diff --git a/src/include/cpu/x86/msr.h b/src/include/cpu/x86/msr.h
index 33eb457f1a..d369972908 100644
--- a/src/include/cpu/x86/msr.h
+++ b/src/include/cpu/x86/msr.h
@@ -81,6 +81,7 @@
 #define MCA_STATUS_LO_ERRCODE_EXT_SH 16
 #define MCA_STATUS_LO_ERRCODE_EXT_MASK (0x3f << MCA_STATUS_LO_ERRCODE_EXT_SH)
 #define MCA_STATUS_LO_ERRCODE_MASK (0xffff << 0)
+#define IA32_LT_UNLOCK_MEMORY 0x2e6
 #define IA32_MC0_ADDR 0x402
 #define IA32_MC_ADDR(bank) (IA32_MC0_ADDR + 4 * (bank))
 #define IA32_MC0_MISC 0x403
diff --git a/src/security/intel/txt/txt.h b/src/security/intel/txt/txt.h
index 64e507d2b3..63e5bcda5b 100644
--- a/src/security/intel/txt/txt.h
+++ b/src/security/intel/txt/txt.h
@@ -30,5 +30,6 @@ bool intel_txt_prepare_txt_env(void);
 /* Allow platform override to skip TXT lockdown, e.g. required for RAS error injection. */
 bool skip_intel_txt_lockdown(void);
 const char *intel_txt_processor_error_type(uint8_t type);
+void disable_intel_txt(void);
 #endif /* SECURITY_INTEL_TXT_H_ */
diff --git a/src/security/intel/txt/txtlib.c b/src/security/intel/txt/txtlib.c
index 3ec2322f77..5478206ee2 100644
--- a/src/security/intel/txt/txtlib.c
+++ b/src/security/intel/txt/txtlib.c
@@ -44,3 +44,29 @@ bool is_txt_cpu(void)
 return (ecx & (CPUID_SMX | CPUID_VMX)) == (CPUID_SMX | CPUID_VMX);
 }
+
+static void unlock_txt_memory(void)
+{
+ msr_t msrval = {0};
+
+ wrmsr(IA32_LT_UNLOCK_MEMORY, msrval);
+}
+
+void disable_intel_txt(void)
+{
+ /* Return if the CPU doesn't support TXT */
+ if (!is_txt_cpu()) {
+ printk(BIOS_DEBUG, "Abort disabling TXT, as CPU is not TXT capable.\n");
+ return;
+ }
+
+ /*
+ * Memory is supposed to be locked if system is TXT capable
+ * As per TXT BIOS spec Section 6.2.5 unlock memory
+ * when security (TPM) is set and TXT is not enabled.
+ */
+ if (!is_establishment_bit_asserted()) {
+ unlock_txt_memory();
+ printk(BIOS_INFO, "TXT disabled successfully - Unlocked memory\n");
+ }
+}
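Review bot: The new prototype `void disable_intel_txt(void);` in txt.h has no comment, unlike `skip_intel_txt_lockdown()` just above it, and its name promises more than the implementation in txtlib.c does. As written there, the function only writes `IA32_LT_UNLOCK_MEMORY`, and only when the CPU reports SMX and VMX and the establishment bit is not asserted; in every other case it returns without changing anything. I would add a comment above the declaration along the lines of `/* Unlock TXT-locked memory if the CPU is TXT capable and the establishment bit is clear; otherwise a no-op. */` so platform code calling it does not assume TXT is always off afterwards.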
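Review bot: In `disable_intel_txt()` the case where `is_establishment_bit_asserted()` returns true falls through silently: memory stays locked, nothing is logged, and the `void` return gives the caller no way to notice. Since this is a security-relevant state change, I would add `} else {` with `printk(BIOS_ERR, "Can't disable TXT - establishment bit asserted, memory left locked\n");` so the outcome is visible in the boot log. The block comment also describes the condition as "security (TPM) is set and TXT is not enabled", while the code tests only the establishment bit. That helper is defined outside this hunk, so the comment should say what the bit's state means here, for example `/* Only unlock when the TPM establishment bit is clear. */`.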