[coreboot-gerrit] Change in coreboot[master]: sec/intel/txt: Allow skipping ACM NOP function

23 Oct 2020

Angel Pons has submitted this change. ( https://review.coreboot.org/c/coreboot/+/46496 )
Change subject: sec/intel/txt: Allow skipping ACM NOP function
......................................................................
sec/intel/txt: Allow skipping ACM NOP function
This is merely used to test whether the BIOS ACM calling code is working
properly. There's no need to do this on production platforms. Testing on
Haswell showed that running this NOP function breaks S3 resume with TXT.
Add a Kconfig bool to control whether the NOP function is to be invoked.
Change-Id: Ibf461c18a96f1add7867e1320726fadec65b7184
Signed-off-by: Angel Pons th3fanbus@gmail.com
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46496
Tested-by: build bot (Jenkins) no-reply@coreboot.org
Reviewed-by: Arthur Heymans arthur@aheymans.xyz
---
M src/security/intel/txt/Kconfig
M src/security/intel/txt/ramstage.c
2 files changed, 19 insertions(+), 10 deletions(-)
Approvals:
  build bot (Jenkins): Verified
  Arthur Heymans: Looks good to me, approved

diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig
index b1d0475..d3ef2a6 100644
--- a/src/security/intel/txt/Kconfig
+++ b/src/security/intel/txt/Kconfig
@@ -40,6 +40,12 @@
      the MRC does not have an input to specify the size of DPR, so this
      field is only used to check if the programmed size is large enough.
+config INTEL_TXT_TEST_BIOS_ACM_CALLING_CODE
+	bool "Test BIOS ACM calling code with NOP function"
+	help
+	  Run a NOP function of the BIOS ACM to check that the ACM calling code
+	  is functioning properly. Use in pre-production environments only!
+
 config INTEL_TXT_LOGGING
    bool "Enable verbose logging"
    help
diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c
index 00e9ce7..c39194b 100644
--- a/src/security/intel/txt/ramstage.c
+++ b/src/security/intel/txt/ramstage.c
@@ -151,17 +151,20 @@
    	return;
    }
-	printk(BIOS_INFO, "TEE-TXT: Testing BIOS ACM calling code...\n");
+	if (CONFIG(INTEL_TXT_TEST_BIOS_ACM_CALLING_CODE)) {
+		printk(BIOS_INFO, "TEE-TXT: Testing BIOS ACM calling code...\n");
-	/*
-	 * Test BIOS ACM code.
-	 * ACM should do nothing on reserved functions, and return an error code
-	 * in TXT_BIOSACM_ERRORCODE. Tests showed that this is not true.
-	 * Use special function "NOP" that does 'nothing'.
-	 */
-	if (intel_txt_run_bios_acm(ACMINPUT_NOP) < 0) {
-		printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM with NOP function.\n");
-		return;
+		/*
+		 * Test BIOS ACM code.
+		 * ACM should do nothing on reserved functions, and return an error code
+		 * in TXT_BIOSACM_ERRORCODE. Tests showed that this is not true.
+		 * Use special function "NOP" that does 'nothing'.
+		 */
+		if (intel_txt_run_bios_acm(ACMINPUT_NOP) < 0) {
+			printk(BIOS_ERR,
+				"TEE-TXT: Error calling BIOS ACM with NOP function.\n");
+			return;
+		}
    }
if (status & (ACMSTS_BIOS_TRUSTED | ACMSTS_IBB_MEASURED)) {
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/46496
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ibf461c18a96f1add7867e1320726fadec65b7184
Gerrit-Change-Number: 46496
Gerrit-PatchSet: 6
Gerrit-Owner: Angel Pons th3fanbus@gmail.com
Gerrit-Reviewer: Angel Pons th3fanbus@gmail.com
Gerrit-Reviewer: Arthur Heymans arthur@aheymans.xyz
Gerrit-Reviewer: build bot (Jenkins) no-reply@coreboot.org
Gerrit-CC: Paul Menzel paulepanter@users.sourceforge.net
Gerrit-MessageType: merged



    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[coreboot-gerrit] Change in coreboot[master]: sec/intel/txt: Allow skipping ACM NOP function