sec/intel/txt: Always run SCHECK on regular boots

When Boot Guard is disabled or not available, the IBB might not even
exist. This is the case on traditional (non-ULT) Haswell, for example.

Leave the S3 resume check as-is for now. Skylake and newer may need to
run SCHECK on resume as well, but I lack the hardware to test this on.

Change-Id: I70231f60d4d4c5bc8ee0fcbb0651896256fdd391
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46497
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c
index c39194b..86bf7aa 100644
--- a/src/security/intel/txt/ramstage.c
+++ b/src/security/intel/txt/ramstage.c
@@ -168,15 +168,16 @@
 	}
 
 	if (status & (ACMSTS_BIOS_TRUSTED | ACMSTS_IBB_MEASURED)) {
+		printk(BIOS_INFO, "TEE-TXT: Logging IBB measurements...\n");
 		log_ibb_measurements();
+	}
 
-		int s3resume = acpi_is_wakeup_s3();
-		if (!s3resume) {
-			printk(BIOS_INFO, "TEE-TXT: Scheck...\n");
-			if (intel_txt_run_bios_acm(ACMINPUT_SCHECK) < 0) {
-				printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM.\n");
-				return;
-			}
+	int s3resume = acpi_is_wakeup_s3();
+	if (!s3resume) {
+		printk(BIOS_INFO, "TEE-TXT: Scheck...\n");
+		if (intel_txt_run_bios_acm(ACMINPUT_SCHECK) < 0) {
+			printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM.\n");
+			return;
 		}
 	}
 }
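Review bot: The `if (!s3resume)` condition carries no comment saying why SCHECK is skipped on S3 resume. The commit message says Skylake and newer may need it on resume as well, so a short TODO comment at that condition would keep the open question visible in the code rather than only in the history. Two smaller style points on the same block: `s3resume` is read exactly once, so the declaration could be folded into `if (!acpi_is_wakeup_s3())`, and the `return;` after the BIOS_ERR print is followed only by closing braces up to the end of the function, so as far as these lines show it has no effect and could be dropped.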