From 6c4028dd3ddf571ef2e992de8d9927b598f7cd6b Mon Sep 17 00:00:00 2001
From: Angel Pons <th3fanbus@gmail.com>
Date: Fri, 16 Oct 2020 11:52:40 +0200
Subject: sec/intel/txt: Only run LockConfig for LT-SX

LockConfig only exists on Intel TXT for Servers. Check whether this is
supported using GETSEC[PARAMETERS]. This eliminates a spurious error for
Client TXT platforms such as Haswell, and is a no-op on TXT for Servers.

Change-Id: Ibb7b0eeba1489dc522d06ab27eafcaa0248b7083
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46498
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
---
 src/security/intel/txt/ramstage.c     | 22 +++++++++++++++++-----
 src/security/intel/txt/txt_register.h |  3 +--
 2 files changed, 18 insertions(+), 7 deletions(-)

(limited to 'src')

diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c
index 86bf7aa428..76eeaaffef 100644
--- a/src/security/intel/txt/ramstage.c
+++ b/src/security/intel/txt/ramstage.c
@@ -316,6 +316,7 @@ static void lockdown_intel_txt(void *unused)
 {
 	const uint64_t status = read64((void *)TXT_SPAD);
 
+	uint32_t txt_feature_flags = 0;
 	uintptr_t tseg_base;
 	size_t tseg_size;
 
@@ -324,13 +325,24 @@ static void lockdown_intel_txt(void *unused)
 	if (status & ACMSTS_TXT_DISABLED)
 		return;
 
-	printk(BIOS_INFO, "TEE-TXT: Locking TEE...\n");
+	/*
+	 * Document Number: 558294
+	 * Chapter 5.4.3 Detection of Intel TXT Capability
+	 */
 
-	/* Lock TXT config, unlocks TXT_HEAP_BASE */
-	if (intel_txt_run_bios_acm(ACMINPUT_LOCK_CONFIG) < 0) {
-		printk(BIOS_ERR, "TEE-TXT: Failed to lock registers.\n");
-		printk(BIOS_ERR, "TEE-TXT: SINIT won't be supported.\n");
+	if (!getsec_parameter(NULL, NULL, NULL, NULL, NULL, &txt_feature_flags))
 		return;
+
+	/* LockConfig only exists on Intel TXT for Servers */
+	if (txt_feature_flags & GETSEC_PARAMS_TXT_EXT_CRTM_SUPPORT) {
+		printk(BIOS_INFO, "TEE-TXT: Locking TEE...\n");
+
+		/* Lock TXT config, unlocks TXT_HEAP_BASE */
+		if (intel_txt_run_bios_acm(ACMINPUT_LOCK_CONFIG) < 0) {
+			printk(BIOS_ERR, "TEE-TXT: Failed to lock registers.\n");
+			printk(BIOS_ERR, "TEE-TXT: SINIT won't be supported.\n");
+			return;
+		}
 	}
 
 	/*
diff --git a/src/security/intel/txt/txt_register.h b/src/security/intel/txt/txt_register.h
index bbf0a7e72d..c19ec13799 100644
--- a/src/security/intel/txt/txt_register.h
+++ b/src/security/intel/txt/txt_register.h
@@ -132,8 +132,7 @@
 #define IA32_GETSEC_SMCTRL		7
 #define IA32_GETSEC_WAKEUP		8
 
-#define GETSEC_PARAMS_TXT_EXT (1ul << 5)
-#define GETSEC_PARAMS_TXT_EXT_CRTM_SUPPORT (1ul << 1)
+#define GETSEC_PARAMS_TXT_EXT_CRTM_SUPPORT (1ul << 5)
 #define GETSEC_PARAMS_TXT_EXT_MACHINE_CHECK (1ul << 6)
 
 /* ACM defines */
-- 
cgit v1.2.3