Michał Żygowski has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/59513 )
Change subject: security/intel/txt: Allow to set TXT BIOS Data Region version
security/intel/txt: Allow to set TXT BIOS Data Region version
TXT BIOS Data region version is checked by Trusted Boot code. Older versions of TBoot may refuse to set up the MLE if BDR version is not known. Provide an option to set the BDR version in case an older TBoot code is used.
Signed-off-by: Michał Żygowski michal.zygowski@3mdeb.com
Change-Id: Ic2550bd4008559bd47de9e35f8b1c7b52e6e0f5f
---
M src/security/intel/txt/Kconfig
M src/security/intel/txt/ramstage.c
2 files changed, 14 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/13/59513/1
diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig index 3648925..ae27b30 100644 --- a/src/security/intel/txt/Kconfig +++ b/src/security/intel/txt/Kconfig @@ -39,6 +39,19 @@ the MRC does not have an input to specify the size of DPR, so this field is only used to check if the programmed size is large enough.
+config INTEL_TXT_BDR_VERSION + int "BIOS Data Region version" + range 2 6 + default 5 if TPM1 + default 6 if TPM2 + help + Specify the TXT heap BIOS Data Region version. Sometimes when using + an older Trusted Boot version, it may report unsupported BIOS Data + Region version and refuse to set up the measured launch environment. + Setting lower version may work around such issue. Allowed values + currently range from 2 to 6. + + config INTEL_TXT_TEST_BIOS_ACM_CALLING_CODE bool "Test BIOS ACM calling code with NOP function" help diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c index 3ca766e..217d50c 100644 --- a/src/security/intel/txt/ramstage.c +++ b/src/security/intel/txt/ramstage.c @@ -215,10 +215,7 @@ } __packed data = {0};
/* TPM2.0 requires version 6 of BDT */ - if (CONFIG(TPM2)) - data.bdr.version = 6; - else - data.bdr.version = 5; + data.bdr.version = CONFIG_INTEL_TXT_BDR_VERSION;
data.bdr.no_logical_procs = dev_count_cpu();
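Review bot: in the Kconfig hunk, the help text for INTEL_TXT_BDR_VERSION should say that only the version number advertised in the BIOS Data Region changes, not the layout of the region itself: the removed ramstage code only ever chose 5 or 6 for the same `data` structure, so advertising 2, 3 or 4 tells the MLE to parse a layout that the firmware does not actually produce, and the help currently reads as if any value in the range is a safe knob. It should also mention that with TPM2 the expected value is 6 (the ramstage comment kept in the second hunk says "TPM2.0 requires version 6 of BDT"); either narrow the range when TPM2 is selected, e.g. `range 6 6 if TPM2`, or state plainly that lowering it on a TPM2 build is unsupported and exists only for the older Trusted Boot case described in the commit message. Minor wording: "it may report unsupported BIOS Data Region version" should read "it may report an unsupported BIOS Data Region version", and "Setting lower version may work around such issue" should read "Setting a lower version may work around the issue".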
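Review bot: in the ramstage.c hunk, the retained comment `/* TPM2.0 requires version 6 of BDT */` no longer matches the code beneath it, which now assigns whatever CONFIG_INTEL_TXT_BDR_VERSION was configured, so a TPM2 build with a lowered version silently contradicts the comment and nothing enforces the requirement. Either reword the comment to say the version is configurable and that TPM2.0 normally needs 6, or add a build-time guard such as `#if CONFIG(TPM2) && CONFIG_INTEL_TXT_BDR_VERSION < 6` with a `#warning`, so the mismatch is visible at compile time rather than showing up as a refused measured launch. Also, the comment says "BDT" while the option and the commit message say "BDR"; pick one spelling.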