Gitiles
Code Review Sign In
review.coreboot.org / coreboot / 463e44bedbf3d5f24b8e6e19475b5155b523309a / . / src / security / intel / txt / ramstage.c
blob: bc30da5c13d98802f27455727ab897d333814df5 [file] [log] [blame]
Philipp Deppenwiese5f9f7762018-11-20 14:22:15 +0100[diff] [blame]1/* SPDX-License-Identifier: GPL-2.0-only */
2
Philipp Deppenwiese5f9f7762018-11-20 14:22:15 +0100[diff] [blame]3#include <acpi/acpi.h>
Angel Pons52082be2020-10-05 12:34:29 +0200[diff] [blame]4#include <arch/mmio.h>
Philipp Deppenwiese5f9f7762018-11-20 14:22:15 +0100[diff] [blame]5#include <bootmem.h>
Angel Pons52082be2020-10-05 12:34:29 +0200[diff] [blame]6#include <bootstate.h>
Philipp Deppenwiese5f9f7762018-11-20 14:22:15 +0100[diff] [blame]7#include <cbfs.h>
Angel Pons52082be2020-10-05 12:34:29 +0200[diff] [blame]8#include <console/console.h>
Philipp Deppenwiese5f9f7762018-11-20 14:22:15 +0100[diff] [blame]9#include <cpu/intel/common/common.h>
10#include <cpu/x86/msr.h>
Philipp Deppenwiese5f9f7762018-11-20 14:22:15 +0100[diff] [blame]11#include <device/pci_ops.h>
Angel Pons52082be2020-10-05 12:34:29 +0200[diff] [blame]12#include <types.h>
Philipp Deppenwiese5f9f7762018-11-20 14:22:15 +0100[diff] [blame]13
14#include "txt.h"
15#include "txt_register.h"
16#include "txt_getsec.h"
17
18/* FIXME: Seems to work only on some platforms */
19static void log_ibb_measurements(void)
20{
21 const uint64_t mseg_size = read64((void *)TXT_MSEG_SIZE);
22 uint64_t mseg_base = read64((void *)TXT_MSEG_BASE);
23
24 if (!mseg_size || !mseg_base || mseg_size <= mseg_base)
25 return;
26 /*
27 * MSEG SIZE and MSEG BASE might contain random values.
28 * Assume below 4GiB and 8byte aligned.
29 */
30 if (mseg_base & ~0xfffffff8ULL || mseg_size & ~0xfffffff8ULL)
31 return;
32
33 printk(BIOS_INFO, "TEE-TXT: IBB Hash 0x");
34 for (; mseg_base < mseg_size; mseg_base++)
35 printk(BIOS_INFO, "%02X", read8((void *)(uintptr_t)mseg_base));
36
37 printk(BIOS_INFO, "\n");
38}
39
40void bootmem_platform_add_ranges(void)
41{
42 uint64_t status = read64((void *)TXT_SPAD);
43
44 if (status & ACMSTS_TXT_DISABLED)
45 return;
46
47 /* Chapter 5.5.5 Intel TXT reserved memory */
48 bootmem_add_range(TXT_RESERVED_SPACE,
49 TXT_RESERVED_SPACE_SIZE,
50 BM_MEM_RESERVED);
51
52 /* Intel TPM decode memory */
53 bootmem_add_range(TXT_TPM_DECODE_AREA,
54 TXT_RESERVED_SPACE - TXT_TPM_DECODE_AREA,
55 BM_MEM_RESERVED);
56
57 /* Intel TXT public space memory */
58 bootmem_add_range(TXT_PUBLIC_SPACE,
59 TXT_TPM_DECODE_AREA - TXT_PUBLIC_SPACE,
60 BM_MEM_RESERVED);
61
62 /* Intel TXT private space memory */
63 bootmem_add_range(TXT_PRIVATE_SPACE,
64 TXT_PUBLIC_SPACE - TXT_PRIVATE_SPACE,
65 BM_MEM_RESERVED);
66
Angel Pons463e44b2020-10-05 13:58:16 +0200[diff] [blame^]67 const union dpr_register dpr = {
68 .raw = read32((void *)TXT_DPR),
69 };
70
71 const uint32_t dpr_base = dpr.top - dpr.size * MiB;
Philipp Deppenwiese5f9f7762018-11-20 14:22:15 +0100[diff] [blame]72
73 /* Chapter 5.5.6 Intel TXT Device Memory */
Angel Pons463e44b2020-10-05 13:58:16 +0200[diff] [blame^]74 bootmem_add_range(dpr_base, dpr.size * MiB, BM_MEM_RESERVED);
Philipp Deppenwiese5f9f7762018-11-20 14:22:15 +0100[diff] [blame]75}
76
77static bool get_wake_error_status(void)
78{
79 const uint8_t error = read8((void *)TXT_ESTS);
80 return !!(error & TXT_ESTS_WAKE_ERROR_STS);
81}
82
83static void check_secrets_txt(void *unused)
84{
85 uint64_t status = read64((void *)TXT_SPAD);
86
87 if (status & ACMSTS_TXT_DISABLED)
88 return;
89
90 /* Check for fatal ACM error and TXT reset */
91 if (get_wake_error_status()) {
92 /*
93 * Check if secrets bit needs to be reset. Only platforms that support
94 * CONFIG(PLATFORM_HAS_DRAM_CLEAR) will be able to run this code.
