Attention is currently required from: Jakub Czapiga, Kapil Porwal, Pratikkumar V Prajapati, Ravishankar Sarawadi, Sridhar Siricilla, Tarun Tuli.
Subrata Banik has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/75626?usp=email )
The change is no longer submittable: All-Comments-Resolved is unsatisfied now.
Change subject: soc/intel/meteorlake: Set UPDs for TME exclusion range and new key gen
Patch Set 14:
(1 comment)
File src/soc/intel/meteorlake/romstage/fsp_params.c:
https://review.coreboot.org/c/coreboot/+/75626/comment/3406f849_f4929351 :
PS14, Line 190: Excluding CBMEM region from TME encryption and new key " : "generation on warm boot not enabled

The control will reach here when the ram_top aka memory exclusion range is zero aka no range has been specified.
What is the expectation here?
1. The user doesn't want to exclude any memory range, hence the exclusion range is zero?
2. Passing an exclusion range of zero doesn't mean that the SoC should stop creating new keys across reboots and skip the security guideline?

As long as `TME_KEY_REGENERATION_ON_WARM_BOOT` is set, `m_cfg->GenerateNewTmeKey` should also be enabled:
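```
/* Key regeneration follows the Kconfig option alone */
m_cfg->GenerateNewTmeKey = CONFIG(TME_KEY_REGENERATION_ON_WARM_BOOT);
if (m_cfg->GenerateNewTmeKey) {
	uint32_t ram_top = get_ramtop_addr();
	if (!ram_top) {
		/* No exclusion range is set; key regeneration stays enabled */
		printk(BIOS_WARNING, "Invalid exclusion range start address. Full memory encryption is enabled\n");
		return;
	}
	/* Exclude the 16 MiB just below ram_top from TME encryption */
	m_cfg->TmeExcludeBase = (ram_top - 16*MiB);
	m_cfg->TmeExcludeSize = 16*MiB;
}
```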