security/intel/txt: Allow using CF9 reset, too

Soften the hard dependency on SOC_INTEL_COMMON_BLOCK_SA by allowing CF9
resets to be used in place of global resets. If both types of reset are
available, prefer a global reset. This preserves current behavior, and
allows more platforms to use the TXT support code, such as Haswell.

Change-Id: I034fa0b342135e7101c21646be8fd6b5d3252d9e
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/44181
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>

src/security/intel/txt/Kconfig

@@ -9,7 +9,7 @@ config INTEL_TXT
 	depends on (TPM1 || TPM2)
 	depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
 	depends on PLATFORM_HAS_DRAM_CLEAR
-	depends on SOC_INTEL_COMMON_BLOCK_SA
+	depends on (SOC_INTEL_COMMON_BLOCK_SA || HAVE_CF9_RESET)
 
 if INTEL_TXT
 

src/security/intel/txt/common.c

@@ -10,11 +10,27 @@
 #include <cpu/x86/mp.h>
 #include <lib.h>
 #include <smp/node.h>
+
+#if CONFIG(SOC_INTEL_COMMON_BLOCK_SA)
 #include <soc/intel/common/reset.h>
+#else
+#include <cf9_reset.h>
+#endif
+
 #include "txt.h"
 #include "txt_register.h"
 #include "txt_getsec.h"
 
+/* Usual security practice: if an unexpected error happens, reboot */
+static void __noreturn txt_reset_platform(void)
+{
+#if CONFIG(SOC_INTEL_COMMON_BLOCK_SA)
+	global_reset();
+#else
+	full_reset();
+#endif
+}
+
 /**
  * Dump the ACM error status bits.
  *
@@ -310,7 +326,7 @@ bool intel_txt_prepare_txt_env(void)
 	msr_t msr = rdmsr(IA32_FEATURE_CONTROL);
 	if (!(msr.lo & BIT(0))) {
 		printk(BIOS_ERR, "TEE-TXT: IA32_FEATURE_CONTROL is not locked\n");
-		global_reset();
+		txt_reset_platform();
 	}
 
 	printk(BIOS_DEBUG, "TEE-TXT: IA32_FEATURE_CONTROL\n");