From e70a3f8822d6c1e0b0f1dc86464acfb24c80b450 Mon Sep 17 00:00:00 2001 From: Angel Pons Date: Fri, 16 Oct 2020 10:58:57 +0200 Subject: sec/intel/txt: Always run SCHECK on regular boots When Boot Guard is disabled or not available, the IBB might not even exist. This is the case on traditional (non-ULT) Haswell, for example. Leave the S3 resume check as-is for now. Skylake and newer may need to run SCHECK on resume as well, but I lack the hardware to test this on. Change-Id: I70231f60d4d4c5bc8ee0fcbb0651896256fdd391 Signed-off-by: Angel Pons Reviewed-on: https://review.coreboot.org/c/coreboot/+/46497 Tested-by: build bot (Jenkins) Reviewed-by: Arthur Heymans --- src/security/intel/txt/ramstage.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'src/security') diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c index c39194ba47..86bf7aa428 100644 --- a/src/security/intel/txt/ramstage.c +++ b/src/security/intel/txt/ramstage.c @@ -168,15 +168,16 @@ static void init_intel_txt(void *unused) } if (status & (ACMSTS_BIOS_TRUSTED | ACMSTS_IBB_MEASURED)) { + printk(BIOS_INFO, "TEE-TXT: Logging IBB measurements...\n"); log_ibb_measurements(); + } - int s3resume = acpi_is_wakeup_s3(); - if (!s3resume) { - printk(BIOS_INFO, "TEE-TXT: Scheck...\n"); - if (intel_txt_run_bios_acm(ACMINPUT_SCHECK) < 0) { - printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM.\n"); - return; - } + int s3resume = acpi_is_wakeup_s3(); + if (!s3resume) { + printk(BIOS_INFO, "TEE-TXT: Scheck...\n"); + if (intel_txt_run_bios_acm(ACMINPUT_SCHECK) < 0) { + printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM.\n"); + return; } } } -- cgit v1.2.3