Pratikkumar V Prajapati has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/45087 )
Change subject: soc/intel/common: Add config option to enable TME/MKTME ......................................................................
Patch Set 4:

> Patch Set 4:
>
> Since this is just a blanket "enable" bit to the FSP, how about a little bit of documentation explaining how TME is configured, so users would know what behavior to expect?

Is there any specific question? I think Nate may help from FSP's point of view.

> For example, in chapter 4 of the doc you linked: "The maximum number of keys available/supported in the processor for MKTME are enumerated. BIOS will need to activate this capability via an MSR (described later) and it must select the number of keys to be supported/used for MKTME during early boot process. Upon activation, all memory (except in the TME exclusion range) attached to the CPU/SoC is encrypted using an AES-XTS 128 bit ephemeral key (platform key) that is generated by the CPU on every boot."
>
> How would a user know if MKTME is available and enabled (versus just TME), or activate an exclusion range?

IA32_TME_CAPABILITY MSR – 981H, bits 50:36 can say TME vs MKTME.

I don't see any UPD params for exclusion range. I am checking with FSP team internally. Nate may also have some idea from FSP side here.
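As an added example (not code from the coreboot change or from either reviewer), the following C program shows how a user could answer the "TME vs MKTME" question from the capability MSR named in the thread. It decodes bits 50:36 of IA32_TME_CAPABILITY (MSR 981H) as the MKTME key count; the use of bit 0 (AES-XTS-128 supported) and bits 35:32 (KeyID bits) follows the Intel SDM description of that MSR and is not taken from the thread. Reading the MSR goes through the Linux msr driver at /dev/cpu/N/msr, which needs root and the msr module; when that is unavailable the program falls back to a constructed sample value so the decoding can still be exercised.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* IA32_TME_CAPABILITY MSR address, as given in the review thread. */
#define MSR_IA32_TME_CAPABILITY 0x981u

/* Bit 0: AES-XTS-128 supported (per Intel SDM, not from the thread). */
#define TME_CAP_AES_XTS_128 (1ull << 0)

enum tme_mode { TME_MODE_NONE, TME_MODE_TME_ONLY, TME_MODE_MKTME };

/* Bits 35:32: number of physical-address bits usable as KeyIDs (per SDM). */
unsigned tme_cap_max_keyid_bits(uint64_t cap)
{
    return (unsigned)((cap >> 32) & 0xfull);
}

/* Bits 50:36: maximum number of MKTME keys; this is the field the thread
 * points at. Zero means the part offers single-key TME only. */
unsigned tme_cap_max_keys(uint64_t cap)
{
    return (unsigned)((cap >> 36) & 0x7fffull);
}

/* Classify a raw IA32_TME_CAPABILITY value. */
enum tme_mode tme_classify(uint64_t cap)
{
    if (!(cap & TME_CAP_AES_XTS_128))
        return TME_MODE_NONE;
    return tme_cap_max_keys(cap) ? TME_MODE_MKTME : TME_MODE_TME_ONLY;
}

const char *tme_mode_name(enum tme_mode m)
{
    switch (m) {
    case TME_MODE_TME_ONLY: return "TME (single key)";
    case TME_MODE_MKTME:    return "MKTME (multi-key)";
    default:                return "no TME/AES-XTS-128 capability";
    }
}

/* Read an MSR through the Linux msr driver: the file offset is the MSR
 * number. Needs root and the msr module. Returns 0 on success, -1 if the
 * device is missing or the read faults (e.g. the MSR does not exist). */
int read_msr(int cpu, uint32_t msr, uint64_t *out)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, out, sizeof *out, (off_t)msr);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void)
{
    uint64_t cap;
    if (read_msr(0, MSR_IA32_TME_CAPABILITY, &cap) != 0) {
        /* Constructed sample: AES-XTS-128 supported, 6 KeyID bits, 63 keys. */
        cap = TME_CAP_AES_XTS_128 | (6ull << 32) | (63ull << 36);
        puts("(could not read MSR 0x981; decoding a constructed sample value)");
    }
    printf("IA32_TME_CAPABILITY = 0x%016llx\n", (unsigned long long)cap);
    printf("  mode        : %s\n", tme_mode_name(tme_classify(cap)));
    printf("  max keys    : %u\n", tme_cap_max_keys(cap));
    printf("  KeyID bits  : %u\n", tme_cap_max_keyid_bits(cap));
    return 0;
}
```

Note that this MSR only reports what the processor supports; whether TME was actually activated by FSP/BIOS is a separate question (the activation state lives in a different MSR that the thread does not discuss), so a zero key count here means "no MKTME possible", not "MKTME switched off".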