Angel Pons has submitted this change. ( https://review.coreboot.org/c/coreboot/+/46606 )
Change subject: sec/intel/txt: Add `enable_getsec_or_reset` function ......................................................................
sec/intel/txt: Add `enable_getsec_or_reset` function
This can be used to enable GETSEC/SMX in the IA32_FEATURE_CONTROL MSR, and will be put to use on Haswell in subsequent commits.
Change-Id: I5a82e515c6352b6ebbc361c6a53ff528c4b6cdba Signed-off-by: Angel Pons th3fanbus@gmail.com Reviewed-on: https://review.coreboot.org/c/coreboot/+/46606 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Arthur Heymans arthur@aheymans.xyz --- M src/security/intel/txt/getsec.c M src/security/intel/txt/txt_getsec.h 2 files changed, 33 insertions(+), 0 deletions(-)
Approvals: build bot (Jenkins): Verified Arthur Heymans: Looks good to me, approved
diff --git a/src/security/intel/txt/getsec.c b/src/security/intel/txt/getsec.c index 422f10d..af9b7bb 100644 --- a/src/security/intel/txt/getsec.c +++ b/src/security/intel/txt/getsec.c @@ -1,9 +1,13 @@ /* SPDX-License-Identifier: GPL-2.0-only */
+#include <cf9_reset.h> +#include <console/console.h> +#include <cpu/intel/common/common.h> #include <cpu/x86/lapic.h> #include <cpu/x86/cr.h> #include <cpu/x86/cache.h> #include <cpu/x86/mp.h> +#include <cpu/x86/msr.h> #include <types.h>
#include "txt_register.h" @@ -40,6 +44,33 @@ return true; }
+void enable_getsec_or_reset(void) +{ + msr_t msr = rdmsr(IA32_FEATURE_CONTROL); + + if (!(msr.lo & FEATURE_CONTROL_LOCK_BIT)) { + /* + * MSR not locked, enable necessary GETSEC and VMX settings. + * We do not lock this MSR here, though. + */ + msr.lo |= 0xff06; + wrmsr(IA32_FEATURE_CONTROL, msr); + + } else if ((msr.lo & 0xff06) != 0xff06) { + /* + * MSR is locked without necessary GETSEC and VMX settings. + * This can happen after internally reflashing a coreboot + * image with different settings, and then doing a warm + * reboot. Perform a full reset in order to unlock the MSR. + */ + printk(BIOS_NOTICE, + "IA32_FEATURE_CONTROL MSR locked with GETSEC and/or VMX disabled.\n" + "Will perform a full reset to unlock this MSR.\n"); + + full_reset(); + } +} + /** * Get information as returned by getsec[PARAMETER]. * Arguments can be set to NULL if not needed. diff --git a/src/security/intel/txt/txt_getsec.h b/src/security/intel/txt/txt_getsec.h index 8e663d5..78171a7 100644 --- a/src/security/intel/txt/txt_getsec.h +++ b/src/security/intel/txt/txt_getsec.h @@ -5,6 +5,8 @@
#include <types.h>
+void enable_getsec_or_reset(void); + bool getsec_parameter(uint32_t *version_mask, uint32_t *version_numbers_supported, uint32_t *max_size_acm_area,