1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
/** @file
EFI 2.0 PEIM to initialize the cache and load the BSP microcode
@copyright
Copyright (c) 1999 - 2013 Intel Corporation. All rights reserved
This software and associated documentation (if any) is furnished
under a license and may only be used or copied in accordance
with the terms of the license. Except as permitted by such
license, no part of this software or documentation may be
reproduced, stored in a retrieval system, or transmitted in any
form or by any means without the express written consent of
Intel Corporation.
This file contains an 'Intel Pre-EFI Module' and is licensed
for Intel CPUs and Chipsets under the terms of your license
agreement with Intel or your vendor. This file may be
modified by the user, subject to additional terms of the
license agreement
**/
///
/// External include files do NOT need to be explicitly specified in real EDKII
/// environment
///
#if !defined(EDK_RELEASE_VERSION) || (EDK_RELEASE_VERSION < 0x00020000)
#include "EdkIIGluePeim.h"
#include "CpuInitPeim.h"
#include "CpuAccess.h"
#include "BootGuardLibrary.h"
#include "MeAccess.h"
#include "HeciRegs.h"
#endif
VOID
BootGuardInit (
IN EFI_PEI_SERVICES **PeiServices,
IN PEI_CPU_PLATFORM_POLICY_PPI *CpuPlatformPolicyPpi
)
/**
Perform the platform spefific initializations.
@param[in] PeiServices - Indirect reference to the PEI Services Table.
@param[in] CpuPlatformPolicyPpi - Platform Policy PPI
**/
{
UINT32 MsrValue;
UINT32 MeFwSts4;
UINT32 BootGuardAcmStatus;
if (CpuPlatformPolicyPpi->SecurityConfig->BootGuardConfig == NULL) {
return;
}
///
/// Check if System Supports Boot Guard
///
if( IsBootGuardSupported() ) {
CpuPlatformPolicyPpi->SecurityConfig->BootGuardConfig->BootGuardSupport = TRUE;
BootGuardAcmStatus = *(UINT32 *) (UINTN) (TXT_PUBLIC_BASE + R_CPU_BOOT_GUARD_ACM_STATUS);
DEBUG ((EFI_D_INFO, "Boot Guard ACM Status = %x\n", BootGuardAcmStatus));
///
/// Check Bit 12 in ME FWSTS4 to check if TPM_DISCONNECT_ALL bit is set
/// or ENF Shutdown path is taken by ME FW.
/// Also Identify any failures in ACM
///
MeFwSts4 = HeciPciRead32(R_ME_HFS_4);
DEBUG ((EFI_D_INFO, "ME FW STS 4 = %x\n", MeFwSts4));
if((MeFwSts4 & (B_TPM_DISCONNECT | B_BOOT_GUARD_ENF_MASK)) || (BootGuardAcmStatus & B_BOOT_GUARD_ACM_ERRORCODE_MASK)) {
DEBUG ((EFI_D_INFO, "All TPM's on Platform are Disconnected\n"));
CpuPlatformPolicyPpi->SecurityConfig->BootGuardConfig->DisconnectAllTpms = TRUE;
}
CpuPlatformPolicyPpi->SecurityConfig->BootGuardConfig->BypassTpmInit = FALSE;
CpuPlatformPolicyPpi->SecurityConfig->BootGuardConfig->MeasuredBoot = FALSE;
if(MeFwSts4 & BIT10) {
DEBUG ((EFI_D_INFO, "Sx Resume Type Identified - TPM Event Log not required for ACM Measurements\n"));
CpuPlatformPolicyPpi->SecurityConfig->BootGuardConfig->ByPassTpmEventLog = TRUE;
}
///
/// Check bit 0 of BOOT_GUARD_SACM_INFO MSR if system is in Boot Guard boot mode
///
MsrValue = (UINT32) AsmReadMsr64 (MSR_BOOT_GUARD_SACM_INFO);
DEBUG ((EFI_D_INFO, "MSR_BOOT_GUARD_SACM_INFO MSR = %x\n", MsrValue));
if ( (MsrValue & B_NEM_INIT) == 0 ) {
DEBUG ((EFI_D_INFO, "NEM is not initiated by Boot Guard ACM\n"));
}
if (MsrValue & B_MEASURED) {
CpuPlatformPolicyPpi->SecurityConfig->BootGuardConfig->MeasuredBoot = TRUE;
///
/// if measured bit is set, BIOS needs to bypass startup command
///
if (MsrValue & B_TPM_SUCCESS) {
CpuPlatformPolicyPpi->SecurityConfig->BootGuardConfig->BypassTpmInit = TRUE;
}
///
/// Read present TPM type
///
CpuPlatformPolicyPpi->SecurityConfig->BootGuardConfig->TpmType = (TPM_TYPE) ( (MsrValue & V_TPM_PRESENT_MASK) >> 1 );
DEBUG ((EFI_D_INFO, "TPM Type is %x\n", CpuPlatformPolicyPpi->SecurityConfig->BootGuardConfig->TpmType));
}
} else {
CpuPlatformPolicyPpi->SecurityConfig->BootGuardConfig->BootGuardSupport = FALSE;
}
return;
}
|