[coreboot-gerrit] Change in coreboot[master]: cpu/x86/entry16.S: Make Intel CBnT TOCTOU safe

10 May 2021

Arthur Heymans has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/54010 )
Change subject: cpu/x86/entry16.S: Make Intel CBnT TOCTOU safe
......................................................................
cpu/x86/entry16.S: Make Intel CBnT TOCTOU safe
Intel CBnT (and Boot Guard) makes the chain of trust TOCTOU safe by
setting up NEM (non eviction mode) in the ACM. The CBnT IBB (Initial
BootBlock) therefore should not disable caching.
Sidenote: the MSR macros are taken from the slimbootloader project.
Change-Id: Id2031e4e406655e14198e45f137ba152f8b6f567
Signed-off-by: Arthur Heymans arthur@aheymans.xyz
---
M src/cpu/x86/entry16.S
M src/include/cpu/intel/msr.h
2 files changed, 22 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/10/54010/1

diff --git a/src/cpu/x86/entry16.S b/src/cpu/x86/entry16.S
index e1bfbf1..147906f 100644
--- a/src/cpu/x86/entry16.S
+++ b/src/cpu/x86/entry16.S
@@ -115,10 +115,24 @@
    subw	%ax, %bx
    lgdtl	%cs:(%bx)
+#if CONFIG(INTEL_CBNT_SUPPORT)
+#include <cpu/intel/msr.h>
+	movl	$MSR_BOOT_GUARD_SACM_INFO, %ecx
+	rdmsr
+	andl	$B_BOOT_GUARD_SACM_INFO_NEM_ENABLED, %eax
+	jz	1f
+	movl	%cr0, %eax
+	andl	$0x7FFAFFD1, %eax /* PG,AM,WP,NE,TS,EM,MP = 0 */
+	orl	$0x01, %eax /* PE = 1 */
+	movl	%eax, %cr0
+	jmp	2f
+#endif
+1:
    movl	%cr0, %eax
    andl	$0x7FFAFFD1, %eax /* PG,AM,WP,NE,TS,EM,MP = 0 */
    orl	$0x60000001, %eax /* CD, NW, PE = 1 */
    movl	%eax, %cr0
+2:
/* Restore BIST to %eax */
    movl	%ebp, %eax
diff --git a/src/include/cpu/intel/msr.h b/src/include/cpu/intel/msr.h
index 935ac30..28dea68 100644
--- a/src/include/cpu/intel/msr.h
+++ b/src/include/cpu/intel/msr.h
@@ -14,6 +14,14 @@
#define MSR_PLATFORM_INFO	0xce
+#define MSR_BOOT_GUARD_SACM_INFO                                      0x13a
+#define V_TPM_PRESENT_MASK                                            0x06
+#define B_BOOT_GUARD_SACM_INFO_NEM_ENABLED                            (1 << 0)
+#define B_BOOT_GUARD_SACM_INFO_TPM_SUCCESS                            (1 << 3)
+#define B_BOOT_GUARD_SACM_INFO_MEASURED_BOOT                          (1 << 5)
+#define B_BOOT_GUARD_SACM_INFO_VERIFIED_BOOT                          (1 << 6)
+#define B_BOOT_GUARD_SACM_INFO_CAPABILITY                             (1 << 32
+
 #define MSR_PKG_C10_RESIDENCY	0x632
#endif /* CPU_INTEL_MSR_H */
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/54010
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Id2031e4e406655e14198e45f137ba152f8b6f567
Gerrit-Change-Number: 54010
Gerrit-PatchSet: 1
Gerrit-Owner: Arthur Heymans arthur@aheymans.xyz
Gerrit-MessageType: newchange



    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[coreboot-gerrit] Change in coreboot[master]: cpu/x86/entry16.S: Make Intel CBnT TOCTOU safe