Arthur Heymans has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt: Account for SINIT ACM's of different sizes ......................................................................
sec/intel/txt: Account for SINIT ACM's of different sizes
This checks the size of the ACM at runtime before programming the TXT SINIT BASE/SIZE and HEAP BASE/SIZE.
Change-Id: Ia3e81d051a03b54233eef6ccdc4740c1a709be40 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M src/security/intel/txt/ramstage.c 1 file changed, 65 insertions(+), 17 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46556/1
diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c
index f532a2f..3105d30 100644
--- a/src/security/intel/txt/ramstage.c
+++ b/src/security/intel/txt/ramstage.c
@@ -194,6 +194,18 @@
 }
 }
+/* fms: find most significant bit set, stolen from Linux Kernel Source. */
+static inline unsigned int fms(unsigned int x)
+{
+ unsigned int r;
+
+ __asm__("bsrl %1,%0\n\t"
+ "jnz 1f\n\t"
+ "movl $0,%0\n"
+ "1:" : "=r" (r) : "mr" (x));
+ return r;
+}
+
 /**
 * Finalize the TXT device.
 *
@@ -274,22 +286,58 @@
 read32((void *)TXT_DPR));
 }
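Review bot: `fms()` returns 0 for both `x == 0` and `x == 1`, and its parameter is `unsigned int`, so the `size_t` handed to it by the caller in the next hunk is silently truncated on a 64-bit build. The hand-written `bsrl` sequence duplicates what the compiler already provides; `return x ? 31 - __builtin_clz(x) : 0;` gives the same result without inline assembly. If the helper stays as written, its comment should state the zero-input result and that callers must range-check the argument first.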
- /*
- * Document Number: 558294
- * Chapter 5.5.6.3 Intel TXT Heap Memory Region
+ /* Document Number: 558294
+ * Chapter 5.5.5.6 Intel TXT Device Memory
+ *
+ * +------------+ TSEG_BASE / DPR.TOP
+ * | TXT HEAP |
+ * +------------+ TSEG_BASE - 1 MiB + SINIT ACM SIZE
+ * | TXT SINIT |
+ * +------------+ TSEG_BASE - 1 MiB
+ * | MLE code |
+ * | Page Table |
+ * +------------+ TSEG_BASE - at least 3 MiB
 */
- write64((void *)TXT_HEAP_SIZE, 0xE0000);
- write64((void *)TXT_HEAP_BASE,
- ALIGN_DOWN(tseg_base - read64((void *)TXT_HEAP_SIZE), 4096));
+
+ struct cbfsf fh;
+ uint32_t compression_algo;
+ size_t decompressed_size;
+
+ void *sinit_base = (void *)(tseg_base - 1 * MiB);
+
+ if (cbfs_boot_locate(&fh, CONFIG_INTEL_TXT_CBFS_SINIT_ACM, NULL)) {
+ printk(BIOS_ERR, "TEE-TXT: Couldn't locate SINIT ACM in CBFS.\n");
+ /* Clear where SINIT and Heap would have been. */
+ memset(sinit_base, 0, 1 * MiB);
+ return;
+ }
+
+ cbfsf_decompression_info(&fh, &compression_algo, &decompressed_size);
+
+ /* Align the SINIT size to a power of 2 */
+ const size_t sinit_size = IS_POWER_OF_2(decompressed_size) ?
+ decompressed_size : 1 << (fms(decompressed_size) + 1);
+
+ if (sinit_size >= 1 * MiB) {
+ printk(BIOS_ERR, "TEE-TXT: Invalid SINIT ACM size");
+ /* Clear where SINIT and Heap would have been. */
+ memset(sinit_base, 0, 1 * MiB);
+ return;
+ }
/*
 * Document Number: 558294
 * Chapter 5.5.6.2 SINIT Memory Region
 */
- write64((void *)TXT_SINIT_SIZE, 0x20000);
- write64((void *)TXT_SINIT_BASE,
- ALIGN_DOWN(read64((void *)TXT_HEAP_BASE) -
- read64((void *)TXT_SINIT_SIZE), 4096));
+ write64((void *)TXT_SINIT_SIZE, sinit_size);
+ write64((void *)TXT_SINIT_BASE, (uint64_t)(uintptr_t)sinit_base);
+
+ /*
+ * Document Number: 558294
+ * Chapter 5.5.6.3 Intel TXT Heap Memory Region
+ */
+ write64((void *)TXT_HEAP_SIZE, 1 * MiB - sinit_size);
+ write64((void *)TXT_HEAP_BASE, tseg_base - 1 * MiB + sinit_size);
/*
 * BIOS Data Format
@@ -309,12 +357,12 @@
 data.bdr.version = 5;
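Review bot: The return value of `cbfsf_decompression_info()` is discarded, so if it can fail the way `cbfs_boot_locate()` above does, `compression_algo` and `decompressed_size` are used uninitialised, and the power-of-two rounding runs before any bound is applied to the size read from the CBFS file. `1 << (fms(decompressed_size) + 1)` shifts a plain `int`, which overflows for sizes of 1 GiB and above, and a size of 0 passes `IS_POWER_OF_2()` (assuming the usual `x & (x - 1)` form) and programs a zero-length SINIT region. Checking the call and bounding `decompressed_size` to 512 KiB first (the largest value the existing `sinit_size >= 1 * MiB` test accepts after rounding) keeps the shift count at 19 or less and rejects the empty case. The second `printk` is also missing its trailing `\n`. The enclosing function starts and ends outside the hunk.

```c
/* … unchanged: declarations, sinit_base, cbfs_boot_locate() error path … */

	if (cbfsf_decompression_info(&fh, &compression_algo, &decompressed_size) ||
	    decompressed_size == 0 || decompressed_size > MiB / 2) {
		printk(BIOS_ERR, "TEE-TXT: Invalid SINIT ACM size\n");
		/* Clear where SINIT and Heap would have been. */
		memset(sinit_base, 0, 1 * MiB);
		return;
	}

	/* decompressed_size is 1..512 KiB here, so the shift count is at most 19. */
	const size_t sinit_size = IS_POWER_OF_2(decompressed_size) ?
		decompressed_size : (size_t)1 << (fms(decompressed_size) + 1);

/* … unchanged: TXT_SINIT_* and TXT_HEAP_* register writes … */
```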
data.bdr.no_logical_procs = dev_count_cpu();
-
- void *sinit_base = (void *)(uintptr_t)read64((void *)TXT_SINIT_BASE);
- data.bdr.bios_sinit_size = cbfs_boot_load_file(CONFIG_INTEL_TXT_CBFS_SINIT_ACM,
- sinit_base,
- read64((void *)TXT_SINIT_SIZE),
- CBFS_TYPE_RAW);
+ data.bdr.bios_sinit_size = cbfs_load_and_decompress(&fh.data,
+ 0,
+ region_device_sz(&fh.data),
+ sinit_base,
+ sinit_size,
+ compression_algo);
if (data.bdr.bios_sinit_size) {
 printk(BIOS_INFO, "TEE-TXT: Placing SINIT ACM in memory.\n");
@@ -323,7 +371,7 @@
 } else {
 printk(BIOS_ERR, "TEE-TXT: Couldn't locate SINIT ACM in CBFS.\n");
 /* Clear memory */
- memset(sinit_base, 0, read64((void *)TXT_SINIT_SIZE));
+ memset(sinit_base, 0, sinit_size);
 }
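Review bot: A zero return from `cbfs_load_and_decompress()` now means the read or decompression failed, because the file was already located in the earlier hunk, yet the `else` branch kept as context in the next hunk still logs "Couldn't locate SINIT ACM in CBFS". Changing that message to `"TEE-TXT: Couldn't load SINIT ACM from CBFS.\n"` keeps the two failure modes distinguishable in the boot log. The call also passes `0` and `region_device_sz(&fh.data)` positionally; a short comment naming them as the offset and the stored size would make the bounds of the copy easier to audit.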
struct cbfsf file;
Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt: Account for SINIT ACM's of different sizes ......................................................................
Patch Set 1:
(1 comment)
https://review.coreboot.org/c/coreboot/+/46556/1/src/security/intel/txt/rams... File src/security/intel/txt/ramstage.c:
https://review.coreboot.org/c/coreboot/+/46556/1/src/security/intel/txt/rams... PS1, Line 318: sinit_size on the deltalake board this needs an additional 64K. Not sure what is the case for other SoC's...
Hello build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/46556
to look at the new patch set (#6).
Change subject: sec/intel/txt: Update TXT HEAP and SINIT size ......................................................................
sec/intel/txt: Update TXT HEAP and SINIT size
More recent platforms (Coperlake_SP) need bigger sizes.
Change-Id: Ia3e81d051a03b54233eef6ccdc4740c1a709be40 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M src/security/intel/txt/ramstage.c 1 file changed, 8 insertions(+), 2 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46556/6
Hello build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/46556
to look at the new patch set (#7).
Change subject: sec/intel/txt: Update TXT HEAP and SINIT size ......................................................................
sec/intel/txt: Update TXT HEAP and SINIT size
More recent platforms (Coperlake_SP) need bigger sizes.
Change-Id: Ia3e81d051a03b54233eef6ccdc4740c1a709be40 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M src/security/intel/txt/ramstage.c 1 file changed, 8 insertions(+), 3 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46556/7
Angel Pons has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt: Update TXT HEAP and SINIT size ......................................................................
Patch Set 8: Code-Review+1
(1 comment)
I'll test this on Haswell soon
https://review.coreboot.org/c/coreboot/+/46556/8//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/46556/8//COMMIT_MSG@9 PS8, Line 9: Coperlake_SP Co*o*perlake-SP
Hello build bot (Jenkins), Angel Pons,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/46556
to look at the new patch set (#12).
Change subject: sec/intel/txt: Update TXT HEAP and SINIT size ......................................................................
sec/intel/txt: Update TXT HEAP and SINIT size
More recent platforms (Coperlake_SP) need bigger sizes.
Change-Id: Ia3e81d051a03b54233eef6ccdc4740c1a709be40 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M src/security/intel/txt/ramstage.c 1 file changed, 8 insertions(+), 3 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46556/12
Christian Walter has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt: Update TXT HEAP and SINIT size ......................................................................
Patch Set 12:
(1 comment)
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... File src/security/intel/txt/ramstage.c:
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... PS12, Line 306: define HEAP_SIZE (1 * MiB) : /* Recent SINIT ACM (COOPERLAKE_SP) are 256KiB but also need 64KiB data size */ : #define SINIT_SIZE ((256 + 64) * KiB) Is this something that we should handle on the SoC level?
I don't think that hardcoded values make sense here if they differ throughout the platforms.
Angel Pons has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt: Update TXT HEAP and SINIT size ......................................................................
Patch Set 12:
(1 comment)
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... File src/security/intel/txt/ramstage.c:
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... PS12, Line 306: define HEAP_SIZE (1 * MiB) : /* Recent SINIT ACM (COOPERLAKE_SP) are 256KiB but also need 64KiB data size */ : #define SINIT_SIZE ((256 + 64) * KiB)
Is this something that we should handle on the SoC level? […]
I'd make Kconfig symbols to handle this
Patrick Rudolph has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt: Update TXT HEAP and SINIT size ......................................................................
Patch Set 12:
(2 comments)
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... File src/security/intel/txt/ramstage.c:
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... PS12, Line 307: /* Recent SINIT ACM (COOPERLAKE_SP) are 256KiB but also need 64KiB data size */ what's data size? that's not described in Document Number: 558294
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... PS12, Line 415: write64((void *)TXT_SINIT_SIZE, SINIT_SIZE); according to Document Number: 558294 this should match the SINIT ACM size. Can we use the cbfs file size instead?
Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt: Update TXT HEAP and SINIT size ......................................................................
Patch Set 12:
(3 comments)
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... File src/security/intel/txt/ramstage.c:
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... PS12, Line 307: /* Recent SINIT ACM (COOPERLAKE_SP) are 256KiB but also need 64KiB data size */
what's data size? that's not described in Document Number: 558294
This comes from 572782.
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... PS12, Line 306: define HEAP_SIZE (1 * MiB) : /* Recent SINIT ACM (COOPERLAKE_SP) are 256KiB but also need 64KiB data size */ : #define SINIT_SIZE ((256 + 64) * KiB)
I'd make Kconfig symbols to handle this
Sounds good.
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... PS12, Line 415: write64((void *)TXT_SINIT_SIZE, SINIT_SIZE);
according to Document Number: 558294 this should match the SINIT ACM size. […]
This is not true anymore for Cooperlake_SP. Also see 572782
Hello build bot (Jenkins), Angel Pons,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/46556
to look at the new patch set (#18).
Change subject: sec/intel/txt: Update TXT HEAP and SINIT size ......................................................................
sec/intel/txt: Update TXT HEAP and SINIT size
More recent platforms (Coperlake_SP) need bigger sizes.
Change-Id: Ia3e81d051a03b54233eef6ccdc4740c1a709be40 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M src/security/intel/txt/ramstage.c 1 file changed, 8 insertions(+), 3 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46556/18
Hello build bot (Jenkins), Angel Pons,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/46556
to look at the new patch set (#20).
Change subject: sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable ......................................................................
sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable
More recent platforms (Coperlake_SP) need bigger sizes.
Change-Id: Ia3e81d051a03b54233eef6ccdc4740c1a709be40 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M src/security/intel/txt/Kconfig M src/security/intel/txt/ramstage.c M src/soc/intel/xeon_sp/cpx/Kconfig 3 files changed, 36 insertions(+), 3 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46556/20
Hello build bot (Jenkins), Angel Pons, Patrick Rudolph,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/46556
to look at the new patch set (#22).
Change subject: sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable ......................................................................
sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable
More recent platforms (Coperlake_SP) need bigger sizes.
Change-Id: Ia3e81d051a03b54233eef6ccdc4740c1a709be40 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M src/security/intel/txt/Kconfig M src/security/intel/txt/ramstage.c M src/soc/intel/xeon_sp/cpx/Kconfig 3 files changed, 37 insertions(+), 3 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46556/22
Hello build bot (Jenkins), Angel Pons, Patrick Rudolph,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/46556
to look at the new patch set (#23).
Change subject: sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable ......................................................................
sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable
More recent platforms (Cooperlake) need bigger sizes.
Change-Id: Ia3e81d051a03b54233eef6ccdc4740c1a709be40 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M src/security/intel/txt/Kconfig M src/security/intel/txt/ramstage.c M src/soc/intel/xeon_sp/cpx/Kconfig 3 files changed, 37 insertions(+), 3 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46556/23
Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable ......................................................................
Patch Set 23:
(5 comments)
https://review.coreboot.org/c/coreboot/+/46556/8//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/46556/8//COMMIT_MSG@9 PS8, Line 9: Coperlake_SP
Co*o*perlake-SP
Done
https://review.coreboot.org/c/coreboot/+/46556/1/src/security/intel/txt/rams... File src/security/intel/txt/ramstage.c:
https://review.coreboot.org/c/coreboot/+/46556/1/src/security/intel/txt/rams... PS1, Line 318: sinit_size
on the deltalake board this needs an additional 64K. Not sure what is the case for other SoC's...
Done
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... File src/security/intel/txt/ramstage.c:
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... PS12, Line 307: /* Recent SINIT ACM (COOPERLAKE_SP) are 256KiB but also need 64KiB data size */
This comes from 572782.
Done
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... PS12, Line 306: define HEAP_SIZE (1 * MiB) : /* Recent SINIT ACM (COOPERLAKE_SP) are 256KiB but also need 64KiB data size */ : #define SINIT_SIZE ((256 + 64) * KiB)
Sounds good.
Done
https://review.coreboot.org/c/coreboot/+/46556/12/src/security/intel/txt/ram... PS12, Line 415: write64((void *)TXT_SINIT_SIZE, SINIT_SIZE);
This is not true anymore for Cooperlake_SP. […]
Done
Angel Pons has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable ......................................................................
Patch Set 24: Code-Review+1
(1 comment)
https://review.coreboot.org/c/coreboot/+/46556/24/src/security/intel/txt/ram... File src/security/intel/txt/ramstage.c:
https://review.coreboot.org/c/coreboot/+/46556/24/src/security/intel/txt/ram... PS24, Line 374: This check primarily exists to account for platforms that do not obey INTEL_TXT_DPR_SIZE. Haswell MRC does not have any parameter to specify the DPR size, so the current approach is to patch the binary and use a hardcoded value. For other platforms, dpr.size should always be equal to CONFIG_INTEL_TXT_DPR_SIZE.
Taking this into account, it is possible to express the newly-added check as a build-time assertion:
_Static_assert(CONFIG_INTEL_TXT_DPR_SIZE * MiB >= CONFIG_INTEL_TXT_HEAP_SIZE + CONFIG_INTEL_TXT_SINIT_SIZE, "DPR size is too small to contain TXT heap and SINIT regions");
Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable ......................................................................
Patch Set 24:
(1 comment)
https://review.coreboot.org/c/coreboot/+/46556/24/src/security/intel/txt/ram... File src/security/intel/txt/ramstage.c:
https://review.coreboot.org/c/coreboot/+/46556/24/src/security/intel/txt/ram... PS24, Line 374:
This check primarily exists to account for platforms that do not obey INTEL_TXT_DPR_SIZE. Haswell MRC does not have any parameter to specify the DPR size, so the current approach is to patch the binary and use a hardcoded value. For other platforms, dpr.size should always be equal to CONFIG_INTEL_TXT_DPR_SIZE.
Taking this into account, it is possible to express the newly-added check as a build-time assertion:
_Static_assert(CONFIG_INTEL_TXT_DPR_SIZE * MiB >= CONFIG_INTEL_TXT_HEAP_SIZE + CONFIG_INTEL_TXT_SINIT_SIZE, "DPR size is too small to contain TXT heap and SINIT regions");
Can't you read back what the haswell MRC sets up? On CPX it's also FSP-M that leaves a region between top_of_ram and TSEG empty to be used for DPR, so there is no point in using/synchronising with a Kconfig parameter (and it's also unused at this point).
Hello build bot (Jenkins), Angel Pons, Patrick Rudolph,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/46556
to look at the new patch set (#25).
Change subject: sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable ......................................................................
sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable
More recent platforms (Cooperlake) need bigger sizes.
Change-Id: Ia3e81d051a03b54233eef6ccdc4740c1a709be40 Signed-off-by: Arthur Heymans arthur@aheymans.xyz --- M src/security/intel/txt/Kconfig M src/security/intel/txt/ramstage.c M src/soc/intel/xeon_sp/cpx/Kconfig 3 files changed, 38 insertions(+), 2 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/46556/25
Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable ......................................................................
Patch Set 25:
(1 comment)
https://review.coreboot.org/c/coreboot/+/46556/24/src/security/intel/txt/ram... File src/security/intel/txt/ramstage.c:
https://review.coreboot.org/c/coreboot/+/46556/24/src/security/intel/txt/ram... PS24, Line 374:
This check primarily exists to account for platforms that do not obey INTEL_TXT_DPR_SIZE. […]
Done
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable ......................................................................
Patch Set 25:
(1 comment)
https://review.coreboot.org/c/coreboot/+/46556/25/src/security/intel/txt/ram... File src/security/intel/txt/ramstage.c:
https://review.coreboot.org/c/coreboot/+/46556/25/src/security/intel/txt/ram... PS25, Line 376: < CONFIG_INTEL_TXT_DPR_SIZE * MiB, "TXT Heap and Sinit must fit DPR"); line over 96 characters
Angel Pons has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable ......................................................................
Patch Set 25: Code-Review+2
(1 comment)
https://review.coreboot.org/c/coreboot/+/46556/25/src/security/intel/txt/ram... File src/security/intel/txt/ramstage.c:
https://review.coreboot.org/c/coreboot/+/46556/25/src/security/intel/txt/ram... PS25, Line 376: CONFIG_INTEL_TXT_DPR_SIZE I'll rename this to indicate it's the size in MiB
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable ......................................................................
Patch Set 26:
(1 comment)
https://review.coreboot.org/c/coreboot/+/46556/26/src/security/intel/txt/ram... File src/security/intel/txt/ramstage.c:
https://review.coreboot.org/c/coreboot/+/46556/26/src/security/intel/txt/ram... PS26, Line 376: < CONFIG_INTEL_TXT_DPR_SIZE * MiB, "TXT Heap and Sinit must fit DPR"); line over 96 characters
Hung-Te Lin has submitted this change. ( https://review.coreboot.org/c/coreboot/+/46556 )
Change subject: sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable ......................................................................
sec/intel/txt/Kconfig: Make TXT HEAP and SINIT size configurable
More recent platforms (Cooperlake) need bigger sizes.
Change-Id: Ia3e81d051a03b54233eef6ccdc4740c1a709be40 Signed-off-by: Arthur Heymans arthur@aheymans.xyz Reviewed-on: https://review.coreboot.org/c/coreboot/+/46556 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Angel Pons th3fanbus@gmail.com --- M src/security/intel/txt/Kconfig M src/security/intel/txt/ramstage.c M src/soc/intel/xeon_sp/cpx/Kconfig 3 files changed, 38 insertions(+), 2 deletions(-)
Approvals: build bot (Jenkins): Verified Angel Pons: Looks good to me, approved
diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig
index f9e4bc4..c1442c8 100644
--- a/src/security/intel/txt/Kconfig
+++ b/src/security/intel/txt/Kconfig
@@ -70,4 +70,20 @@
 string
 default "txt_sinit_acm.bin"
+config INTEL_TXT_SINIT_SIZE
+ hex
+ default 0x20000
+ help
+ This is the size that will be programmed in TXT_SINIT_SIZE.
+ This needs to be at least the size of the SINIT ACM.
+ This is platform dependent. For instance on CPX this has
+ to be the ACM size + 64K.
+
+config INTEL_TXT_HEAP_SIZE
+ hex
+ default 0xe0000
+ help
+ This is the size that will be programmed in TXT_HEAP_SIZE.
+ This is platform dependent.
+
 endif
diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c
index 81d2dd1..c33af89 100644
--- a/src/security/intel/txt/ramstage.c
+++ b/src/security/intel/txt/ramstage.c
@@ -372,6 +372,9 @@
 return;
 }
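Review bot: The help for `INTEL_TXT_SINIT_SIZE` says the value must be at least the size of the SINIT ACM, but nothing in the option enforces that, and `INTEL_TXT_HEAP_SIZE` states no constraint at all. Both values are used in ramstage.c to derive 4 KiB-aligned bases below TSEG and are checked against the DPR size at build time, so each help block should say that the value is a byte count, should be a multiple of 4 KiB, and that heap plus SINIT must be smaller than the DPR. A line such as `Must be a multiple of 4 KiB; HEAP + SINIT must be smaller than the DPR.` in each help text would tell a board porter this before the build fails.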
+ _Static_assert(CONFIG_INTEL_TXT_HEAP_SIZE + CONFIG_INTEL_TXT_SINIT_SIZE
+ < CONFIG_INTEL_TXT_DPR_SIZE * MiB, "TXT Heap and Sinit must fit DPR");
+
 if (dpr.size < CONFIG_INTEL_TXT_DPR_SIZE) {
 printk(BIOS_ERR, "TEE-TXT: MCH DPR configured size is too small.\n");
 return;
@@ -396,7 +399,7 @@
 * Document Number: 558294
 * Chapter 5.5.6.3 Intel TXT Heap Memory Region
 */
- write64((void *)TXT_HEAP_SIZE, 0xE0000);
+ write64((void *)TXT_HEAP_SIZE, CONFIG_INTEL_TXT_HEAP_SIZE);
 write64((void *)TXT_HEAP_BASE,
 ALIGN_DOWN(tseg_base - read64((void *)TXT_HEAP_SIZE), 4096));
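Review bot: The `_Static_assert` compares the plain sum of the two sizes with the DPR size, but the two `write64` hunks that follow place the regions with `ALIGN_DOWN(..., 4096)` applied twice, so a size that is not a 4 KiB multiple pushes the SINIT base lower than `tseg_base - (HEAP + SINIT)` and the assertion can pass while the layout no longer fits. Requiring page-multiple sizes closes that gap: `_Static_assert(CONFIG_INTEL_TXT_HEAP_SIZE % 4096 == 0 && CONFIG_INTEL_TXT_SINIT_SIZE % 4096 == 0, "TXT heap and SINIT sizes must be 4 KiB multiples");`. A one-line comment stating why the comparison is a strict `<` would also help, since the runtime test right after it uses `dpr.size < CONFIG_INTEL_TXT_DPR_SIZE`. The enclosing function starts and ends outside the hunk.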
@@ -404,7 +407,7 @@
 * Document Number: 558294
 * Chapter 5.5.6.2 SINIT Memory Region
 */
- write64((void *)TXT_SINIT_SIZE, 0x20000);
+ write64((void *)TXT_SINIT_SIZE, CONFIG_INTEL_TXT_SINIT_SIZE);
 write64((void *)TXT_SINIT_BASE,
 ALIGN_DOWN(read64((void *)TXT_HEAP_BASE) -
 read64((void *)TXT_SINIT_SIZE), 4096));
diff --git a/src/soc/intel/xeon_sp/cpx/Kconfig b/src/soc/intel/xeon_sp/cpx/Kconfig
index 43337b5..7b583cd 100644
--- a/src/soc/intel/xeon_sp/cpx/Kconfig
+++ b/src/soc/intel/xeon_sp/cpx/Kconfig
@@ -104,4 +104,21 @@
 int
 default 512
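Review bot: `CONFIG_INTEL_TXT_SINIT_SIZE` may now exceed the ACM image (the CPX default further down is the ACM plus 64 KiB of SINIT data), so the region described by `TXT_SINIT_SIZE` has a tail that the ACM copy does not write. The load itself is outside this hunk; if it is unchanged from the lines patch set 1 removed, the register value is only passed as a maximum size and the region is cleared only on failure, which would leave that tail holding whatever DRAM contained. Consider clearing the whole region before the load, e.g. `memset(sinit_base, 0, read64((void *)TXT_SINIT_SIZE));`, or adding a comment that cites where document 572782 says SINIT initialises its data area.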
+if INTEL_TXT
+
+config INTEL_TXT_SINIT_SIZE
+ hex
+ default 0x50000
+ help
+ According to document number 572782 this needs to be 256KiB
+ for the SINIT module and 64KiB for SINIT data.
+
+config INTEL_TXT_HEAP_SIZE
+ hex
+ default 0xf0000
+ help
+ This must be 960KiB according to 572782.
+
+endif # INTEL_TXT
+
 endif