95 * Assume all memory really was cleared.
96 *
97 * TXT will issue a platform reset to come up sober.
98 */
99 if (intel_txt_memory_has_secrets()) {
100 printk(BIOS_INFO, "TEE-TXT: Wiping TEE...\n");
101 intel_txt_run_bios_acm(ACMINPUT_CLEAR_SECRETS);
102
103 /* Should never reach this point ... */
104 intel_txt_log_acm_error(read32((void *)TXT_BIOSACM_ERRORCODE));
105 die("Waiting for platform reset...\n");
106 }
107 }
108}
109
110BOOT_STATE_INIT_ENTRY(BS_POST_DEVICE, BS_ON_ENTRY, check_secrets_txt, NULL);
111
112/**
113 * Log TXT startup errors, check all bits for TXT, run BIOSACM using
114 * GETSEC[ENTERACCS].
115 *
116 * If a "TXT reset" is detected or "memory had secrets" is set, then do nothing as
117 * 1. Running ACMs will cause a TXT-RESET
118 * 2. Memory will be scrubbed in BS_DEV_INIT
119 * 3. TXT-RESET will be issued by code above later
120 *
121 */
122static void init_intel_txt(void *unused)
123{
124 const uint64_t status = read64((void *)TXT_SPAD);
125
126 if (status & ACMSTS_TXT_DISABLED)
127 return;
128
129 printk(BIOS_INFO, "TEE-TXT: Initializing TEE...\n");
130
131 intel_txt_log_spad();
132
133 if (CONFIG(INTEL_TXT_LOGGING)) {
134 intel_txt_log_bios_acm_error();
135 txt_dump_chipset_info();
136 }
137
138 printk(BIOS_INFO, "TEE-TXT: Validate TEE...\n");
139
140 if (intel_txt_prepare_txt_env()) {
141 printk(BIOS_ERR, "TEE-TXT: Failed to prepare TXT environment\n");
142 return;
143 }
144
145 /* Check for fatal ACM error and TXT reset */
146 if (get_wake_error_status()) {
147 /* Can't run ACMs with TXT_ESTS_WAKE_ERROR_STS set */
148 printk(BIOS_ERR, "TEE-TXT: Fatal BIOS ACM error reported\n");
149 return;
150 }
151
152 printk(BIOS_INFO, "TEE-TXT: Testing BIOS ACM calling code...\n");
153
154 /*
155 * Test BIOS ACM code.
156 * ACM should do nothing on reserved functions, and return an error code
157 * in TXT_BIOSACM_ERRORCODE. Tests showed that this is not true.
158 * Use special function "NOP" that does 'nothing'.
159 */
160 if (intel_txt_run_bios_acm(ACMINPUT_NOP) < 0) {
161 printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM with NOP function.\n");
162 return;
163 }
164
165 if (status & (ACMSTS_BIOS_TRUSTED | ACMSTS_IBB_MEASURED)) {
166 log_ibb_measurements();
167
168 int s3resume = acpi_is_wakeup_s3();
169 if (!s3resume) {
170 printk(BIOS_INFO, "TEE-TXT: Scheck...\n");
171 if (intel_txt_run_bios_acm(ACMINPUT_SCHECK) < 0) {
172 printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM.\n");
173 return;
174 }
175 }
176 }
177}
178
179BOOT_STATE_INIT_ENTRY(BS_DEV_INIT, BS_ON_EXIT, init_intel_txt, NULL);
180
181static void push_sinit_heap(u8 **heap_ptr, void *data, size_t data_length)
182{
183 /* Push size */
184 const uint64_t tmp = data_length + 8;
185 memcpy(*heap_ptr, &tmp, 8);
186 *heap_ptr += 8;
187
188 if (data_length) {
189 /* Push data */
190 memcpy(*heap_ptr, data, data_length);
191 *heap_ptr += data_length;
192 }
193}
194
195/**
196 * Finalize the TXT device.
