diff options
author | Michael Niewöhner <foss@mniewoehner.de> | 2019-10-22 23:05:06 +0200 |
---|---|---|
committer | Nico Huber <nico.h@gmx.de> | 2019-11-04 19:25:02 +0000 |
commit | 7736bfc443a913a9cde46406bcfc38015ec71f47 (patch) | |
tree | 5b107551301bbaadc538b0c2ac7c52125462beb3 /src/soc/intel/common | |
parent | e75a64f822931a5fbdd80f20c4d168a5c346e01a (diff) | |
download | coreboot-7736bfc443a913a9cde46406bcfc38015ec71f47.tar.xz |
soc/intel/sgx: convert SGX and PRMRR devicetree options to Kconfig
The devicetree is not made for user-choosable options, thus introduce
Kconfig options for both SGX and the corresponding PRMRR size.
The PRMRR size Kconfig has been implemented as a maximum value. At
runtime the final PRMRR size gets selected by checking the supported
values in MSR_PRMRR_VALID_CONFIG and trying to select the value nearest
to the chosen one.
When "Maximum" is chosen, the highest possibly value from the MSR gets
used. When a too strict limit is set, coreboot will die, printing an
error message.
Tested successfully on X11SSM-F
Change-Id: I5f08e85898304bba6680075ca5d6bce26aef9a4d
Signed-off-by: Michael Niewöhner <foss@mniewoehner.de>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35799
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
Diffstat (limited to 'src/soc/intel/common')
-rw-r--r-- | src/soc/intel/common/block/cpu/Makefile.inc | 1 | ||||
-rw-r--r-- | src/soc/intel/common/block/cpu/cpulib.c | 41 | ||||
-rw-r--r-- | src/soc/intel/common/block/include/intelblocks/cpulib.h | 4 | ||||
-rw-r--r-- | src/soc/intel/common/block/include/intelblocks/msr.h | 1 | ||||
-rw-r--r-- | src/soc/intel/common/block/sgx/Kconfig | 62 | ||||
-rw-r--r-- | src/soc/intel/common/block/sgx/sgx.c | 2 |
6 files changed, 107 insertions, 4 deletions
diff --git a/src/soc/intel/common/block/cpu/Makefile.inc b/src/soc/intel/common/block/cpu/Makefile.inc index a6c4f37cc4..f263053430 100644 --- a/src/soc/intel/common/block/cpu/Makefile.inc +++ b/src/soc/intel/common/block/cpu/Makefile.inc @@ -7,6 +7,7 @@ romstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_CAR) += car/exit_car.S romstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_CPU) += cpulib.c postcar-$(CONFIG_SOC_INTEL_COMMON_BLOCK_CAR) += car/exit_car.S +postcar-$(CONFIG_SOC_INTEL_COMMON_BLOCK_CPU) += cpulib.c postcar-$(CONFIG_FSP_CAR) += car/exit_car_fsp.S ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_CPU) += cpulib.c diff --git a/src/soc/intel/common/block/cpu/cpulib.c b/src/soc/intel/common/block/cpu/cpulib.c index 71e4dbf01b..89732f145a 100644 --- a/src/soc/intel/common/block/cpu/cpulib.c +++ b/src/soc/intel/common/block/cpu/cpulib.c @@ -325,3 +325,44 @@ void cpu_lt_lock_memory(void *unused) { msr_set_bit(MSR_LT_CONTROL, LT_CONTROL_LOCK_BIT); } + +int get_prmrr_size(void) +{ + msr_t msr; + int i; + int valid_size; + + if (CONFIG(SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_DISABLED)) { + printk(BIOS_DEBUG, "PRMRR disabled by config.\n"); + return 0; + } + + msr = rdmsr(MSR_PRMRR_VALID_CONFIG); + if (!msr.lo) { + printk(BIOS_WARNING, "PRMRR not supported.\n"); + return 0; + } + + printk(BIOS_DEBUG, "MSR_PRMRR_VALID_CONFIG = 0x%08x\n", msr.lo); + + /* find the first (greatest) value that is lower than or equal to the selected size */ + for (i = 8; i >= 0; i--) { + valid_size = msr.lo & (1 << i); + + if (valid_size && valid_size <= CONFIG_SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE) + break; + else if (i == 0) + valid_size = 0; + } + + /* die if we could not find a valid size within the limit */ + if (!valid_size) + die("Unsupported PRMRR size limit %i MiB, check your config!\n", + CONFIG_SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE); + + printk(BIOS_DEBUG, "PRMRR size set to %i MiB\n", valid_size); + + valid_size *= MiB; + + return valid_size; +} diff --git a/src/soc/intel/common/block/include/intelblocks/cpulib.h b/src/soc/intel/common/block/include/intelblocks/cpulib.h index 1aa88e156d..a422094b26 100644 --- a/src/soc/intel/common/block/include/intelblocks/cpulib.h +++ b/src/soc/intel/common/block/include/intelblocks/cpulib.h @@ -18,6 +18,7 @@ #define SOC_INTEL_COMMON_BLOCK_CPULIB_H #include <stdint.h> +#include <stddef.h> /* * Set PERF_CTL MSR (0x199) P_Req with @@ -164,4 +165,7 @@ void mca_configure(void); /* Lock chipset memory registers to