GNUBoot
/
coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

security/intel/txt: Correct reporting of chipset production fuse state 

Implement the chipset production fuse state reporting as described in
the Intel TXT Software Development Guide. Also fix all occurrences
where the production fuse state is checked.

TEST=Dell OptiPlex 9010 with i7-3770/Q77 reports the chipset is
production fused

Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Change-Id: Ic86c5a9e1d162630a1cf61435d1014edabf104b0
Reviewed-on: https://review.coreboot.org/c/coreboot/+/59514
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This commit is contained in:
Michał Żygowski 2021-11-21 12:29:58 +01:00
parent 20fe2ee502
commit 9734e8091f
3 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/security/intel/txt/common.c
View File

@ -141,6 +141,22 @@ bool intel_txt_memory_has_secrets(void)
return ret; return ret;
} }
bool intel_txt_chipset_is_production_fused(void)
{
/*
* Certain chipsets report production fused information in either
* TXT.VER.FSBIF or TXT.VER.EMIF/TXT.VER.QPIIF.
* Chapter B.1.7 and B.1.9
* Intel TXT Software Development Guide (Document: 315168-015)
*/
uint32_t reg = read32((void *)TXT_VER_FSBIF);
if (reg == 0 || reg == UINT32_MAX)
reg = read32((void *)TXT_VER_QPIIF);
return (reg & TXT_VER_PRODUCTION_FUSED) ? true : false;
}
static struct acm_info_table *find_info_table(const void *ptr) static struct acm_info_table *find_info_table(const void *ptr)
{ {
const struct acm_header_v0 *acm_header = (struct acm_header_v0 *)ptr; const struct acm_header_v0 *acm_header = (struct acm_header_v0 *)ptr;
@ -203,8 +219,8 @@ static int validate_acm(const void *ptr)
if (memcmp(acm_uuid, info->uuid, sizeof(acm_uuid)) != 0) if (memcmp(acm_uuid, info->uuid, sizeof(acm_uuid)) != 0)
return ACM_E_UUID_NOT_MATCH; return ACM_E_UUID_NOT_MATCH;
if ((acm_header->flags & ACM_FORMAT_FLAGS_DEBUG) == const bool production_acm = !(acm_header->flags & ACM_FORMAT_FLAGS_DEBUG);
(read64((void *)TXT_VER_FSBIF) & TXT_VER_PRODUCTION_FUSED)) if (production_acm != intel_txt_chipset_is_production_fused())
return ACM_E_PLATFORM_IS_NOT_PROD; return ACM_E_PLATFORM_IS_NOT_PROD;
return 0; return 0;

2
src/security/intel/txt/logging.c
View File

@ -185,7 +185,7 @@ void txt_dump_chipset_info(void)
printk(BIOS_INFO, "TEE-TXT: DIDVID 0x%x\n", read32((void *)TXT_DIDVID)); printk(BIOS_INFO, "TEE-TXT: DIDVID 0x%x\n", read32((void *)TXT_DIDVID));
printk(BIOS_INFO, "TEE-TXT: production fused chipset: %s\n", printk(BIOS_INFO, "TEE-TXT: production fused chipset: %s\n",
(read64((void *)TXT_VER_FSBIF) & TXT_VER_PRODUCTION_FUSED) ? "true" : "false"); intel_txt_chipset_is_production_fused() ? "true" : "false");
} }
void txt_dump_regions(void) void txt_dump_regions(void)

1
src/security/intel/txt/txt.h
View File

@ -23,6 +23,7 @@ void intel_txt_log_bios_acm_error(void);
int intel_txt_log_acm_error(const uint32_t acm_error); int intel_txt_log_acm_error(const uint32_t acm_error);
void intel_txt_log_spad(void); void intel_txt_log_spad(void);
bool intel_txt_memory_has_secrets(void); bool intel_txt_memory_has_secrets(void);
bool intel_txt_chipset_is_production_fused(void);
void intel_txt_run_sclean(void); void intel_txt_run_sclean(void);
int intel_txt_run_bios_acm(const u8 input_params); int intel_txt_run_bios_acm(const u8 input_params);
bool intel_txt_prepare_txt_env(void); bool intel_txt_prepare_txt_env(void);