Angel Pons has submitted this change. ( https://review.coreboot.org/c/coreboot/+/46494 )
Change subject: sec/intel/txt/ramstage.c: Extract heap init into a function ......................................................................
sec/intel/txt/ramstage.c: Extract heap init into a function
Heap initialization is self-contained, so place it into a separate function. Also, do it after the MSEG registers have been written, so that all register writes are grouped together. This has no impact.
Change-Id: Id108f4cfcd2896d881d9ba267888f7ed5dd984fa Signed-off-by: Angel Pons th3fanbus@gmail.com Reviewed-on: https://review.coreboot.org/c/coreboot/+/46494 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Arthur Heymans arthur@aheymans.xyz --- M src/security/intel/txt/ramstage.c 1 file changed, 101 insertions(+), 96 deletions(-)
Approvals: build bot (Jenkins): Verified Arthur Heymans: Looks good to me, approved
diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c index 5d0d121..2d56d1f 100644 --- a/src/security/intel/txt/ramstage.c +++ b/src/security/intel/txt/ramstage.c @@ -194,103 +194,8 @@ } }
-/** - * Finalize the TXT device. - * - * - Lock TXT register. - * - Protect TSEG using DMA protected regions. - * - Setup TXT regions. - * - Place SINIT ACM in TXT_SINIT memory segment. - * - Fill TXT BIOSDATA region. - */ -static void lockdown_intel_txt(void *unused) +static void txt_initialize_heap(void) { - const uint64_t status = read64((void *)TXT_SPAD); - - uintptr_t tseg_base; - size_t tseg_size; - - smm_region(&tseg_base, &tseg_size); - - if (status & ACMSTS_TXT_DISABLED) - return; - - printk(BIOS_INFO, "TEE-TXT: Locking TEE...\n"); - - /* Lock TXT config, unlocks TXT_HEAP_BASE */ - if (intel_txt_run_bios_acm(ACMINPUT_LOCK_CONFIG) < 0) { - printk(BIOS_ERR, "TEE-TXT: Failed to lock registers.\n"); - printk(BIOS_ERR, "TEE-TXT: SINIT won't be supported.\n"); - return; - } - - /* - * Document Number: 558294 - * Chapter 5.5.6.1 DMA Protection Memory Region - */ - - const u8 dpr_capable = !!(read64((void *)TXT_CAPABILITIES) & - TXT_CAPABILITIES_DPR); - printk(BIOS_INFO, "TEE-TXT: DPR capable %x\n", dpr_capable); - - if (dpr_capable) { - /* Verify the DPR settings on the MCH and mirror them to TXT public space */ - union dpr_register dpr = txt_get_chipset_dpr(); - - printk(BIOS_DEBUG, "TEE-TXT: MCH DPR 0x%08x\n", dpr.raw); - - printk(BIOS_DEBUG, "TEE-TXT: MCH DPR base @ 0x%08x size %u MiB\n", - (dpr.top - dpr.size) * MiB, dpr.size); - - // DPR TODO: implement SA_ENABLE_DPR in the intelblocks - - if (!dpr.lock) { - printk(BIOS_ERR, "TEE-TXT: MCH DPR not locked.\n"); - return; - } - - if (!dpr.epm || !dpr.prs) { - printk(BIOS_ERR, "TEE-TXT: MCH DPR protection not active.\n"); - return; - } - - if (dpr.size < CONFIG_INTEL_TXT_DPR_SIZE) { - printk(BIOS_ERR, "TEE-TXT: MCH DPR configured size is too small.\n"); - return; - } - - if (dpr.top * MiB != tseg_base) { - printk(BIOS_ERR, "TEE-TXT: MCH DPR top does not equal TSEG base.