blob: 52863542e5d2fba3d36c2bbcafb0579eed027b0d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
config STM
bool "Enable STM"
default n
depends on ENABLE_VMX
depends on SMM_TSEG
help
Enabling the STM will load a simple hypervisor into SMM that will
restrict the actions of the SMI handler, which is the part of BIOS
that functions in system management mode (SMM). The kernel can
configure the STM to prevent the SMI handler from accessing platform
resources.
The STM closes a vulnerability in Intel TXT (D-RTM)
The SMI handler provides a list of platform resources that it
requires access to the STM during STM startup, which the kernel
cannot override.
An additional capability, called STM-PE, provides a protected
execution capability that allows modules to be executed without
observation and interference. Examples of usage include kernel
introspection and virtualized trusted platform module (vTPM).
Requirement: SMM must be enabled and there must be sufficient room
within the TSEG to fit the MSEG.
if STM
menu "SMI Transfer Monitor (STM)"
config MSEG_SIZE
hex "mseg size"
default 0x100000
help
The MSEG_SIZE of 0x100000 assumes that:
IED_REGION_SIZE = 0x400000
SMM_RESERVED_SIZE = 0x200000
SMM_TSEG_SIZE = 0x800000
To use STM/PE, a larger MSEG_SIZE is necessary. This can be
done by either increasing SMM_TSEG_SIZE or reducing the
IED_REGION_SIZE and/or SMM_RESERVED_SIZE or some combination
of the three.
NOTE: The authors experience is that these configuration
parameters have to be changed at the soc Konfig for them to
be applied.
Minimum sizes:
STM only - 0x100000 - Supports up to 38 processor threads
- 0x200000 - Supports up to 102 processor threads
STM/PE - 0x300000+ depending on the amount of memory needed
for the protected execution virtual
machine (VM/PE)
config STM_STMPE_ENABLED
bool "STM/PE Enabled"
default n
help
STM/PE provides for additional virtual machines in SMRAM
that provides a protected execution environment for
applications such as introspection, which need to be
protected from malicious code. More information can be
found on the stmpe branch of
https://review.coreboot.org/STM
config BIOS_RESOURCE_LIST_SIZE
hex "bios resource list size"
default 0x1000
help
The BIOS resource list defines the resources that the
SMI handler needs. This list is created during the
coreboot bootup. Unless there has been a lot of elements
added to this list, this value should not change.
config STM_BINARY_FILE
string "STM binary file"
default "3rdparty/stm/Stm/build/StmPkg/Core/stm.bin"
help
Location of the STM binary file. The default location is
where the file will be located when coreboot builds
the STM.
config STM_HEAPSIZE
hex "stm heapsize"
default 0x46000
help
The STM_HEAPSIZE defines the heap space that is available
to the STM. The default size assumes a MSEG_SIZE of 0x100000.
For STM/PE this size should be a minimum of 0x246000.
config STM_TTYS0_BASE
hex "stm uart"
default TTYS0_BASE if TTYS0_BASE
default 0x000
help
Defines the serial port for STM console output. 0x000 indicates
no serial port.
config STM_CBMEM_CONSOLE
bool "STM cbmem console"
default n
depends on CONSOLE_CBMEM
help
Places the STM console output into the cbmem.
choice
prompt "Select STM console output"
config STM_CONSOLE_DEBUG
bool "Debug output"
depends on STM_CBMEM_CONSOLE || STM_TTYS0_BASE
help
"Produces all STM console output"
config STM_CONSOLE_RELEASE
bool "Deactivate console output"
help
"No console output is produced"
endchoice
endmenu #STM
endif
|