soc/intel/common: Merge TME new key gen and exclusion range configs

Merge TME_KEY_REGENERATION_ON_WARM_BOOT and
TME_EXCLUDE_CBMEM_ENCRYPTION config options under new config option
named TME_KEY_REGENERATION_ON_WARM_BOOT.

Program Intel TME to generate a new key for each warm boot. TME always
generates a new key on each cold boot. With this option enabled TME
generates a new key even in warm boot. Without this option TME reuses
the key for warm boot.

If a new key is generated on warm boot, DRAM contents from previous
warm boot will not get decrypted. This creates issue in accessing
CBMEM region from previous warm boot. To mitigate the issue coreboot
also programs exclusion range. Intel TME does not encrypt physical
memory range set in exclusion range. Current coreboot implementation
programs TME to exclude CBMEM region. When this config option is
enabled, coreboot instructs Intel FSP to program TME to generate
a new key on every warm boot and also exclude CBMEM region from being
encrypted by TME.

BUG=b:276120526
TEST=Able to build rex.

Change-Id: I19d9504229adb1abff2ef394c4ca113c335099c2
Signed-off-by: Pratikkumar Prajapati <pratikkumar.v.prajapati@intel.corp-partner.google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/76879
Reviewed-by: Sridhar Siricilla <sridhar.siricilla@intel.com>
Reviewed-by: Subrata Banik <subratabanik@google.com>
Reviewed-by: Kapil Porwal <kapilporwal@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This commit is contained in:
Pratikkumar Prajapati 2023-08-01 09:53:55 -07:00 committed by Felix Held
parent bc1533e089
commit 62ceabc4d1
1 changed files with 10 additions and 19 deletions

View File

@ -142,7 +142,7 @@ config INTEL_TME
it would get enabled. If CPU supports MKTME, this same config option
enables MKTME.
config TME_GENERATE_NEW_KEY_ON_WARM_BOOT
config TME_KEY_REGENERATION_ON_WARM_BOOT
bool "Generate new TME key on each warm boot"
depends on INTEL_TME
default n
@ -152,24 +152,15 @@ config TME_GENERATE_NEW_KEY_ON_WARM_BOOT
generates a new key even in warm boot. Without this option TME reuses
the key for warm boot.
config TME_EXCLUDE_CBMEM_ENCRYPTION
bool "Exclude CBMEM from TME encryption"
depends on INTEL_TME
default n
help
This option allows to exclude the CBMEM region from being encrypted by
Intel TME. When TME is enabled it encrypts whole DRAM. TME provides
option to carve out a region of physical memory to get excluded from
encryption. With this config enabled, CBMEM region does not get
encrypted by TME. If TME is not programmed to generate a new key in
warm boot, exclusion range does not need be programmed due to the
fact that TME uses same key in warm boot if
TME_GENERATE_NEW_KEY_ON_WARM_BOOT is not set. But if TME is programmed
to generate a new key in warm boot, contents of the CBMEM get
encrypted with a new key in each warm boot case hence, that leads to
loss of CBMEM data from previous warm boot. So enabling this config
allows CBMEM region to get excluded from being encrypted and can be
accessible irrespective of the type of the platform reset.
If a new key is generated on warm boot, DRAM contents from previous
warm boot will not get decrypted. This creates issue in accessing
CBMEM region from previous warm boot. To mitigate the issue coreboot
also programs exclusion range. Intel TME does not encrypt physical
memory range set in exclusion range. Current coreboot implementation
programs TME to exclude CBMEM region. When this config option is
enabled, coreboot instructs Intel FSP to program TME to generate
a new key on every warm boot and also exclude CBMEM region from being
encrypted by TME.
config CPU_XTAL_HZ
int