\n"); - return; - } - - /* Clear reserved bits */ - dpr.prs = 0; - dpr.epm = 0; - - write64((void *)TXT_DPR, dpr.raw); - - printk(BIOS_INFO, "TEE-TXT: TXT.DPR 0x%08x\n", - read32((void *)TXT_DPR)); - } - - /* - * Document Number: 558294 - * Chapter 5.5.6.3 Intel TXT Heap Memory Region - */ - write64((void *)TXT_HEAP_SIZE, 0xE0000); - write64((void *)TXT_HEAP_BASE, - ALIGN_DOWN(tseg_base - read64((void *)TXT_HEAP_SIZE), 4096)); - - /* - * Document Number: 558294 - * Chapter 5.5.6.2 SINIT Memory Region - */ - write64((void *)TXT_SINIT_SIZE, 0x20000); - write64((void *)TXT_SINIT_BASE, - ALIGN_DOWN(read64((void *)TXT_HEAP_BASE) - - read64((void *)TXT_SINIT_SIZE), 4096)); - /* * BIOS Data Format * Chapter C.2 @@ -392,6 +297,104 @@ /* SinitMLEData */ /* FIXME: Does firmware need to write this? */ push_sinit_heap(&heap_struct, NULL, 0); +} + +/** + * Finalize the TXT device. + * + * - Lock TXT register. + * - Protect TSEG using DMA protected regions. + * - Setup TXT regions. + * - Place SINIT ACM in TXT_SINIT memory segment. + * - Fill TXT BIOSDATA region. + */ +static void lockdown_intel_txt(void *unused) +{ + const uint64_t status = read64((void *)TXT_SPAD); + + uintptr_t tseg_base; + size_t tseg_size; + + smm_region(&tseg_base, &tseg_size); + + if (status & ACMSTS_TXT_DISABLED) + return; + + printk(BIOS_INFO, "TEE-TXT: Locking TEE...\n"); + + /* Lock TXT config, unlocks TXT_HEAP_BASE */ + if (intel_txt_run_bios_acm(ACMINPUT_LOCK_CONFIG) < 0) { + printk(BIOS_ERR, "TEE-TXT: Failed to lock registers.\n"); + printk(BIOS_ERR, "TEE-TXT: SINIT won't be supported.\n"); + return; + } + + /* + * Document Number: 558294 + * Chapter 5.5.6.1 DMA Protection Memory Region + */ + + const u8 dpr_capable = !!(read64((void *)TXT_CAPABILITIES) & + TXT_CAPABILITIES_DPR); + printk(BIOS_INFO, "TEE-TXT: DPR capable %x\n", dpr_capable); + + if (dpr_capable) { + /* Verify the DPR settings on the MCH and mirror them to TXT public space */ + union dpr_register dpr = txt_get_chipset_dpr(); + + printk(BIOS_DEBUG, "TEE-TXT: MCH DPR 0x%08x\n", dpr.raw); + + printk(BIOS_DEBUG, "TEE-TXT: MCH DPR base @ 0x%08x size %u MiB\n", + (dpr.top - dpr.size) * MiB, dpr.size); + + // DPR TODO: implement SA_ENABLE_DPR in the intelblocks + + if (!dpr.lock) { + printk(BIOS_ERR, "TEE-TXT: MCH DPR not locked.\n"); + return; + } + + if (!dpr.epm || !dpr.prs) { + printk(BIOS_ERR, "TEE-TXT: MCH DPR protection not active.\n"); + return; + } + + if (dpr.size < CONFIG_INTEL_TXT_DPR_SIZE) { + printk(BIOS_ERR, "TEE-TXT: MCH DPR configured size is too small.\n"); + return; + } + + if (dpr.top * MiB != tseg_base) { + printk(BIOS_ERR, "TEE-TXT: MCH DPR top does not equal TSEG base.\n"); + return; + } + + /* Clear reserved bits */ + dpr.prs = 0; + dpr.epm = 0; + + write64((void *)TXT_DPR, dpr.raw); + + printk(BIOS_INFO, "TEE-TXT: TXT.DPR 0x%08x\n", + read32((void *)TXT_DPR)); + } + + /* + * Document Number: 558294 + * Chapter 5.5.6.3 Intel TXT Heap Memory Region + */ + write64((void *)TXT_HEAP_SIZE, 0xE0000); + write64((void *)TXT_HEAP_BASE, + ALIGN_DOWN(tseg_base - read64((void *)TXT_HEAP_SIZE), 4096)); + + /* + * Document Number: 558294 + * Chapter 5.5.6.2 SINIT Memory Region + */ + write64((void *)TXT_SINIT_SIZE, 0x20000); + write64((void *)TXT_SINIT_BASE, + ALIGN_DOWN(read64((void *)TXT_HEAP_BASE) - + read64((void *)TXT_SINIT_SIZE), 4096));
/* * FIXME: Server-TXT capable platforms need to install an STM in SMM and set up MSEG. @@ -404,6 +407,8 @@ write64((void *)TXT_MSEG_SIZE, 0); write64((void *)TXT_MSEG_BASE, 0);
+ txt_initialize_heap(); + if (CONFIG(INTEL_TXT_LOGGING)) txt_dump_regions(); }