sec/intel/txt: Only run LockConfig for LT-SX
LockConfig only exists on Intel TXT for Servers. Check whether this is
supported using GETSEC[PARAMETERS]. This eliminates a spurious error for
Client TXT platforms such as Haswell, and is a no-op on TXT for Servers.
Change-Id: Ibb7b0eeba1489dc522d06ab27eafcaa0248b7083
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46498
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c
index 86bf7aa..76eeaaf 100644
--- a/src/security/intel/txt/ramstage.c
+++ b/src/security/intel/txt/ramstage.c
@@ -316,6 +316,7 @@
{
const uint64_t status = read64((void *)TXT_SPAD);
+ uint32_t txt_feature_flags = 0;
uintptr_t tseg_base;
size_t tseg_size;
@@ -324,13 +325,24 @@
if (status & ACMSTS_TXT_DISABLED)
return;
- printk(BIOS_INFO, "TEE-TXT: Locking TEE...\n");
+ /*
+ * Document Number: 558294
+ * Chapter 5.4.3 Detection of Intel TXT Capability
+ */
- /* Lock TXT config, unlocks TXT_HEAP_BASE */
- if (intel_txt_run_bios_acm(ACMINPUT_LOCK_CONFIG) < 0) {
- printk(BIOS_ERR, "TEE-TXT: Failed to lock registers.\n");
- printk(BIOS_ERR, "TEE-TXT: SINIT won't be supported.\n");
+ if (!getsec_parameter(NULL, NULL, NULL, NULL, NULL, &txt_feature_flags))
return;
+
+ /* LockConfig only exists on Intel TXT for Servers */
+ if (txt_feature_flags & GETSEC_PARAMS_TXT_EXT_CRTM_SUPPORT) {
+ printk(BIOS_INFO, "TEE-TXT: Locking TEE...\n");
+
+ /* Lock TXT config, unlocks TXT_HEAP_BASE */
+ if (intel_txt_run_bios_acm(ACMINPUT_LOCK_CONFIG) < 0) {
+ printk(BIOS_ERR, "TEE-TXT: Failed to lock registers.\n");
+ printk(BIOS_ERR, "TEE-TXT: SINIT won't be supported.\n");
+ return;
+ }
}
/*