security/intel/txt: Add helper function to disable TXT

Add a function to disable TXT as per TXT BIOS spec Section 6.2.5. AP firmware can disable TXT if TXT fails or TPM is already enabled. On platforms with TXT disabled, the memory can be unlocked using MSR 0x2e6. TEST=Able to perform disable_txt on SoC SKUs with TXT enabled. Signed-off-by: Subrata Banik <subratabanik@google.com> Change-Id: I27f613428e82a1dd924172eab853d2ce9c32b473 Reviewed-on: https://review.coreboot.org/c/coreboot/+/71574 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Tarun Tuli <taruntuli@google.com> Reviewed-by: Sridhar Siricilla <sridhar.siricilla@intel.com> Reviewed-by: Eric Lai <eric_lai@quanta.corp-partner.google.com>
2022-12-31 14:43:57 +05:30 · 2022-12-31 14:43:57 +05:30 · ad87a82ca7
parent 93f12985e6
commit ad87a82ca7
3 changed files with 28 additions and 0 deletions
--- a/src/include/cpu/x86/msr.h
+++ b/src/include/cpu/x86/msr.h
@ -81,6 +81,7 @@
 #define  MCA_STATUS_LO_ERRCODE_EXT_SH	16
 #define  MCA_STATUS_LO_ERRCODE_EXT_MASK	(0x3f << MCA_STATUS_LO_ERRCODE_EXT_SH)
 #define  MCA_STATUS_LO_ERRCODE_MASK	(0xffff << 0)
+#define IA32_LT_UNLOCK_MEMORY		0x2e6
 #define IA32_MC0_ADDR			0x402
 #define IA32_MC_ADDR(bank)		(IA32_MC0_ADDR + 4 * (bank))
 #define IA32_MC0_MISC			0x403
--- a/src/security/intel/txt/txt.h
+++ b/src/security/intel/txt/txt.h
@ -30,5 +30,6 @@ bool intel_txt_prepare_txt_env(void);
 /* Allow platform override to skip TXT lockdown, e.g. required for RAS error injection. */
 bool skip_intel_txt_lockdown(void);
 const char *intel_txt_processor_error_type(uint8_t type);
+void disable_intel_txt(void);

 #endif /* SECURITY_INTEL_TXT_H_ */
--- a/src/security/intel/txt/txtlib.c
+++ b/src/security/intel/txt/txtlib.c
@ -44,3 +44,29 @@ bool is_txt_cpu(void)

 	return (ecx & (CPUID_SMX | CPUID_VMX)) == (CPUID_SMX | CPUID_VMX);
 }
+
+static void unlock_txt_memory(void)
+{
+	msr_t msrval = {0};
+
+	wrmsr(IA32_LT_UNLOCK_MEMORY, msrval);
+}
+
+void disable_intel_txt(void)
+{
+	/* Return if the CPU doesn't support TXT */
+	if (!is_txt_cpu()) {
+		printk(BIOS_DEBUG, "Abort disabling TXT, as CPU is not TXT capable.\n");
+		return;
+	}
+
+	/*
+	 * Memory is supposed to be locked if system is TXT capable
+	 * As per TXT BIOS spec Section 6.2.5 unlock memory
+	 * when security (TPM) is set and TXT is not enabled.
+	 */
+	if (!is_establishment_bit_asserted()) {
+		unlock_txt_memory();
+		printk(BIOS_INFO, "TXT disabled successfully - Unlocked memory\n");
+	}
+}