Patrick Rudolph has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35312 )
Change subject: soc/intel/common/block/sgx: Fix crash in MP init
......................................................................
Patch Set 9:
Patch Set 8:
Good message first: this fixes the SGX crash and SGX gets enabled correctly according to chipsec.
The bad news is, this triggers microcode update failures.
- I get multiple microcode update errors:
microcode: updated to revision 0xb4 date=2019-04-01
VMX status: enabled
VMX status: enabled
VMX status: enabled
VMX status: enabled
VMX status: enabled
VMX status: enabled
SGX: MCHECK approved SGX PRMRR
SGX activation was successful.
IA32_FEATURE_CONTROL already locked
microcode: updated to revision 0xb4 date=2019-04-01
microcode: updated to revision 0xb4 date=2019-04-01
microcode: Update failed
SGX: MCHECK approved SGX PRMRR
SGX: MCHECK approved SGX PRMRR
SGX activation was successful.
SGX activation was successful.
Full log here: https://paste.xinu.at/4zT/
- Chipsec complains that PAVPC and TSEGMB are not locked.
However, when SGX is disabled these memory regions get locked. I guess FSP does this. I experienced the same behaviour when trying to set MSR_LT_LOCK_MEMORY without SGX enabled, shortly after the point where SGX normally would get enabled. I solved that problem by setting MSR_LT_LOCK_MEMORY in the PCH finalize phase. Disclaimer: I do not know when exactly MSR_LT_LOCK_MEMORY has to be enabled, as it is not documented. TBD: find out.
Fun fact: even FSP leaves PAVPC and TSEGMB unlocked when SGX is enabled by FSP. I opened an issue on Github: https://github.com/IntelFsp/FSP/issues/34
chipsec FSP: https://paste.xinu.at/Rvz1mD/
chipsec coreboot: https://paste.xinu.at/irjNm/
Updated the patch as microcode updates should only be loaded on one thread as per Intel SDM. Also added more comments.