GNUBoot
/
coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sec/intel/txt: Extract BIOS ACM loading into a function 

Tested on Asrock B85M Pro4, still boots with TXT enabled.

Change-Id: I0b04955b341848ea8627a9c3ffd6a68cd49c3858
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46593
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
This commit is contained in:
Angel Pons 2020-10-20 14:17:42 +02:00
parent 84641c8183
commit 7b4d67cf42
1 changed files with 45 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
src/security/intel/txt/common.c
View File

@ -210,29 +210,28 @@ static int validate_acm(const void *ptr)
} }
/* /*
* Test all bits for TXT execution. * Prepare to run the BIOS ACM: mmap it from the CBFS and verify that it
* * can be launched. Returns pointer to ACM on success, NULL on failure.
* @return 0 on success
*/ */
int intel_txt_run_bios_acm(const u8 input_params) static void *intel_txt_prepare_bios_acm(struct region_device *acm, size_t *acm_len)
{ {
struct cbfsf file; struct cbfsf file;
void *acm_data; void *acm_data = NULL;
struct region_device acm;
size_t acm_len; if (!acm || !acm_len)
int ret; return NULL;
if (cbfs_boot_locate(&file, CONFIG_INTEL_TXT_CBFS_BIOS_ACM, NULL)) { if (cbfs_boot_locate(&file, CONFIG_INTEL_TXT_CBFS_BIOS_ACM, NULL)) {
printk(BIOS_ERR, "TEE-TXT: Couldn't locate BIOS ACM in CBFS.\n"); printk(BIOS_ERR, "TEE-TXT: Couldn't locate BIOS ACM in CBFS.\n");
return -1; return NULL;
} }
cbfs_file_data(&acm, &file); cbfs_file_data(acm, &file);
acm_data = rdev_mmap_full(&acm); acm_data = rdev_mmap_full(acm);
acm_len = region_device_sz(&acm); *acm_len = region_device_sz(acm);
if (!acm_data || acm_len == 0) { if (!acm_data || *acm_len == 0) {
printk(BIOS_ERR, "TEE-TXT: Couldn't map BIOS ACM from CBFS.\n"); printk(BIOS_ERR, "TEE-TXT: Couldn't map BIOS ACM from CBFS.\n");
return -1; return NULL;
} }
/* /*
@ -242,8 +241,8 @@ int intel_txt_run_bios_acm(const u8 input_params)
*/ */
if (!IS_ALIGNED((uintptr_t)acm_data, 4096)) { if (!IS_ALIGNED((uintptr_t)acm_data, 4096)) {
printk(BIOS_ERR, "TEE-TXT: BIOS ACM isn't mapped at page boundary.\n"); printk(BIOS_ERR, "TEE-TXT: BIOS ACM isn't mapped at page boundary.\n");
rdev_munmap(&acm, acm_data); rdev_munmap(acm, acm_data);
return -1; return NULL;
} }
/* /*
@ -251,20 +250,20 @@ int intel_txt_run_bios_acm(const u8 input_params)
* SAFER MODE EXTENSIONS REFERENCE. * SAFER MODE EXTENSIONS REFERENCE.
* Intel 64 and IA-32 Architectures Software Developer Manuals Vol 2D * Intel 64 and IA-32 Architectures Software Developer Manuals Vol 2D
*/ */
if (!IS_ALIGNED(acm_len, 64)) { if (!IS_ALIGNED(*acm_len, 64)) {
printk(BIOS_ERR, "TEE-TXT: BIOS ACM size isn't multiple of 64.\n"); printk(BIOS_ERR, "TEE-TXT: BIOS ACM size isn't multiple of 64.\n");
rdev_munmap(&acm, acm_data); rdev_munmap(acm, acm_data);
return -1; return NULL;
} }
/* /*
* The ACM should be aligned to it's size, but that's not possible, as * The ACM should be aligned to it's size, but that's not possible, as
* some ACMs are not power of two. Use the next power of two for verification. * some ACMs are not power of two. Use the next power of two for verification.
*/ */
if (!IS_ALIGNED((uintptr_t)acm_data, (1UL << log2_ceil(acm_len)))) { if (!IS_ALIGNED((uintptr_t)acm_data, (1UL << log2_ceil(*acm_len)))) {
printk(BIOS_ERR, "TEE-TXT: BIOS ACM isn't aligned to its size.\n"); printk(BIOS_ERR, "TEE-TXT: BIOS ACM isn't aligned to its size.\n");
rdev_munmap(&acm, acm_data); rdev_munmap(acm, acm_data);
return -1; return NULL;
} }
/* /*
@ -272,22 +271,40 @@ int intel_txt_run_bios_acm(const u8 input_params)
* a page (4 KiB) of unused memory after the BIOS ACM. On Haswell, failure * a page (4 KiB) of unused memory after the BIOS ACM. On Haswell, failure
* to do so will cause a TXT reset with Class Code 5, Major Error Code 2. * to do so will cause a TXT reset with Class Code 5, Major Error Code 2.
*/ */
if (popcnt(ALIGN_UP(acm_len, 4096)) > get_var_mtrr_count()) { if (popcnt(ALIGN_UP(*acm_len, 4096)) > get_var_mtrr_count()) {
printk(BIOS_ERR, "TEE-TXT: Not enough MTRRs to cache this BIOS ACM's size.\n"); printk(BIOS_ERR, "TEE-TXT: Not enough MTRRs to cache this BIOS ACM's size.\n");
rdev_munmap(&acm, acm_data); rdev_munmap(acm, acm_data);
return -1; return NULL;
} }
if (CONFIG(INTEL_TXT_LOGGING)) if (CONFIG(INTEL_TXT_LOGGING))
txt_dump_acm_info(acm_data); txt_dump_acm_info(acm_data);
ret = validate_acm(acm_data); const int ret = validate_acm(acm_data);
if (ret < 0) { if (ret < 0) {
printk(BIOS_ERR, "TEE-TXT: Validation of ACM failed with: %d\n", ret); printk(BIOS_ERR, "TEE-TXT: Validation of ACM failed with: %d\n", ret);
rdev_munmap(&acm, acm_data); rdev_munmap(acm, acm_data);
return ret; return NULL;
} }
return acm_data;
}
/*
* Test all bits for TXT execution.
*
* @return 0 on success
*/
int intel_txt_run_bios_acm(const u8 input_params)
{
struct region_device acm;
size_t acm_len;
void *acm_data = intel_txt_prepare_bios_acm(&acm, &acm_len);
if (!acm_data)
return -1;
/* Call into assembly which invokes the referenced ACM */ /* Call into assembly which invokes the referenced ACM */
getsec_enteraccs(input_params, (uintptr_t)acm_data, acm_len); getsec_enteraccs(input_params, (uintptr_t)acm_data, acm_len);