From 85d94740c44c0113459c78c57ed0733c7481348f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= Date: Sun, 21 Nov 2021 12:11:47 +0100 Subject: security/intel/txt: Allow to set TXT BIOS Data Region version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit TXT BIOS Data region version is checked by Trusted Boot code. Older versions of TBoot (e.g. 1.8.2) may refuse to set up the MLE if BDR version is not known. Provide an option to set the BDR version in case an older TBoot code is used. This is very useful for platforms with TPM 1.2. TEST=Set BDR version to 4 and successfully boot QubesOS 4.0 with TBoot 1.8.2 on Dell OptiPlex 9010 Signed-off-by: Michał Żygowski Change-Id: Ic2550bd4008559bd47de9e35f8b1c7b52e6e0f5f Reviewed-on: https://review.coreboot.org/c/coreboot/+/59513 Tested-by: build bot (Jenkins) Reviewed-by: Arthur Heymans Reviewed-by: Angel Pons --- src/security/intel/txt/Kconfig | 12 ++++++++++++ src/security/intel/txt/ramstage.c | 5 +---- 2 files changed, 13 insertions(+), 4 deletions(-) (limited to 'src/security/intel') diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig index 36489256b9..6d23583ed7 100644 --- a/src/security/intel/txt/Kconfig +++ b/src/security/intel/txt/Kconfig @@ -39,6 +39,18 @@ config INTEL_TXT_DPR_SIZE the MRC does not have an input to specify the size of DPR, so this field is only used to check if the programmed size is large enough. +config INTEL_TXT_BDR_VERSION + int "BIOS Data Region version" + range 2 6 + default 5 if TPM1 + default 6 if TPM2 + help + Specify the TXT heap BIOS Data Region version. Sometimes when using + an older Trusted Boot version, it may report unsupported BIOS Data + Region version and refuse to set up the measured launch environment. + Setting lower version may work around such issue. Allowed values + currently range from 2 to 6. + config INTEL_TXT_TEST_BIOS_ACM_CALLING_CODE bool "Test BIOS ACM calling code with NOP function" help diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c index 3ca766e51c..217d50c475 100644 --- a/src/security/intel/txt/ramstage.c +++ b/src/security/intel/txt/ramstage.c @@ -215,10 +215,7 @@ static void txt_initialize_heap(void) } __packed data = {0}; /* TPM2.0 requires version 6 of BDT */ - if (CONFIG(TPM2)) - data.bdr.version = 6; - else - data.bdr.version = 5; + data.bdr.version = CONFIG_INTEL_TXT_BDR_VERSION; data.bdr.no_logical_procs = dev_count_cpu(); -- cgit v1.2.3