Change in coreboot[master]: security/intel/txt: Correct reporting of chipset production fuse state - coreboot-gerrit

25 Nov 2021


      Attention is currently required from: Michał Żygowski, Patrick Rudolph.
Angel Pons has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/59514 )
Change subject: security/intel/txt: Correct reporting of chipset production fuse state
......................................................................
Patch Set 4: Code-Review+1
(1 comment)
File src/security/intel/txt/common.c:
https://review.coreboot.org/c/coreboot/+/59514/comment/584710fc_47e17b1a 
PS4, Line 222: if ((acm_header->flags & ACM_FORMAT_FLAGS_DEBUG) ==
             : 	    (read64((void *)TXT_VER_FSBIF) & TXT_VER_PRODUCTION_FUSED))
This check should also be updated, but note that it's incorrect. It returns a false negative when ACM is debug and chipset is production fused, because `(1 << 15) == (1 << 31)` is false. I'd do the following:
const bool production_acm = !(acm_header->flags & ACM_FORMAT_FLAGS_DEBUG);
 if (production_acm != intel_txt_chipset_is_production_fused())
    return ACM_E_PLATFORM_IS_NOT_PROD;
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/59514
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ic86c5a9e1d162630a1cf61435d1014edabf104b0
Gerrit-Change-Number: 59514
Gerrit-PatchSet: 4
Gerrit-Owner: Michał Żygowski michal.zygowski@3mdeb.com
Gerrit-Reviewer: Angel Pons th3fanbus@gmail.com
Gerrit-Reviewer: Arthur Heymans arthur@aheymans.xyz
Gerrit-Reviewer: Patrick Rudolph siro@das-labor.org
Gerrit-Reviewer: build bot (Jenkins) no-reply@coreboot.org
Gerrit-CC: Paul Menzel paulepanter@mailbox.org
Gerrit-Attention: Michał Żygowski michal.zygowski@3mdeb.com
Gerrit-Attention: Patrick Rudolph siro@das-labor.org
Gerrit-Comment-Date: Thu, 25 Nov 2021 10:50:56 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment