GNUBoot
/
coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sec/intel/txt: Always run SCHECK on regular boots 

When Boot Guard is disabled or not available, the IBB might not even
exist. This is the case on traditional (non-ULT) Haswell, for example.

Leave the S3 resume check as-is for now. Skylake and newer may need to
run SCHECK on resume as well, but I lack the hardware to test this on.

Change-Id: I70231f60d4d4c5bc8ee0fcbb0651896256fdd391
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46497
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
This commit is contained in:
Angel Pons 2020-10-16 10:58:57 +02:00
parent 8a285fd8a5
commit e70a3f8822
1 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/security/intel/txt/ramstage.c
View File

@ -168,15 +168,16 @@ static void init_intel_txt(void *unused)
} }
if (status & (ACMSTS_BIOS_TRUSTED | ACMSTS_IBB_MEASURED)) { if (status & (ACMSTS_BIOS_TRUSTED | ACMSTS_IBB_MEASURED)) {
printk(BIOS_INFO, "TEE-TXT: Logging IBB measurements...\n");
log_ibb_measurements(); log_ibb_measurements();
}
int s3resume = acpi_is_wakeup_s3(); int s3resume = acpi_is_wakeup_s3();
if (!s3resume) { if (!s3resume) {
printk(BIOS_INFO, "TEE-TXT: Scheck...\n"); printk(BIOS_INFO, "TEE-TXT: Scheck...\n");
if (intel_txt_run_bios_acm(ACMINPUT_SCHECK) < 0) { if (intel_txt_run_bios_acm(ACMINPUT_SCHECK) < 0) {
printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM.\n"); printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM.\n");
return; return;
}
} }
} }
} }