197 *
198 * - Lock TXT register.
199 * - Protect TSEG using DMA protected regions.
200 * - Setup TXT regions.
201 * - Place SINIT ACM in TXT_SINIT memory segment.
202 * - Fill TXT BIOSDATA region.
203 */
204static void lockdown_intel_txt(void *unused)
205{
206 const uint64_t status = read64((void *)TXT_SPAD);
207 uintptr_t tseg = 0;
208
209 if (status & ACMSTS_TXT_DISABLED)
210 return;
211
212 printk(BIOS_INFO, "TEE-TXT: Locking TEE...\n");
213
214 /* Lock TXT config, unlocks TXT_HEAP_BASE */
215 if (intel_txt_run_bios_acm(ACMINPUT_LOCK_CONFIG) < 0) {
216 printk(BIOS_ERR, "TEE-TXT: Failed to lock registers.\n");
217 printk(BIOS_ERR, "TEE-TXT: SINIT won't be supported.\n");
218 return;
219 }
220
221 /*
222 * Document Number: 558294
223 * Chapter 5.5.6.1 DMA Protection Memory Region
224 */
225
226 const u8 dpr_capable = !!(read64((void *)TXT_CAPABILITIES) &
227 TXT_CAPABILITIES_DPR);
228 printk(BIOS_INFO, "TEE-TXT: DPR capable %x\n", dpr_capable);
Philipp Deppenwiese5f9f7762018-11-20 14:22:15 +0100[diff] [blame]229
Angel Pons463e44b2020-10-05 13:58:16 +0200[diff] [blame^]230 if (dpr_capable) {
Philipp Deppenwiese5f9f7762018-11-20 14:22:15 +0100[diff] [blame]231 /* Protect 3 MiB below TSEG and lock register */
Angel Pons463e44b2020-10-05 13:58:16 +0200[diff] [blame^]232 union dpr_register dpr = {
233 .lock = 1,
234 .size = 3,
235 .top = tseg,
236 };
237 write64((void *)TXT_DPR, dpr.raw);
Philipp Deppenwiese5f9f7762018-11-20 14:22:15 +0100[diff] [blame]238
239 // DPR TODO: implement SA_ENABLE_DPR in the intelblocks
240
241 printk(BIOS_INFO, "TEE-TXT: TXT.DPR 0x%08x\n",
242 read32((void *)TXT_DPR));
243 }
244
245 /*
246 * Document Number: 558294
247 * Chapter 5.5.6.3 Intel TXT Heap Memory Region
248 */
249 write64((void *)TXT_HEAP_SIZE, 0xE0000);
250 write64((void *)TXT_HEAP_BASE,
251 ALIGN_DOWN((tseg * MiB) - read64((void *)TXT_HEAP_SIZE), 4096));
252
253 /*
254 * Document Number: 558294
255 * Chapter 5.5.6.2 SINIT Memory Region
256 */
257 write64((void *)TXT_SINIT_SIZE, 0x20000);
258 write64((void *)TXT_SINIT_BASE,
259 ALIGN_DOWN(read64((void *)TXT_HEAP_BASE) -
260 read64((void *)TXT_SINIT_SIZE), 4096));
261
262 /*
263 * BIOS Data Format
264 * Chapter C.2
265 * Intel TXT Software Development Guide (Document: 315168-015)
266 */
267 struct {
268 struct txt_biosdataregion bdr;
269 struct txt_heap_acm_element heap_acm;
270 struct txt_extended_data_element_header end;
271 } __packed data = {0};
272
273 /* TPM2.0 requires version 6 of BDT */
274 if (CONFIG(TPM2))
275 data.bdr.version = 6;
276 else
277 data.bdr.version = 5;
278
279 data.bdr.no_logical_procs = dev_count_cpu();
280
281 void *sinit_base = (void *)(uintptr_t)read64((void *)TXT_SINIT_BASE);
282 data.bdr.bios_sinit_size = cbfs_boot_load_file(CONFIG_INTEL_TXT_CBFS_SINIT_ACM,
283 sinit_base,
284 read64((void *)TXT_SINIT_SIZE),
