Angel Pons has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/46497 )
Change subject: sec/intel/txt: Always run SCHECK on regular boots
sec/intel/txt: Always run SCHECK on regular boots
When Boot Guard is disabled or not available, the IBB might not even exist. This is the case on traditional (non-ULT) Haswell, for example.
Leave the S3 resume check as-is for now. Skylake and newer may need to run SCHECK on resume as well, but I lack the hardware to test this on.
Change-Id: I70231f60d4d4c5bc8ee0fcbb0651896256fdd391
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
---
M src/security/intel/txt/ramstage.c
1 file changed, 8 insertions(+), 7 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/97/46497/1
diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c index c39194b..86bf7aa 100644 --- a/src/security/intel/txt/ramstage.c +++ b/src/security/intel/txt/ramstage.c @@ -168,15 +168,16 @@ }
if (status & (ACMSTS_BIOS_TRUSTED | ACMSTS_IBB_MEASURED)) { + printk(BIOS_INFO, "TEE-TXT: Logging IBB measurements...\n"); log_ibb_measurements(); + }
- int s3resume = acpi_is_wakeup_s3(); - if (!s3resume) { - printk(BIOS_INFO, "TEE-TXT: Scheck...\n"); - if (intel_txt_run_bios_acm(ACMINPUT_SCHECK) < 0) { - printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM.\n"); - return; - } + int s3resume = acpi_is_wakeup_s3(); + if (!s3resume) { + printk(BIOS_INFO, "TEE-TXT: Scheck...\n"); + if (intel_txt_run_bios_acm(ACMINPUT_SCHECK) < 0) { + printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM.\n"); + return; } } }
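Review bot: the hunk moves the `ACMINPUT_SCHECK` call out from under the `if (status & (ACMSTS_BIOS_TRUSTED | ACMSTS_IBB_MEASURED))` check so that it now runs on every non-S3 boot, but the only record of why (no Boot Guard means there may be no IBB, so those status bits are never set) lives in the commit message. Please add a short comment in the code, right before `int s3resume = acpi_is_wakeup_s3();`, stating that SCHECK is intentionally independent of the IBB/Boot Guard status bits; otherwise the next person to touch this function is likely to re-gate it. A one-line note on why S3 resume is still skipped, matching "Leave the S3 resume check as-is for now" from the commit message, would also help, since the `if (!s3resume)` guard now reads as if it were part of the same condition. The brace restructuring itself looks right: the new `}` closes the status block around `log_ibb_measurements()`, and the trailing context `} } }` still balances the function.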