Philipp Deppenwiese has uploaded a new patch set (#4) to the change originally created by Jonathan Zhang. ( https://review.coreboot.org/c/coreboot/+/42712 )
Change subject: security/intel/txt: Add Intel TXT support ......................................................................
security/intel/txt: Add Intel TXT support
Add TXT ramstage driver:
* Show startup errors
* Check for TXT reset
* Check for Secrets-in-memory
* Add assembly for GETSEC instruction
* Check platform state if GETSEC instruction is supported
* Configure TXT memory regions
* Lock TXT
* Protect TSEG using DMA protected regions
* Place SINIT ACM
* Print information about ACMs
Extend the `security_clear_dram_request()` function:
* Clear all DRAM if secrets are in memory
Add a config so that the code gets build-tested. Since BIOS and SINIT ACM binaries are not available, use the STM binary as a placeholder.
Tested on OCP Wedge100s and Facebook Watson
* Able to enter a Measured Launch Environment using SINIT ACM and TBOOT
* Secrets in Memory bit is set on ungraceful shutdown
* Memory is cleared after ungraceful shutdown
Change-Id: Iaf4be7f016cc12d3971e1e1fe171e6665e44c284
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37016
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
(cherry picked from commit 5f9f77672d096a013094f3cad63cb138167dbf1b)
---
A configs/config.purism_librem15_v4.txt_build_test
M src/security/intel/txt/Kconfig
M src/security/intel/txt/Makefile.inc
A src/security/intel/txt/common.c
A src/security/intel/txt/getsec.c
A src/security/intel/txt/getsec_enteraccs.S
A src/security/intel/txt/logging.c
A src/security/intel/txt/ramstage.c
A src/security/intel/txt/txt.h
A src/security/intel/txt/txt_getsec.h
A src/security/intel/txt/txt_register.h
M src/security/memory/memory.c
12 files changed, 1,837 insertions(+), 9 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/12/42712/4
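The commit message describes three of the ramstage checks without showing how they fit together: whether the CPU supports GETSEC (SMX), whether the previous boot ended in a TXT reset, and whether the "secrets in memory" status is set so that DRAM must be scrubbed before anything else runs. The following is an added illustration written for this page; it is not code from the change or from coreboot. It evaluates a constructed in-memory copy of the TXT public register space instead of the real MMIO window, so it runs anywhere. The register offsets and bit positions (TXT.ESTS at 0x008 with TXT_RESET.STS in bit 0, TXT.E2STS at 0x8F0 with SECRETS.STS in bit 1, and the SMX feature flag in CPUID.1:ECX bit 6) are taken from Intel's public TXT documentation as I recall it and should be treated as assumptions to verify against the MLE Developer's Guide before reuse.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of the TXT public register space (verify against Intel docs). */
#define TXT_PUBLIC_SPACE_SIZE   0x1000u
#define TXT_ESTS                0x008u   /* TXT.ESTS, 64-bit */
#define TXT_ESTS_TXT_RESET      (1ull << 0)
#define TXT_E2STS               0x8F0u   /* TXT.E2STS, 64-bit */
#define TXT_E2STS_SECRETS       (1ull << 1)
#define CPUID1_ECX_SMX          (1u << 6) /* GETSEC available */

struct txt_state {
	bool smx_supported; /* GETSEC can be executed at all */
	bool txt_reset;     /* previous boot ended in a TXT-initiated reset */
	bool secrets;       /* MLE left secrets in DRAM (ungraceful shutdown) */
	bool clear_dram;    /* policy result: scrub all DRAM before continuing */
};

/* Unaligned little-endian 64-bit read from the register image. */
static uint64_t txt_read64(const uint8_t *pub, size_t off)
{
	uint64_t v = 0;
	for (size_t i = 0; i < 8; i++)
		v |= (uint64_t)pub[off + i] << (8 * i);
	return v;
}

static void txt_write64(uint8_t *pub, size_t off, uint64_t v)
{
	for (size_t i = 0; i < 8; i++)
		pub[off + i] = (uint8_t)(v >> (8 * i));
}

/*
 * Evaluate the platform state the way a ramstage driver would on entry:
 * without SMX the TXT registers are meaningless, so nothing is read and
 * DRAM is left alone; otherwise report a TXT reset and request a full
 * DRAM clear whenever the secrets bit is still set.
 */
struct txt_state txt_evaluate(uint32_t cpuid1_ecx, const uint8_t *pub)
{
	struct txt_state st = { 0 };

	st.smx_supported = (cpuid1_ecx & CPUID1_ECX_SMX) != 0;
	if (!st.smx_supported)
		return st;

	st.txt_reset = (txt_read64(pub, TXT_ESTS) & TXT_ESTS_TXT_RESET) != 0;
	st.secrets   = (txt_read64(pub, TXT_E2STS) & TXT_E2STS_SECRETS) != 0;
	st.clear_dram = st.secrets;
	return st;
}

/* Build a constructed register image for one scenario and evaluate it. */
struct txt_state txt_scenario(bool smx, bool txt_reset, bool secrets)
{
	uint8_t pub[TXT_PUBLIC_SPACE_SIZE];
	memset(pub, 0, sizeof(pub));
	txt_write64(pub, TXT_ESTS, txt_reset ? TXT_ESTS_TXT_RESET : 0);
	txt_write64(pub, TXT_E2STS, secrets ? TXT_E2STS_SECRETS : 0);
	return txt_evaluate(smx ? CPUID1_ECX_SMX : 0, pub);
}

static void txt_report(const char *name, struct txt_state st)
{
	printf("%s: smx=%d txt_reset=%d secrets=%d -> clear_dram=%d\n",
	       name, st.smx_supported, st.txt_reset, st.secrets, st.clear_dram);
}

int main(void)
{
	txt_report("no SMX",             txt_scenario(false, false, true));
	txt_report("clean boot",         txt_scenario(true,  false, false));
	txt_report("TXT reset",          txt_scenario(true,  true,  false));
	txt_report("ungraceful shutdown", txt_scenario(true,  false, true));
	return 0;
}
```

The "no SMX" scenario is the one to keep in mind: a secrets bit in a constructed image is ignored there because on a CPU without GETSEC the register window is not backed by TXT hardware, so the driver must gate every register read on the CPUID check rather than read first and decide later.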