util/intelmetool: Fix bootguard dump

* Fix broken bootguard report on Intel ME 9.5+
* Fix broken debug statement
* Add additional rehide_me()
* Move last rehide_me()

Tested on Lenovo T470p. It shows correct BootGuard state:
Verified & Measured Boot.

Tested on Lenovo T430. It shows correct BootGuard state: Disabled.

Change-Id: Ib6c49ee39dd9962a4981e7de19b1c98c753f2944
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/25400
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
This commit is contained in:
Patrick Rudolph 2018-02-02 14:43:28 +01:00 committed by Philipp Deppenwiese
parent 0391d0b023
commit 405d2eabe0
1 changed files with 9 additions and 9 deletions

View File

@ -323,7 +323,7 @@ static void dump_bootguard_info(void)
{
struct pci_dev *dev;
char namebuf[1024];
const char *name;
const char *name = NULL;
uint64_t bootguard = 0;
if (pci_platform_scan())
@ -343,16 +343,10 @@ static void dump_bootguard_info(void)
}
}
if (debug) {
printf("BootGuard MSR Output: 0x%" PRIx64 "\n", bootguard);
bootguard &= ~0xff;
}
/* ME_major_ver is zero on some platforms (Mac) */
if (ME_major_ver &&
(ME_major_ver < 9 ||
(ME_major_ver == 9 && ME_minor_ver < 5) ||
!BOOTGUARD_CAPABILITY(bootguard))) {
(ME_major_ver == 9 && ME_minor_ver < 5))) {
print_cap("BootGuard ", 0);
printf(CGRN "\nYour system isn't bootguard ready. You can "
"flash other firmware!\n" RESET);
@ -363,15 +357,22 @@ static void dump_bootguard_info(void)
if (msr_bootguard(&bootguard, debug) < 0) {
printf("ME Capability: %-43s: " CCYN "%s\n" RESET,
"BootGuard Mode", "Unknown");
rehide_me();
return;
}
if (debug) {
printf("BootGuard MSR Output: 0x%" PRIx64 "\n", bootguard);
bootguard &= ~0xff;
}
print_cap("BootGuard ", 1);
if (pci_read_long(dev, 0x40) & 0x10)
printf(CYEL "Your southbridge configuration is insecure!! "
"BootGuard keys can be overwritten or wiped, or you are "
"in developer mode.\n"
RESET);
rehide_me();
switch (bootguard) {
case BOOTGUARD_DISABLED:
@ -400,7 +401,6 @@ static void dump_bootguard_info(void)
"firmware.\n" RESET);
break;
}
rehide_me();
}
static void print_version(void)