util/intelmetool: Fix bootguard dump

* Fix broken bootguard report on Intel ME 9.5+
* Fix broken debug statement
* Add additional rehide_me()
* Move last rehide_me()

Tested on Lenovo T470p. It shows correct BootGuard state:
Verified & Measured Boot.

Tested on Lenovo T430. It shows correct BootGuard state: Disabled.

Change-Id: Ib6c49ee39dd9962a4981e7de19b1c98c753f2944
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/25400
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Patrick Rudolph 2018-02-02 14:43:28 +01:00 committed by Philipp Deppenwiese
parent 0391d0b023
commit 405d2eabe0
1 changed files with 9 additions and 9 deletions


@ -323,7 +323,7 @@ static void dump_bootguard_info(void)
{ {
struct pci_dev *dev; struct pci_dev *dev;
char namebuf[1024]; char namebuf[1024];
const char *name; const char *name = NULL;
uint64_t bootguard = 0; uint64_t bootguard = 0;
if (pci_platform_scan()) if (pci_platform_scan())
@ -343,16 +343,10 @@ static void dump_bootguard_info(void)
} }
} }
if (debug) {
printf("BootGuard MSR Output: 0x%" PRIx64 "\n", bootguard);
bootguard &= ~0xff;
}
/* ME_major_ver is zero on some platforms (Mac) */ /* ME_major_ver is zero on some platforms (Mac) */
if (ME_major_ver && if (ME_major_ver &&
(ME_major_ver < 9 || (ME_major_ver < 9 ||
(ME_major_ver == 9 && ME_minor_ver < 5) || (ME_major_ver == 9 && ME_minor_ver < 5))) {
!BOOTGUARD_CAPABILITY(bootguard))) {
print_cap("BootGuard ", 0); print_cap("BootGuard ", 0);
printf(CGRN "\nYour system isn't bootguard ready. You can " printf(CGRN "\nYour system isn't bootguard ready. You can "
"flash other firmware!\n" RESET); "flash other firmware!\n" RESET);
@ -363,15 +357,22 @@ static void dump_bootguard_info(void)
if (msr_bootguard(&bootguard, debug) < 0) { if (msr_bootguard(&bootguard, debug) < 0) {
printf("ME Capability: %-43s: " CCYN "%s\n" RESET, printf("ME Capability: %-43s: " CCYN "%s\n" RESET,
"BootGuard Mode", "Unknown"); "BootGuard Mode", "Unknown");
rehide_me();
return; return;
} }
if (debug) {
printf("BootGuard MSR Output: 0x%" PRIx64 "\n", bootguard);
bootguard &= ~0xff;
}
print_cap("BootGuard ", 1); print_cap("BootGuard ", 1);
if (pci_read_long(dev, 0x40) & 0x10) if (pci_read_long(dev, 0x40) & 0x10)
printf(CYEL "Your southbridge configuration is insecure!! " printf(CYEL "Your southbridge configuration is insecure!! "
"BootGuard keys can be overwritten or wiped, or you are " "BootGuard keys can be overwritten or wiped, or you are "
"in developer mode.\n" "in developer mode.\n"
RESET); RESET);
rehide_me();
switch (bootguard) { switch (bootguard) {
case BOOTGUARD_DISABLED: case BOOTGUARD_DISABLED:
@ -400,7 +401,6 @@ static void dump_bootguard_info(void)
"firmware.\n" RESET); "firmware.\n" RESET);
break; break;
} }
rehide_me();
} }
static void print_version(void) static void print_version(void)
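Review bot: In the third hunk the `bootguard &= ~0xff;` that strips the low byte runs only inside `if (debug)`, so the value reaching `switch (bootguard)` differs between a debug and a non-debug run unless msr_bootguard() already clears those bits, which the hunk does not show; the commit relocates this block but keeps that asymmetry. Apply the mask unconditionally and leave only the print under the flag: `if (debug)` / `printf("BootGuard MSR Output: 0x%" PRIx64 "\n", bootguard);` / `bootguard &= ~0xff;`. The second hunk removes the `BOOTGUARD_CAPABILITY(bootguard)` test (it was evaluated before the MSR was read, so dropping it there is right) but nothing visible consults the capability bit after msr_bootguard() succeeds, so a part whose MSR reports no capability now depends on the switch having a matching case; a check after msr_bootguard(), or a comment stating that the switch covers that case, would make the intent explicit. dump_bootguard_info() begins before the first hunk and the switch body continues outside the third.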