diff options
author | Angel Pons <th3fanbus@gmail.com> | 2020-10-21 00:19:00 +0200 |
---|---|---|
committer | Angel Pons <th3fanbus@gmail.com> | 2020-10-22 20:06:26 +0000 |
commit | 01490258bb26a1bbb7b41e0cf8100ec4d42082cb (patch) | |
tree | 823ee3ae9597ac761f009bb2c73daa5136a48ede /src | |
parent | 7b4d67cf42d7bb0718f2542075f76e5b0cb56548 (diff) | |
download | coreboot-01490258bb26a1bbb7b41e0cf8100ec4d42082cb.tar.xz |
sec/intel/txt: Add `enable_getsec_or_reset` function
This can be used to enable GETSEC/SMX in the IA32_FEATURE_CONTROL MSR,
and will be put to use on Haswell in subsequent commits.
Change-Id: I5a82e515c6352b6ebbc361c6a53ff528c4b6cdba
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46606
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Diffstat (limited to 'src')
-rw-r--r-- | src/security/intel/txt/getsec.c | 31 | ||||
-rw-r--r-- | src/security/intel/txt/txt_getsec.h | 2 |
2 files changed, 33 insertions, 0 deletions
diff --git a/src/security/intel/txt/getsec.c b/src/security/intel/txt/getsec.c index 422f10d7c8..af9b7bb471 100644 --- a/src/security/intel/txt/getsec.c +++ b/src/security/intel/txt/getsec.c @@ -1,9 +1,13 @@ /* SPDX-License-Identifier: GPL-2.0-only */ +#include <cf9_reset.h> +#include <console/console.h> +#include <cpu/intel/common/common.h> #include <cpu/x86/lapic.h> #include <cpu/x86/cr.h> #include <cpu/x86/cache.h> #include <cpu/x86/mp.h> +#include <cpu/x86/msr.h> #include <types.h> #include "txt_register.h" @@ -40,6 +44,33 @@ static bool getsec_enabled(void) return true; } +void enable_getsec_or_reset(void) +{ + msr_t msr = rdmsr(IA32_FEATURE_CONTROL); + + if (!(msr.lo & FEATURE_CONTROL_LOCK_BIT)) { + /* + * MSR not locked, enable necessary GETSEC and VMX settings. + * We do not lock this MSR here, though. + */ + msr.lo |= 0xff06; + wrmsr(IA32_FEATURE_CONTROL, msr); + + } else if ((msr.lo & 0xff06) != 0xff06) { + /* + * MSR is locked without necessary GETSEC and VMX settings. + * This can happen after internally reflashing a coreboot + * image with different settings, and then doing a warm + * reboot. Perform a full reset in order to unlock the MSR. + */ + printk(BIOS_NOTICE, + "IA32_FEATURE_CONTROL MSR locked with GETSEC and/or VMX disabled.\n" + "Will perform a full reset to unlock this MSR.\n"); + + full_reset(); + } +} + /** * Get information as returned by getsec[PARAMETER]. * Arguments can be set to NULL if not needed. diff --git a/src/security/intel/txt/txt_getsec.h b/src/security/intel/txt/txt_getsec.h index 8e663d51b0..78171a7d5a 100644 --- a/src/security/intel/txt/txt_getsec.h +++ b/src/security/intel/txt/txt_getsec.h @@ -5,6 +5,8 @@ #include <types.h> +void enable_getsec_or_reset(void); + bool getsec_parameter(uint32_t *version_mask, uint32_t *version_numbers_supported, uint32_t *max_size_acm_area, |