Felix Held has submitted this change. ( https://review.coreboot.org/c/coreboot/+/76879?usp=email )
Change subject: soc/intel/common: Merge TME new key gen and exclusion range configs ......................................................................
soc/intel/common: Merge TME new key gen and exclusion range configs
Merge TME_KEY_REGENERATION_ON_WARM_BOOT and TME_EXCLUDE_CBMEM_ENCRYPTION config options under new config option named TME_KEY_REGENERATION_ON_WARM_BOOT.
Program Intel TME to generate a new key for each warm boot. TME always generates a new key on each cold boot. With this option enabled TME generates a new key even in warm boot. Without this option TME reuses the key for warm boot.
If a new key is generated on warm boot, DRAM contents from previous warm boot will not get decrypted. This creates issue in accessing CBMEM region from previous warm boot. To mitigate the issue coreboot also programs exclusion range. Intel TME does not encrypt physical memory range set in exclusion range. Current coreboot implementation programs TME to exclude CBMEM region. When this config option is enabled, coreboot instructs Intel FSP to program TME to generate a new key on every warm boot and also exclude CBMEM region from being encrypted by TME.
BUG=b:276120526 TEST=Able to build rex.
Change-Id: I19d9504229adb1abff2ef394c4ca113c335099c2 Signed-off-by: Pratikkumar Prajapati pratikkumar.v.prajapati@intel.corp-partner.google.com Reviewed-on: https://review.coreboot.org/c/coreboot/+/76879 Reviewed-by: Sridhar Siricilla sridhar.siricilla@intel.com Reviewed-by: Subrata Banik subratabanik@google.com Reviewed-by: Kapil Porwal kapilporwal@google.com Tested-by: build bot (Jenkins) no-reply@coreboot.org --- M src/soc/intel/common/block/cpu/Kconfig 1 file changed, 10 insertions(+), 19 deletions(-)
Approvals: build bot (Jenkins): Verified Kapil Porwal: Looks good to me, approved Sridhar Siricilla: Looks good to me, approved Subrata Banik: Looks good to me, approved
diff --git a/src/soc/intel/common/block/cpu/Kconfig b/src/soc/intel/common/block/cpu/Kconfig index fb1e251..316ec40 100644 --- a/src/soc/intel/common/block/cpu/Kconfig +++ b/src/soc/intel/common/block/cpu/Kconfig @@ -142,7 +142,7 @@ it would get enabled. If CPU supports MKTME, this same config option enables MKTME.
-config TME_GENERATE_NEW_KEY_ON_WARM_BOOT +config TME_KEY_REGENERATION_ON_WARM_BOOT bool "Generate new TME key on each warm boot" depends on INTEL_TME default n @@ -152,24 +152,15 @@ generates a new key even in warm boot. Without this option TME reuses the key for warm boot.
-config TME_EXCLUDE_CBMEM_ENCRYPTION - bool "Exclude CBMEM from TME encryption" - depends on INTEL_TME - default n - help - This option allows to exclude the CBMEM region from being encrypted by - Intel TME. When TME is enabled it encrypts whole DRAM. TME provides - option to carve out a region of physical memory to get excluded from - encryption. With this config enabled, CBMEM region does not get - encrypted by TME. If TME is not programmed to generate a new key in - warm boot, exclusion range does not need be programmed due to the - fact that TME uses same key in warm boot if - TME_GENERATE_NEW_KEY_ON_WARM_BOOT is not set. But if TME is programmed - to generate a new key in warm boot, contents of the CBMEM get - encrypted with a new key in each warm boot case hence, that leads to - loss of CBMEM data from previous warm boot. So enabling this config - allows CBMEM region to get excluded from being encrypted and can be - accessible irrespective of the type of the platform reset. + If a new key is generated on warm boot, DRAM contents from previous + warm boot will not get decrypted. This creates issue in accessing + CBMEM region from previous warm boot. To mitigate the issue coreboot + also programs exclusion range. Intel TME does not encrypt physical + memory range set in exclusion range. Current coreboot implementation + programs TME to exclude CBMEM region. When this config option is + enabled, coreboot instructs Intel FSP to program TME to generate + a new key on every warm boot and also exclude CBMEM region from being + encrypted by TME.
config CPU_XTAL_HZ int