Subrata Banik has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/71574 )
Change subject: security/intel/txt: Helper function to disable TXT ......................................................................
security/intel/txt: Helper function to disable TXT
This patch disables TXT as per TXT BIOS spec Section 6.2.5. AP firmware can disable TXT if TXT fails or the TPM is already enabled.
On a platform with TXT disabled, the memory can be unlocked using MSR 0x2e6.
TEST=Able to perform disable_txt on SoC SKUs with TXT enabled.
Signed-off-by: Subrata Banik subratabanik@google.com Change-Id: I27f613428e82a1dd924172eab853d2ce9c32b473 --- M src/include/cpu/x86/msr.h M src/security/intel/txt/txt.h M src/security/intel/txt/txtlib.c 3 files changed, 49 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/74/71574/1
diff --git a/src/include/cpu/x86/msr.h b/src/include/cpu/x86/msr.h
index 33eb457..0d04dda 100644
--- a/src/include/cpu/x86/msr.h
+++ b/src/include/cpu/x86/msr.h
@@ -81,6 +81,7 @@
 #define MCA_STATUS_LO_ERRCODE_EXT_SH 16
 #define MCA_STATUS_LO_ERRCODE_EXT_MASK (0x3f << MCA_STATUS_LO_ERRCODE_EXT_SH)
 #define MCA_STATUS_LO_ERRCODE_MASK (0xffff << 0)
+#define IA32_UNLOCK_LT_MEMORY 0x2e6
 #define IA32_MC0_ADDR 0x402
 #define IA32_MC_ADDR(bank) (IA32_MC0_ADDR + 4 * (bank))
 #define IA32_MC0_MISC 0x403
diff --git a/src/security/intel/txt/txt.h b/src/security/intel/txt/txt.h
index 64e507d..63e5bcd 100644
--- a/src/security/intel/txt/txt.h
+++ b/src/security/intel/txt/txt.h
@@ -30,5 +30,6 @@
 /* Allow platform override to skip TXT lockdown, e.g. required for RAS error injection. */
 bool skip_intel_txt_lockdown(void);
 const char *intel_txt_processor_error_type(uint8_t type);
+void disable_intel_txt(void);
#endif /* SECURITY_INTEL_TXT_H_ */
diff --git a/src/security/intel/txt/txtlib.c b/src/security/intel/txt/txtlib.c
index 0fd40ab..2ae546a 100644
--- a/src/security/intel/txt/txtlib.c
+++ b/src/security/intel/txt/txtlib.c
@@ -45,3 +45,32 @@
 return (ecx & (CPUID_SMX | CPUID_VMX)) == (CPUID_SMX | CPUID_VMX);
 }
+static void unlock_txt_memory(void)
+{
+ msr_t msrval = {0};
+
+ wrmsr(IA32_UNLOCK_LT_MEMORY, msrval);
+}
+
+void disable_intel_txt(void)
+{
+ /* Don't disable if INTEL_TXT config is selected */
+ if (CONFIG(INTEL_TXT))
+ return;
+
+ /* Return if the CPU doesn't support TXT */
+ if (!is_txt_cpu()) {
+ printk(BIOS_INFO, "CPU is not TXT capable.\n");
+ return;
+ }
+
+ /*
+ * Memory is supposed to lock if system is TXT capable
+ * As per TXT BIOS spec Section 6.2.5 unlock memory
+ * when security(TPM) is set and TXT is not enabled.
+ */
+ if (!is_establishment_bit_asserted()) {
+ unlock_txt_memory();
+ printk(BIOS_INFO, "TXT disabled successfully- Unlock Memory\n");
+ }
+}
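Review bot: In `disable_intel_txt()` the path where `is_establishment_bit_asserted()` returns true does nothing and logs nothing, so a board that calls this and still finds memory locked gets no hint why, and the `void` return gives the caller no status either. Adding `else printk(BIOS_WARNING, "TXT: establishment bit asserted, memory left locked\n");` would make that outcome visible in the boot log. The block comment says memory is unlocked "when security(TPM) is set", while the guard unlocks when the establishment bit is not asserted; the helper is defined outside this hunk, so the comment should state which TPM state makes the unlock safe. The "TXT disabled successfully" message is printed without reading anything back after the `wrmsr()` in `unlock_txt_memory()`, so it reports an attempt rather than a verified result. Because that write releases the memory lock, it is worth confirming against the cited spec section whether the TXT secrets indication must also be checked before unlocking; these lines consult only the establishment bit.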