From 9734e8091f472395b16c26e74430f26bf1c3756e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= Date: Sun, 21 Nov 2021 12:29:58 +0100 Subject: security/intel/txt: Correct reporting of chipset production fuse state MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Implement the chipset production fuse state reporting as described in the Intel TXT Software Development Guide. Also fix all occurrences where the production fuse state is checked. TEST=Dell OptiPlex 9010 with i7-3770/Q77 reports the chipset is production fused Signed-off-by: Michał Żygowski Change-Id: Ic86c5a9e1d162630a1cf61435d1014edabf104b0 Reviewed-on: https://review.coreboot.org/c/coreboot/+/59514 Reviewed-by: Patrick Rudolph Tested-by: build bot (Jenkins) --- src/security/intel/txt/common.c | 20 ++++++++++++++++++-- src/security/intel/txt/logging.c | 2 +- src/security/intel/txt/txt.h | 1 + 3 files changed, 20 insertions(+), 3 deletions(-) (limited to 'src/security/intel') diff --git a/src/security/intel/txt/common.c b/src/security/intel/txt/common.c index e3e2f5c469..7e6c55cd58 100644 --- a/src/security/intel/txt/common.c +++ b/src/security/intel/txt/common.c @@ -141,6 +141,22 @@ bool intel_txt_memory_has_secrets(void) return ret; } +bool intel_txt_chipset_is_production_fused(void) +{ + /* + * Certain chipsets report production fused information in either + * TXT.VER.FSBIF or TXT.VER.EMIF/TXT.VER.QPIIF. + * Chapter B.1.7 and B.1.9 + * Intel TXT Software Development Guide (Document: 315168-015) + */ + uint32_t reg = read32((void *)TXT_VER_FSBIF); + + if (reg == 0 || reg == UINT32_MAX) + reg = read32((void *)TXT_VER_QPIIF); + + return (reg & TXT_VER_PRODUCTION_FUSED) ? true : false; +} + static struct acm_info_table *find_info_table(const void *ptr) { const struct acm_header_v0 *acm_header = (struct acm_header_v0 *)ptr; @@ -203,8 +219,8 @@ static int validate_acm(const void *ptr) if (memcmp(acm_uuid, info->uuid, sizeof(acm_uuid)) != 0) return ACM_E_UUID_NOT_MATCH; - if ((acm_header->flags & ACM_FORMAT_FLAGS_DEBUG) == - (read64((void *)TXT_VER_FSBIF) & TXT_VER_PRODUCTION_FUSED)) + const bool production_acm = !(acm_header->flags & ACM_FORMAT_FLAGS_DEBUG); + if (production_acm != intel_txt_chipset_is_production_fused()) return ACM_E_PLATFORM_IS_NOT_PROD; return 0; diff --git a/src/security/intel/txt/logging.c b/src/security/intel/txt/logging.c index b4eac3333e..f73ae4baca 100644 --- a/src/security/intel/txt/logging.c +++ b/src/security/intel/txt/logging.c @@ -185,7 +185,7 @@ void txt_dump_chipset_info(void) printk(BIOS_INFO, "TEE-TXT: DIDVID 0x%x\n", read32((void *)TXT_DIDVID)); printk(BIOS_INFO, "TEE-TXT: production fused chipset: %s\n", - (read64((void *)TXT_VER_FSBIF) & TXT_VER_PRODUCTION_FUSED) ? "true" : "false"); + intel_txt_chipset_is_production_fused() ? "true" : "false"); } void txt_dump_regions(void) diff --git a/src/security/intel/txt/txt.h b/src/security/intel/txt/txt.h index e1a78af542..63ac91c887 100644 --- a/src/security/intel/txt/txt.h +++ b/src/security/intel/txt/txt.h @@ -23,6 +23,7 @@ void intel_txt_log_bios_acm_error(void); int intel_txt_log_acm_error(const uint32_t acm_error); void intel_txt_log_spad(void); bool intel_txt_memory_has_secrets(void); +bool intel_txt_chipset_is_production_fused(void); void intel_txt_run_sclean(void); int intel_txt_run_bios_acm(const u8 input_params); bool intel_txt_prepare_txt_env(void); -- cgit v1.2.3