src/security/intel/txt/txtlib.h @@ -0,0 +1,12 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ + +#ifndef SECURITY_INTEL_TXT_LIB_H_ +#define SECURITY_INTEL_TXT_LIB_H_ + +#include + +bool is_establishment_bit_asserted(void); + +bool is_txt_cpu(void); + +#endif /* SECURITY_INTEL_TXT_LIB_H_ */ -- cgit v1.2.3