285 CBFS_TYPE_RAW);
286
287 if (data.bdr.bios_sinit_size) {
288 printk(BIOS_INFO, "TEE-TXT: Placing SINIT ACM in memory.\n");
289 if (CONFIG(INTEL_TXT_LOGGING))
290 txt_dump_acm_info(sinit_base);
291 } else {
292 printk(BIOS_ERR, "TEE-TXT: Couldn't locate SINIT ACM in CBFS.\n");
293 /* Clear memory */
294 memset(sinit_base, 0, read64((void *)TXT_SINIT_SIZE));
295 }
296
297 struct cbfsf file;
298 /* The following have been removed from BIOS Data Table in version 6 */
299 if (!cbfs_boot_locate(&file, CONFIG_INTEL_TXT_CBFS_BIOS_POLICY, NULL)) {
300 struct region_device policy;
301
302 cbfs_file_data(&policy, &file);
303 void *policy_data = rdev_mmap_full(&policy);
304 size_t policy_len = region_device_sz(&policy);
305
306 if (policy_data && policy_len) {
307 /* Point to FIT Type 9 entry in flash */
308 data.bdr.lcp_pd_base = (uintptr_t)policy_data;
309 data.bdr.lcp_pd_size = (uint64_t)policy_len;
310 rdev_munmap(&policy, policy_data);
311 } else {
312 printk(BIOS_ERR, "TEE-TXT: Couldn't map LCP PD Policy from CBFS.\n");
313 }
314 } else {
315 printk(BIOS_ERR, "TEE-TXT: Couldn't locate LCP PD Policy in CBFS.\n");
316 }
317
318 data.bdr.support_acpi_ppi = 0;
319 data.bdr.platform_type = 0;
320
321 /* Extended elements - ACM addresses */
322 data.heap_acm.header.type = HEAP_EXTDATA_TYPE_ACM;
323 data.heap_acm.header.size = sizeof(data.heap_acm);
324 if (data.bdr.bios_sinit_size) {
325 data.heap_acm.num_acms = 2;
326 data.heap_acm.acm_addrs[1] = (uintptr_t)sinit_base;
327 } else {
328 data.heap_acm.num_acms = 1;
329 }
330 data.heap_acm.acm_addrs[0] =
331 (uintptr_t)cbfs_boot_map_with_leak(CONFIG_INTEL_TXT_CBFS_BIOS_ACM,
332 CBFS_TYPE_RAW,
333 NULL);
334 /* Extended elements - End marker */
335 data.end.type = HEAP_EXTDATA_TYPE_END;
336 data.end.size = sizeof(data.end);
337
338 /* Fill TXT.HEAP.BASE with 4 subregions */
339 u8 *heap_struct = (void *)((uintptr_t)read64((void *)TXT_HEAP_BASE));
340
341 /* BiosData */
342 push_sinit_heap(&heap_struct, &data, sizeof(data));
343
344 /* OsMLEData */
345 /* FIXME: Does firmware need to write this? */
346 push_sinit_heap(&heap_struct, NULL, 0);
347
348 /* OsSinitData */
349 /* FIXME: Does firmware need to write this? */
350 push_sinit_heap(&heap_struct, NULL, 0);
351
352 /* SinitMLEData */
353 /* FIXME: Does firmware need to write this? */
354 push_sinit_heap(&heap_struct, NULL, 0);
355
356 /*
357 * FIXME: Server-TXT capable platforms need to install an STM in SMM and set up MSEG.
358 */
359
360 /**
361 * Chapter 5.10.1 SMM in the Intel TXT for Servers Environment
362 * Disable MSEG.
363 */
364 write64((void *)TXT_MSEG_SIZE, 0);
365 write64((void *)TXT_MSEG_BASE, 0);
366
367 if (CONFIG(INTEL_TXT_LOGGING))
368 txt_dump_regions();
369}
370
371BOOT_STATE_INIT_ENTRY(BS_POST_DEVICE, BS_ON_EXIT, lockdown_intel_txt, NULL);