Angel Pons has uploaded a new patch set (#10) to the change originally created by Philipp Deppenwiese. ( https://review.coreboot.org/c/coreboot/+/37016 )
Change subject: security/intel/txt: Add Intel TXT support
......................................................................
security/intel/txt: Add Intel TXT support
Add TXT ramstage driver:
* Show startup errors
* Check for TXT reset
* Check for Secrets-in-memory
* Add assembly for GETSEC instruction
* Check platform state if GETSEC instruction is supported
* Configure TXT memory regions
* Lock TXT
* Protect TSEG using DMA protected regions
* Place SINIT ACM
* Print information about ACMs

Extend the `security_clear_dram_request()` function:
* Clear all DRAM if secrets are in memory
Add a config so that the code gets build-tested. Since BIOS and SINIT ACM binaries are not available, use the STM binary as a placeholder.
Tested on OCP Wedge100s and Facebook Watson
* Able to enter a Measured Launch Environment using SINIT ACM and TBOOT
* Secrets in Memory bit is set on ungraceful shutdown
* Memory is cleared after ungraceful shutdown

Change-Id: Iaf4be7f016cc12d3971e1e1fe171e6665e44c284
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
---
A configs/config.purism_librem15_v4.txt_build_test
M src/security/intel/txt/Kconfig
M src/security/intel/txt/Makefile.inc
A src/security/intel/txt/common.c
A src/security/intel/txt/getsec.c
A src/security/intel/txt/getsec_enteraccs.S
A src/security/intel/txt/logging.c
A src/security/intel/txt/ramstage.c
A src/security/intel/txt/txt.h
A src/security/intel/txt/txt_getsec.h
A src/security/intel/txt/txt_register.h
M src/security/memory/memory.c
12 files changed, 1,837 insertions(+), 9 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/16/37016/10
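The boot-time policy the commit message describes ("Check for TXT reset", "Check for Secrets-in-memory", "Clear all DRAM if secrets are in memory") can be modelled as a small decision function that is fed the TXT status registers. The block below is an added illustration, not code from this change or from coreboot: the register offsets, bit positions and the `txt_status`/`boot_policy_demo` names are assumptions (the offsets and bits follow Intel's published TXT register layout as I recall it, which this page does not state), and the "DRAM" being scrubbed is a constructed buffer so the logic runs without hardware.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical model of the post-TXT boot decision. In firmware the two
 * status words are read from the TXT public register space; here they are
 * passed in so the policy can be exercised on constructed values.
 * Offsets and bit positions below are assumptions, not taken from this page.
 */
#define TXT_ESTS_OFFSET        0x008u      /* assumed: TXT.ESTS in public space */
#define TXT_ESTS_TXT_RESET     (1u << 0)   /* assumed: a TXT reset occurred */
#define TXT_E2STS_OFFSET       0x8F0u      /* assumed: TXT.E2STS in public space */
#define TXT_E2STS_SECRETS      (1u << 1)   /* assumed: secrets left in DRAM */

struct txt_status {
	uint32_t ests;   /* value read at TXT_ESTS_OFFSET (assumed) */
	uint32_t e2sts;  /* value read at TXT_E2STS_OFFSET (assumed) */
};

bool txt_reset_occurred(const struct txt_status *st)
{
	return (st->ests & TXT_ESTS_TXT_RESET) != 0;
}

bool txt_secrets_in_memory(const struct txt_status *st)
{
	return (st->e2sts & TXT_E2STS_SECRETS) != 0;
}

/*
 * A previous boot entered the Measured Launch Environment and shut down
 * without a graceful exit, so the SECRETS bit is still set and DRAM may hold
 * key material. Only that case mandates a full scrub before memory is used;
 * a TXT reset on its own is reported but does not by itself require it.
 */
bool security_clear_dram_needed(const struct txt_status *st)
{
	return txt_secrets_in_memory(st);
}

/* Stand-in for the DRAM scrub: zero the region, then verify nothing survived. */
bool scrub_region(uint8_t *region, size_t len)
{
	memset(region, 0, len);
	for (size_t i = 0; i < len; i++)
		if (region[i] != 0)
			return false;
	return true;
}

/*
 * Runs the policy over constructed status values and a constructed buffer
 * that stands in for DRAM holding leftover secrets.
 * Returns 1 if the buffer was scrubbed and verified clean, 0 if it was left
 * untouched because the policy did not require a scrub.
 */
int boot_policy_demo(uint32_t ests, uint32_t e2sts)
{
	struct txt_status st = { .ests = ests, .e2sts = e2sts };
	uint8_t dram[64];
	memset(dram, 0xA5, sizeof(dram));   /* constructed: planted key material */

	if (txt_reset_occurred(&st))
		printf("TXT reset detected from previous boot\n");

	if (!security_clear_dram_needed(&st))
		return 0;

	printf("Secrets-in-memory set: clearing all DRAM before continuing\n");
	return scrub_region(dram, sizeof(dram)) ? 1 : 0;
}

int main(void)
{
	printf("clean boot      -> scrubbed=%d\n", boot_policy_demo(0, 0));
	printf("txt reset only  -> scrubbed=%d\n", boot_policy_demo(TXT_ESTS_TXT_RESET, 0));
	printf("secrets present -> scrubbed=%d\n", boot_policy_demo(0, TXT_E2STS_SECRETS));
	return 0;
}
```

The important design point is ordering: the secrets check runs before any stage that could place its own data in DRAM, and the scrub is verified rather than assumed, so a leftover key from an interrupted MLE session never survives into the next OS boot.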