Sridhar Siricilla has submitted this change. ( https://review.coreboot.org/c/coreboot/+/71573 )
Change subject: security/intel/txt: Create Intel TXT lib with helper functions ......................................................................
security/intel/txt: Create Intel TXT lib with helper functions
This patch decouples useful TXT related operations from the romstage.c file alone and moves them into a helper txtlib.c. This effort will be helpful for SoC users to perform TXT related operations (like Disabling TXT) even without selecting INTEL_TXT config.
At present, those helper functions are only available upon selecting INTEL_TXT which is not getting enabled for most of the SoC platform in the scope of the Chromebooks.
TEST=Able to access functions from txtlib.c even without selecting INTEL_TXT config.
Signed-off-by: Subrata Banik subratabanik@google.com Change-Id: Iff5b4e705e18cbaf181b4c71bfed368c3ed047ed Reviewed-on: https://review.coreboot.org/c/coreboot/+/71573 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Tarun Tuli taruntuli@google.com Reviewed-by: Sridhar Siricilla sridhar.siricilla@intel.com --- M src/security/intel/txt/Kconfig M src/security/intel/txt/Makefile.inc M src/security/intel/txt/romstage.c A src/security/intel/txt/txtlib.c A src/security/intel/txt/txtlib.h 5 files changed, 96 insertions(+), 38 deletions(-)
Approvals: build bot (Jenkins): Verified Sridhar Siricilla: Looks good to me, approved Tarun Tuli: Looks good to me, approved
diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig index 19eecc4..637a6a7 100644 --- a/src/security/intel/txt/Kconfig +++ b/src/security/intel/txt/Kconfig @@ -1,8 +1,17 @@ # SPDX-License-Identifier: GPL-2.0-only
+config INTEL_TXT_LIB + bool + default n + help + This option includes library functions related to the TXT + operation which SoC would still like to access without enabling + INTEL_TXT config. + config INTEL_TXT bool "Intel TXT support" default n + select INTEL_TXT_LIB select MRC_SETTINGS_PROTECT if CACHE_MRC_SETTINGS select ENABLE_VMX if CPU_INTEL_COMMON select AP_IN_SIPI_WAIT diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc index 7132ca8..e19bacf 100644 --- a/src/security/intel/txt/Makefile.inc +++ b/src/security/intel/txt/Makefile.inc @@ -1,3 +1,5 @@ +romstage-$(CONFIG_INTEL_TXT_LIB) += txtlib.c + ifeq ($(CONFIG_INTEL_TXT),y)
all-y += logging.c diff --git a/src/security/intel/txt/romstage.c b/src/security/intel/txt/romstage.c index e1329dd..fa0ba3c 100644 --- a/src/security/intel/txt/romstage.c +++ b/src/security/intel/txt/romstage.c @@ -4,52 +4,15 @@ #include <console/console.h> #include <cpu/intel/common/common.h> #include <cpu/x86/cr.h> -#include <cpu/x86/msr.h> #include <device/mmio.h> #include <southbridge/intel/common/pmbase.h> -#include <timer.h> #include <types.h>
-#include <security/tpm/tis.h> - #include "txt.h" +#include "txtlib.h" #include "txt_register.h" #include "txt_getsec.h"
-static bool is_establishment_bit_asserted(void) -{ - struct stopwatch timer; - uint8_t access; - - /* Spec says no less than 30 milliseconds */ - stopwatch_init_msecs_expire(&timer, 50); - - while (true) { - access = read8((void *)TPM_ACCESS_REG); - - /* Register returns all ones if TPM is missing */ - if (access == 0xff) - return false; - - if (access & TPM_ACCESS_VALID) - break; - - /* On timeout, assume that the TPM is not working */ - if (stopwatch_expired(&timer)) - return false; - } - - /* This bit uses inverted logic: if cleared, establishment is asserted */ - return !(access & TPM_ACCESS_ESTABLISHMENT); -} - -static bool is_txt_cpu(void) -{ - const uint32_t ecx = cpu_get_feature_flags_ecx(); - - return (ecx & (CPUID_SMX | CPUID_VMX)) == (CPUID_SMX | CPUID_VMX); -} - static bool is_txt_chipset(void) { uint32_t eax; diff --git a/src/security/intel/txt/txtlib.c b/src/security/intel/txt/txtlib.c new file mode 100644 index 0000000..3ec2322 --- /dev/null +++ b/src/security/intel/txt/txtlib.c @@ -0,0 +1,46 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ + +#include <arch/cpu.h> +#include <cpu/intel/common/common.h> +#include <cpu/x86/msr.h> +#include <device/mmio.h> +#include <security/intel/txt/txt.h> +#include <security/tpm/tis.h> +#include <timer.h> + +#include "txtlib.h" +#include "txt_register.h" + +bool is_establishment_bit_asserted(void) +{ + struct stopwatch timer; + uint8_t access; + + /* Spec says no less than 30 milliseconds */ + stopwatch_init_msecs_expire(&timer, 50); + + while (true) { + access = read8((void *)TPM_ACCESS_REG); + + /* Register returns all ones if TPM is missing */ + if (access == 0xff) + return false; + + if (access & TPM_ACCESS_VALID) + break; + + /* On timeout, assume that the TPM is not working */ + if (stopwatch_expired(&timer)) + return false; + } + + /* This bit uses inverted logic: if cleared, establishment is asserted */ + return !(access & TPM_ACCESS_ESTABLISHMENT); +} + +bool is_txt_cpu(void) +{ + const uint32_t ecx = cpu_get_feature_flags_ecx(); + + return (ecx & (CPUID_SMX | CPUID_VMX)) == (CPUID_SMX | CPUID_VMX); +} diff --git a/src/security/intel/txt/txtlib.h b/src/security/intel/txt/txtlib.h new file mode 100644 index 0000000..35703b6 --- /dev/null +++ b/src/security/intel/txt/txtlib.h @@ -0,0 +1,12 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ + +#ifndef SECURITY_INTEL_TXT_LIB_H_ +#define SECURITY_INTEL_TXT_LIB_H_ + +#include <types.h> + +bool is_establishment_bit_asserted(void); + +bool is_txt_cpu(void); + +#endif /* SECURITY_INTEL_TXT_LIB_H_ */