Angel Pons has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46608 )
Change subject: haswell: Add Intel TXT support in romstage ......................................................................
Patch Set 5:
(1 comment)
Patch Set 5:
I was working on it for ivybridge, but unline haswell and later platforms it requires manual APs setup before calling GETSEC. There is much assembly code to configure MTRRs, clean MCEs and rendezvous the APs right before the GETSEC call. Based on all the TXT patches I saw on gerrit, we do not do it for APs anywhere. If I am not mistaken it is related to the FIT table and loading ACM before reset vector?
Thank you for the insight. The TXT code was originally tested on Broadwell-DE, and LT-SX platforms handle wiping of secrets differently. Since testing on remote Broadwell-DE boxes is cumbersome at best, I decided to make TXT work on the Asrock B85M Pro4, a Haswell board I own.
Support for Haswell required some adjustments to account for differences between LT-SX and LT-CX. The biggest one is SCLEAN, since it's the only way to recover from TXT-blocked memory (without manual intervention). Looks like the memory block simply prevents the MPLL (Memory PLL) from ever powering up, which is simple but effective. To run SCLEAN in romstage, I had to adapt the ACM calling code to tear down CAR, among other stuff. I also figured out the original implementation would fail when ACM sizes were not a power of two, which I CB:44880 addressed. After trying to read reference assembly code, I decided to write a new implementation from scratch, which turned out to be much simpler and easy to read, IMHO.
I also saw that there's something about AP init in the SCLEAN launch assembly code, but wasn't sure if it was required for Haswell and decided to not implement it at that time. I was worried because I somehow had successfully locked myself out without being able to run the ACM, and wanted to recover as soon as possible. After figuring out I had a too old ACM without TPM2 support, I got it to run and eventually made everything work (including S3 suspend/resume!), except that SCLEAN automatic reset sometimes fails. I imagine the missing AP init and microcode update loading could be to blame, so I guess I'll have to torture myself again and try to wrap my head around the AP init assembly code...
https://review.coreboot.org/c/coreboot/+/46608/5/src/security/intel/txt/comm... File src/security/intel/txt/common.c:
https://review.coreboot.org/c/coreboot/+/46608/5/src/security/intel/txt/comm... PS5, Line 310: //write32((void *)MCU_BASE_ADDR, 0xffe1a990);
I know where these come from. They were used to setup APs for ACM launch. […]
Thanks for the pointer. We don't set up the APs anywhere. I'm not sure if this is required for Haswell: sometimes SCLEAN will not complete, and I suspect the missing AP init might be why.