diff options
Diffstat (limited to 'src/security/intel')
-rw-r--r-- | src/security/intel/txt/ramstage.c | 41 | ||||
-rw-r--r-- | src/security/intel/txt/txt_platform.h | 12 |
2 files changed, 46 insertions, 7 deletions
diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c index 263bc9daa6..f532a2fbd8 100644 --- a/src/security/intel/txt/ramstage.c +++ b/src/security/intel/txt/ramstage.c @@ -13,6 +13,7 @@ #include <types.h> #include "txt.h" +#include "txt_platform.h" #include "txt_register.h" #include "txt_getsec.h" @@ -233,16 +234,42 @@ static void lockdown_intel_txt(void *unused) printk(BIOS_INFO, "TEE-TXT: DPR capable %x\n", dpr_capable); if (dpr_capable) { - /* Protect 3 MiB below TSEG and lock register */ - union dpr_register dpr = { - .lock = 1, - .size = 3, - .top = tseg_base / MiB, - }; - write64((void *)TXT_DPR, dpr.raw); + /* Verify the DPR settings on the MCH and mirror them to TXT public space */ + union dpr_register dpr = txt_get_chipset_dpr(); + + printk(BIOS_DEBUG, "TEE-TXT: MCH DPR 0x%08x\n", dpr.raw); + + printk(BIOS_DEBUG, "TEE-TXT: MCH DPR base @ 0x%08x size %u MiB\n", + (dpr.top - dpr.size) * MiB, dpr.size); // DPR TODO: implement SA_ENABLE_DPR in the intelblocks + if (!dpr.lock) { + printk(BIOS_ERR, "TEE-TXT: MCH DPR not locked.\n"); + return; + } + + if (!dpr.epm || !dpr.prs) { + printk(BIOS_ERR, "TEE-TXT: MCH DPR protection not active.\n"); + return; + } + + if (dpr.size < 3) { + printk(BIOS_ERR, "TEE-TXT: MCH DPR configured size is too small.\n"); + return; + } + + if (dpr.top * MiB != tseg_base) { + printk(BIOS_ERR, "TEE-TXT: MCH DPR top does not equal TSEG base.\n"); + return; + } + + /* Clear reserved bits */ + dpr.prs = 0; + dpr.epm = 0; + + write64((void *)TXT_DPR, dpr.raw); + printk(BIOS_INFO, "TEE-TXT: TXT.DPR 0x%08x\n", read32((void *)TXT_DPR)); } diff --git a/src/security/intel/txt/txt_platform.h b/src/security/intel/txt/txt_platform.h new file mode 100644 index 0000000000..8881cab331 --- /dev/null +++ b/src/security/intel/txt/txt_platform.h @@ -0,0 +1,12 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ + +#ifndef __SECURITY_INTEL_TXT_PLATFORM_H__ +#define __SECURITY_INTEL_TXT_PLATFORM_H__ + +#include <types.h> +#include "txt_register.h" + +/* Prototypes to be defined in chipset code */ +union dpr_register txt_get_chipset_dpr(void); + +#endif /* __SECURITY_INTEL_TXT_PLATFORM_H__ */ |