[coreboot-gerrit] Change in coreboot[master]: security/intel/txt: Allow using CF9 reset, too

Angel Pons has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/44181 )

Change subject: security/intel/txt: Allow using CF9 reset, too ......................................................................

security/intel/txt: Allow using CF9 reset, too

Soften the hard dependency on SOC_INTEL_COMMON_BLOCK_SA by allowing CF9 resets to be used in place of global resets. If both types of reset are available, prefer a global reset. This preserves current behavior, and allows more platforms to use the TXT support code, such as Haswell.

Change-Id: I034fa0b342135e7101c21646be8fd6b5d3252d9e Signed-off-by: Angel Pons th3fanbus@gmail.com --- M src/security/intel/txt/Kconfig M src/security/intel/txt/common.c 2 files changed, 18 insertions(+), 2 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/81/44181/1

diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig index edb13a5..3dd912e 100644 --- a/src/security/intel/txt/Kconfig +++ b/src/security/intel/txt/Kconfig @@ -9,7 +9,7 @@ depends on (TPM1 || TPM2) depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE depends on PLATFORM_HAS_DRAM_CLEAR - depends on SOC_INTEL_COMMON_BLOCK_SA + depends on (SOC_INTEL_COMMON_BLOCK_SA || HAVE_CF9_RESET)

if INTEL_TXT

diff --git a/src/security/intel/txt/common.c b/src/security/intel/txt/common.c index d3e18376..5a5d637 100644 --- a/src/security/intel/txt/common.c +++ b/src/security/intel/txt/common.c @@ -10,11 +10,27 @@ #include <cpu/x86/mp.h> #include <lib.h> #include <smp/node.h> + +#if CONFIG(SOC_INTEL_COMMON_BLOCK_SA) #include <soc/intel/common/reset.h> +#else +#include <cf9_reset.h> +#endif + #include "txt.h" #include "txt_register.h" #include "txt_getsec.h"

+/* Usual security practice: if an unexpected error happens, reboot */ +static void __noreturn txt_reset_platform(void) +{ +#if CONFIG(SOC_INTEL_COMMON_BLOCK_SA) + global_reset(); +#else + full_reset(); +#endif +} + /** * Dump the ACM error status bits. * @@ -307,7 +323,7 @@ msr_t msr = rdmsr(IA32_FEATURE_CONTROL); if (!(msr.lo & BIT(0))) { printk(BIOS_ERR, "TEE-TXT: IA32_FEATURE_CONTROL is not locked\n"); - global_reset(); + txt_reset_platform(); }

printk(BIOS_DEBUG, "TEE-TXT: IA32_FEATURE_CONTROL\n");