sec/intel/txt: Allow skipping ACM NOP function

This is merely used to test whether the BIOS ACM calling code is working properly. There's no need to do this on production platforms. Testing on Haswell showed that running this NOP function breaks S3 resume with TXT. Add a Kconfig bool to control whether the NOP function is to be invoked. Change-Id: Ibf461c18a96f1add7867e1320726fadec65b7184 Signed-off-by: Angel Pons <th3fanbus@gmail.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/46496 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
2020-10-16 10:49:12 +02:00 · 2020-10-16 10:49:12 +02:00 · 8a285fd8a5
parent c037695c19
commit 8a285fd8a5
2 changed files with 19 additions and 10 deletions
--- a/src/security/intel/txt/Kconfig
+++ b/src/security/intel/txt/Kconfig
@ -40,6 +40,12 @@ config INTEL_TXT_DPR_SIZE
 	  the MRC does not have an input to specify the size of DPR, so this
 	  field is only used to check if the programmed size is large enough.

+config INTEL_TXT_TEST_BIOS_ACM_CALLING_CODE
+	bool "Test BIOS ACM calling code with NOP function"
+	help
+	  Run a NOP function of the BIOS ACM to check that the ACM calling code
+	  is functioning properly. Use in pre-production environments only!
+
 config INTEL_TXT_LOGGING
 	bool "Enable verbose logging"
 	help
--- a/src/security/intel/txt/ramstage.c
+++ b/src/security/intel/txt/ramstage.c
@ -151,17 +151,20 @@ static void init_intel_txt(void *unused)
 		return;
 	}

-	printk(BIOS_INFO, "TEE-TXT: Testing BIOS ACM calling code...\n");
+	if (CONFIG(INTEL_TXT_TEST_BIOS_ACM_CALLING_CODE)) {
+		printk(BIOS_INFO, "TEE-TXT: Testing BIOS ACM calling code...\n");

-	/*
-	 * Test BIOS ACM code.
-	 * ACM should do nothing on reserved functions, and return an error code
-	 * in TXT_BIOSACM_ERRORCODE. Tests showed that this is not true.
-	 * Use special function "NOP" that does 'nothing'.
-	 */
-	if (intel_txt_run_bios_acm(ACMINPUT_NOP) < 0) {
-		printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM with NOP function.\n");
-		return;
+		/*
+		 * Test BIOS ACM code.
+		 * ACM should do nothing on reserved functions, and return an error code
+		 * in TXT_BIOSACM_ERRORCODE. Tests showed that this is not true.
+		 * Use special function "NOP" that does 'nothing'.
+		 */
+		if (intel_txt_run_bios_acm(ACMINPUT_NOP) < 0) {
+			printk(BIOS_ERR,
+				"TEE-TXT: Error calling BIOS ACM with NOP function.\n");
+			return;
+		}
 	}

 	if (status & (ACMSTS_BIOS_TRUSTED | ACMSTS_IBB_MEASURED)) {