util/intelmetool: Fix the BootGuard dump feature
Read the correct bits for measured and verified boot, print information about some other bits. Signed-off-by: Pablo Stebler <pablo@stebler.xyz> Change-Id: Ie79d6da33032aee94d716bf0698b5501bbc424fa Reviewed-on: https://review.coreboot.org/c/coreboot/+/45516 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Angel Pons <th3fanbus@gmail.com>
parent
ca128a0eb4
commit
9ac91d220f
|
@ -314,12 +314,16 @@ out:
|
||||||
rehide_me();
|
rehide_me();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void print_btg_bool_param(const char *name, u8 state)
|
||||||
|
{
|
||||||
|
printf("%-20s : %s\n", name, state ? "ON" : "OFF");
|
||||||
|
}
|
||||||
|
|
||||||
static void dump_bootguard_info(void)
|
static void dump_bootguard_info(void)
|
||||||
{
|
{
|
||||||
struct pci_dev *dev;
|
struct pci_dev *dev;
|
||||||
char namebuf[1024];
|
char namebuf[1024];
|
||||||
const char *name = NULL;
|
const char *name = NULL;
|
||||||
uint64_t bootguard = 0;
|
|
||||||
|
|
||||||
if (pci_platform_scan())
|
if (pci_platform_scan())
|
||||||
return;
|
return;
|
||||||
|
@ -342,59 +346,74 @@ static void dump_bootguard_info(void)
|
||||||
if (ME_major_ver &&
|
if (ME_major_ver &&
|
||||||
(ME_major_ver < 9 ||
|
(ME_major_ver < 9 ||
|
||||||
(ME_major_ver == 9 && ME_minor_ver < 5))) {
|
(ME_major_ver == 9 && ME_minor_ver < 5))) {
|
||||||
print_cap("BootGuard ", 0);
|
printf(CGRN "Your system isn't BootGuard ready.\n"
|
||||||
printf(CGRN "\nYour system isn't bootguard ready. You can "
|
"You can flash other firmware!\n" RESET);
|
||||||
"flash other firmware!\n" RESET);
|
|
||||||
rehide_me();
|
rehide_me();
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (msr_bootguard(&bootguard, debug) < 0) {
|
|
||||||
printf("ME Capability: %-43s: " CCYN "%s\n" RESET,
|
|
||||||
"BootGuard Mode", "Unknown");
|
|
||||||
rehide_me();
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (debug) {
|
|
||||||
printf("BootGuard MSR Output: 0x%" PRIx64 "\n", bootguard);
|
|
||||||
bootguard &= ~0xff;
|
|
||||||
}
|
|
||||||
|
|
||||||
print_cap("BootGuard ", 1);
|
|
||||||
if (pci_read_long(dev, 0x40) & 0x10)
|
if (pci_read_long(dev, 0x40) & 0x10)
|
||||||
printf(CYEL "Your southbridge configuration is insecure!! "
|
printf(CYEL "Your southbridge configuration is insecure!!\n"
|
||||||
"BootGuard keys can be overwritten or wiped, or you are "
|
"BootGuard keys can be overwritten or wiped, or you are "
|
||||||
"in developer mode.\n"
|
"in developer mode.\n"
|
||||||
RESET);
|
RESET);
|
||||||
rehide_me();
|
rehide_me();
|
||||||
|
|
||||||
switch (bootguard) {
|
union {
|
||||||
case BOOTGUARD_DISABLED:
|
struct {
|
||||||
printf("ME Capability: %-43s: " CGRN "%s\n" RESET,
|
u8 nem_enabled : 1; /* [ 0.. 0] */
|
||||||
"BootGuard Mode", "Disabled");
|
u8 tpm_type : 2; /* [ 2.. 1] */
|
||||||
printf(CGRN "\nYour system is bootguard ready but your vendor "
|
u8 tpm_success : 1; /* [ 3.. 3] */
|
||||||
"disabled it. You can flash other firmware!\n" RESET);
|
u8 facb_fpf : 1; /* [ 4.. 4] */
|
||||||
break;
|
u8 measured_boot : 1; /* [ 5.. 5] */
|
||||||
case BOOTGUARD_ENABLED_COMBI_MODE:
|
u8 verified_boot : 1; /* [ 6.. 6] */
|
||||||
printf("ME Capability: %-43s: " CGRN "%s\n" RESET,
|
u8 module_revoked : 1; /* [ 7.. 7] */
|
||||||
"BootGuard Mode", "Verified & Measured Boot");
|
u32 : 24;
|
||||||
printf(CRED "\nVerified boot is enabled. You can't flash other "
|
u8 btg_capability : 1; /* [32..32] */
|
||||||
"firmware. !\n" RESET);
|
u32 : 31;
|
||||||
break;
|
};
|
||||||
case BOOTGUARD_ENABLED_MEASUREMENT_MODE:
|
u64 raw;
|
||||||
printf("ME Capability: %-43s: " CGRN "%s\n" RESET,
|
} btg;
|
||||||
"BootGuard Mode", "Measured Boot");
|
|
||||||
printf(CGRN "\nYour system is bootguard ready but only running "
|
if (msr_bootguard(&btg.raw) < 0) {
|
||||||
"the measured boot mode. You can flash other firmware!\n"
|
printf("Could not read the BOOTGUARD_SACM_INFO MSR.\n");
|
||||||
RESET);
|
return;
|
||||||
break;
|
}
|
||||||
case BOOTGUARD_ENABLED_VERIFIED_MODE:
|
|
||||||
printf("ME Capability: %-43s: " CGRN "%s\n" RESET,
|
printf("BootGuard MSR Output : 0x%" PRIx64 "\n", btg.raw);
|
||||||
"BootGuard Mode", "Verified Boot");
|
|
||||||
printf(CRED "\nVerified boot is enabled! You can't flash other "
|
if (!btg.btg_capability) {
|
||||||
"firmware.\n" RESET);
|
printf(CGRN "Your system isn't BootGuard ready.\n"
|
||||||
break;
|
"You can flash other firmware!\n" RESET);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
print_btg_bool_param("Measured boot", btg.measured_boot);
|
||||||
|
print_btg_bool_param("Verified boot", btg.verified_boot);
|
||||||
|
print_btg_bool_param("FACB in FPFs", btg.facb_fpf);
|
||||||
|
print_btg_bool_param("Module revoked", btg.module_revoked);
|
||||||
|
if (btg.measured_boot) {
|
||||||
|
const char *const tpm_type_strs[] = {
|
||||||
|
"None",
|
||||||
|
"TPM 1.2",
|
||||||
|
"TPM 2.0",
|
||||||
|
"PTT",
|
||||||
|
};
|
||||||
|
printf("%-20s : %s\n", "TPM type", tpm_type_strs[btg.tpm_type]);
|
||||||
|
print_btg_bool_param("TPM success", btg.tpm_success);
|
||||||
|
}
|
||||||
|
if (btg.verified_boot) {
|
||||||
|
print_btg_bool_param("NEM enabled", btg.nem_enabled);
|
||||||
|
if (btg.nem_enabled)
|
||||||
|
printf(CRED "Verified boot is enabled and ACM has enabled "
|
||||||
|
"Cache-As-RAM.\nYou can't flash other firmware!\n" RESET);
|
||||||
|
else
|
||||||
|
printf(CYEL "Verified boot is enabled, but ACM did not enable "
|
||||||
|
"Cache-As-RAM.\nIt might be possible to flash other firmware.\n"
|
||||||
|
RESET);
|
||||||
|
} else {
|
||||||
|
printf(CGRN "Your system is BootGuard ready but verified boot is disabled.\n"
|
||||||
|
"You can flash other firmware!\n" RESET);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
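Review bot: The `union { struct { u8 nem_enabled : 1; … } btg;` overlay onto `u64 raw` depends on bit-field packing that C11 leaves implementation-defined (whether the `u8` and `u32 : 24`/`u32 : 31` bit-fields share one storage unit, and from which end bits are allocated), so it appears to decode correctly only on compilers following the usual x86 LSB-first convention. Since the struct exists solely to pick bits out of an MSR word, explicit shifts and masks (e.g. a constructed `#define BTG_MEASURED_BOOT(x) (((x) >> 5) & 1)`) would state the layout in code rather than in the ABI; at minimum the union deserves a comment such as `/* Bit-field overlay of the BOOTGUARD_SACM_INFO MSR; assumes LSB-first packing (GCC/Clang on x86) */`. Separately, `btg` is declared without an initialiser, so the decoded fields are only defined if `msr_bootguard()` writes `*msr` on every path that returns 0 — its body is in another file, so `} btg = { .raw = 0 };` would keep the later checks well-defined regardless. dump_bootguard_info opens in the earlier hunk, and the lines between the two hunks are not shown.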
@ -48,11 +48,6 @@
|
||||||
#define ME_MESSAGE_LEN 256
|
#define ME_MESSAGE_LEN 256
|
||||||
|
|
||||||
extern int debug;
|
extern int debug;
|
||||||
static inline void print_cap(const char *name, int state)
|
|
||||||
{
|
|
||||||
printf("ME Capability: %-30s : %s\n",
|
|
||||||
name, state ? CRED "ON" RESET : CGRN "OFF" RESET);
|
|
||||||
}
|
|
||||||
|
|
||||||
#define PCI_VENDOR_ID_INTEL 0x8086
|
#define PCI_VENDOR_ID_INTEL 0x8086
|
||||||
|
|
||||||
|
@ -495,13 +490,3 @@ static inline void print_cap(const char *name, int state)
|
||||||
((x) == PCI_DEVICE_ID_INTEL_LEWISBURG_IE3) || \
|
((x) == PCI_DEVICE_ID_INTEL_LEWISBURG_IE3) || \
|
||||||
((x) == PCI_DEVICE_ID_INTEL_CANNONLAKE) || \
|
((x) == PCI_DEVICE_ID_INTEL_CANNONLAKE) || \
|
||||||
0)
|
0)
|
||||||
|
|
||||||
#define BOOTGUARD_DISABLED 0x400000000
|
|
||||||
#define BOOTGUARD_ENABLED_VERIFIED_MODE 0x100000000
|
|
||||||
#define BOOTGUARD_ENABLED_MEASUREMENT_MODE 0x200000000
|
|
||||||
#define BOOTGUARD_ENABLED_COMBI_MODE 0x300000000
|
|
||||||
#define BOOTGUARD_CAPABILITY(x) ( \
|
|
||||||
((x) == BOOTGUARD_DISABLED) || \
|
|
||||||
((x) == BOOTGUARD_ENABLED_VERIFIED_MODE) || \
|
|
||||||
((x) == BOOTGUARD_ENABLED_MEASUREMENT_MODE) || \
|
|
||||||
((x) == BOOTGUARD_ENABLED_COMBI_MODE))
|
|
||||||
|
|
|
@ -413,6 +413,12 @@ int mkhi_get_fw_version(int *major, int *minor)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void print_cap(const char *name, int state)
|
||||||
|
{
|
||||||
|
printf("ME Capability: %-30s : %s\n",
|
||||||
|
name, state ? CRED "ON" RESET : CGRN "OFF" RESET);
|
||||||
|
}
|
||||||
|
|
||||||
/* Get ME Firmware Capabilities */
|
/* Get ME Firmware Capabilities */
|
||||||
int mkhi_get_fwcaps(void)
|
int mkhi_get_fwcaps(void)
|
||||||
{
|
{
|
||||||
|
|
|
@ -39,7 +39,7 @@ static int rdmsr(int addr, uint64_t *msr)
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
int msr_bootguard(uint64_t *msr, int debug)
|
int msr_bootguard(uint64_t *msr)
|
||||||
{
|
{
|
||||||
|
|
||||||
#ifndef __DARWIN__
|
#ifndef __DARWIN__
|
||||||
|
@ -54,8 +54,5 @@ int msr_bootguard(uint64_t *msr, int debug)
|
||||||
return -1;
|
return -1;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (!debug)
|
|
||||||
*msr &= ~0xff;
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
|
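Review bot: `msr_bootguard()` now returns the unmasked MSR value to the caller, but neither this definition nor the declaration in msr.h documents which MSR is read or the failure contract, which matters now that the caller decodes individual bits from it. A header-side comment such as `/* Read the BOOTGUARD_SACM_INFO MSR into *msr. Returns 0 on success, -1 when the MSR cannot be read. */` would capture that. The body between the two hunks is outside the diff, so I cannot tell whether the `__DARWIN__` build leaves `*msr` untouched while still reaching `return 0;`; if it does, the comment should say so and callers must initialise the output before use.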
@ -13,5 +13,5 @@ typedef struct {
|
||||||
unsigned int ecx;
|
unsigned int ecx;
|
||||||
} regs_t;
|
} regs_t;
|
||||||
|
|
||||||
extern int msr_bootguard(uint64_t *msr, int debug);
|
extern int msr_bootguard(uint64_t *msr);
|
||||||
#endif
|
#endif
|
||||||
|
|