protect SMM */ void cpu_lt_lock_memory(void *unused); +/* Get the a supported PRMRR size in bytes with respect users choice */ +int get_prmrr_size(void); + #endif /* SOC_INTEL_COMMON_BLOCK_CPULIB_H */ diff --git a/src/soc/intel/common/block/include/intelblocks/msr.h b/src/soc/intel/common/block/include/intelblocks/msr.h index 3e67fd779d..8902d0992f 100644 --- a/src/soc/intel/common/block/include/intelblocks/msr.h +++ b/src/soc/intel/common/block/include/intelblocks/msr.h @@ -64,6 +64,7 @@ #define MSR_PRMRR_PHYS_MASK 0x1f5 #define PRMRR_PHYS_MASK_LOCK (1 << 10) #define PRMRR_PHYS_MASK_VALID (1 << 11) +#define MSR_PRMRR_VALID_CONFIG 0x1fb #define MSR_POWER_CTL 0x1fc #define POWER_CTL_C1E_MASK (1 << 1) #define MSR_EVICT_CTL 0x2e0 diff --git a/src/soc/intel/common/block/sgx/Kconfig b/src/soc/intel/common/block/sgx/Kconfig index 026c6afb0d..6e8323f333 100644 --- a/src/soc/intel/common/block/sgx/Kconfig +++ b/src/soc/intel/common/block/sgx/Kconfig @@ -4,9 +4,7 @@ config SOC_INTEL_COMMON_BLOCK_SGX select CPU_INTEL_COMMON_HYPERTHREADING default n help - Software Guard eXtension(SGX) Feature. Intel SGX is a set of new CPU - instructions that can be used by applications to set aside private - regions of code and data. + Intel Processor common SGX support config SOC_INTEL_COMMON_BLOCK_SGX_LOCK_MEMORY bool @@ -14,3 +12,61 @@ config SOC_INTEL_COMMON_BLOCK_SGX_LOCK_MEMORY default n help Lock memory before SGX activation. This is only needed if MCHECK does not do it. + +config SOC_INTEL_COMMON_BLOCK_SGX_ENABLE + bool "Enable Software Guard Extensions (SGX) if available" + depends on SOC_INTEL_COMMON_BLOCK_SGX + default n + help + Intel Software Guard Extensions (SGX) is a set of new CPU instructions that can be + used by applications to set aside private regions (so-called Secure Enclaves) of + code and data. + + SGX will only be enabled when supported by the CPU! + +config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE + int + default 256 if SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_MAX + default 256 if SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_256MB + default 128 if SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_128MB + default 64 if SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_64MB + default 32 if SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_32MB + default 1 if SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_1MB + +choice + prompt "PRMRR size" + default SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_MAX if SOC_INTEL_COMMON_BLOCK_SGX_ENABLE + default SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_DISABLED if !SOC_INTEL_COMMON_BLOCK_SGX_ENABLE + help + PRMRR (Protected Memory Range) is the space in RAM that is used to provide a protected + memory area (e.g. for the Intel SGX Secure Enclaves). The memory region is accessible + only by the processor itself to protect the data from unauthorized access. + + This option selects the maximum size that gets reserved. Depending on the SoC a lower, + compatible value may be chosen at runtime as not all values are supported on all + families. + +config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_MAX + bool "Maximum" + +config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_256MB + bool "256 MiB" + +config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_128MB + bool "128 MiB" + +config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_64MB + bool "64 MiB" + +config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_32MB + bool "32 MiB" + +config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_1MB + depends on !SOC_INTEL_COMMON_BLOCK_SGX_ENABLE # SGX depends on PRMRR >= 32 MiB + bool "1 MiB" + +config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_DISABLED + depends on !SOC_INTEL_COMMON_BLOCK_SGX_ENABLE # SGX depends on PRMRR >= 32 MiB + bool "Disabled" + +endchoice diff --git a/src/soc/intel/common/block/sgx/sgx.c b/src/soc/intel/common/block/sgx/sgx.c index 842eb43994..6f0cfd8f0e 100644 --- a/src/soc/intel/common/block/sgx/sgx.c +++ b/src/soc/intel/common/block/sgx/sgx.c @@ -206,7 +206,7 @@ void sgx_configure(void *unused) { if (!is_sgx_supported() || !is_prmrr_set()) { - printk(BIOS_ERR, "SGX: pre-conditions not met\n"); + printk(BIOS_ERR, "SGX: not supported or pre-conditions not met\n"); return; } |