commit bccb6916feffa340be163cefa2654e014c485b79
author Arthur Heymans <arthur@aheymans.xyz> Tue Nov 24 17:37:11 2020 +0100
committer Patrick Georgi <pgeorgi@google.com> Mon Jan 04 23:09:22 2021 +0000
tree 1709df9da0b2ea38ca74fc0a43009404f3b35cd1
parent b513c53f31678a51111df3b7313dafb976854074

security/intel/txt/ramstage.c: Fix clearing secrets on CBNT

intel_txt_memory_has_secret() checks for ESTS.TXT_ESTS_WAKE_ERROR_STS
|| E2STS.TXT_E2STS_SECRET_STS and it looks like with CBNT the E2STS
bit can be set without the ESTS bit.

Change-Id: Iff4436501b84f5c209add845b3cd3a62782d17e6
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/47934
Reviewed-by: Jonathan Zhang <jonzhang@fb.com>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>

src/security/intel/txt/ramstage.c

diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c
index c33af89..cbc3a41 100644
--- a/src/security/intel/txt/ramstage.c
+++ b/src/security/intel/txt/ramstage.c
@@ -89,23 +89,21 @@
 	if (status & ACMSTS_TXT_DISABLED)
 		return;
 
-	/* Check for fatal ACM error and TXT reset */
-	if (get_wake_error_status()) {
-		/*
-		 * Check if secrets bit needs to be reset. Only platforms that support
-		 * CONFIG(PLATFORM_HAS_DRAM_CLEAR) will be able to run this code.
-		 * Assume all memory really was cleared.
-		 *
-		 * TXT will issue a platform reset to come up sober.
-		 */
-		if (intel_txt_memory_has_secrets()) {
-			printk(BIOS_INFO, "TEE-TXT: Wiping TEE...\n");
-			intel_txt_run_bios_acm(ACMINPUT_CLEAR_SECRETS);
+	/*
+	 * Check if secrets bit needs to be reset. Only platforms that support
+	 * CONFIG(PLATFORM_HAS_DRAM_CLEAR) will be able to run this code.
+	 * On some platforms FSP-M takes care of the DRAM clearing.
+	 * Assume all memory really was cleared.
+	 *
+	 * TXT will issue a platform reset to come up sober.
+	 */
+	if (intel_txt_memory_has_secrets()) {
+		printk(BIOS_INFO, "TEE-TXT: Wiping TEE...\n");
+		intel_txt_run_bios_acm(ACMINPUT_CLEAR_SECRETS);
 
-			/* Should never reach this point ... */
-			intel_txt_log_acm_error(read32((void *)TXT_BIOSACM_ERRORCODE));
-			die("Waiting for platform reset...\n");
-		}
+		/* Should never reach this point ... */
+		intel_txt_log_acm_error(read32((void *)TXT_BIOSACM_ERRORCODE));
+		die("Waiting for platform reset...\n");
 	}
 }