Gitiles
Code Review Sign In
review.coreboot.org / coreboot / 5f9f77672d096a013094f3cad63cb138167dbf1b / . / src / security / intel / txt / ramstage.c
blob: 8627a2b5c918c217ecc74720889058a81898f916 [file] [log] [blame]
Philipp Deppenwiese5f9f7762018-11-20 14:22:15 +0100[diff] [blame^]1/* SPDX-License-Identifier: GPL-2.0-only */
2
3#include <arch/mmio.h>
4#include <acpi/acpi.h>
5#include <bootstate.h>
6#include <bootmem.h>
7#include <console/console.h>
8#include <stdint.h>
9#include <cbfs.h>
10#include <cpu/intel/common/common.h>
11#include <cpu/x86/msr.h>
12
13#include <lib.h>
14#include <device/pci_ops.h>
15
16#include "txt.h"
17#include "txt_register.h"
18#include "txt_getsec.h"
19
20/* FIXME: Seems to work only on some platforms */
21static void log_ibb_measurements(void)
22{
23 const uint64_t mseg_size = read64((void *)TXT_MSEG_SIZE);
24 uint64_t mseg_base = read64((void *)TXT_MSEG_BASE);
25
26 if (!mseg_size || !mseg_base || mseg_size <= mseg_base)
27 return;
28 /*
29 * MSEG SIZE and MSEG BASE might contain random values.
30 * Assume below 4GiB and 8byte aligned.
31 */
32 if (mseg_base & ~0xfffffff8ULL || mseg_size & ~0xfffffff8ULL)
33 return;
34
35 printk(BIOS_INFO, "TEE-TXT: IBB Hash 0x");
36 for (; mseg_base < mseg_size; mseg_base++)
37 printk(BIOS_INFO, "%02X", read8((void *)(uintptr_t)mseg_base));
38
39 printk(BIOS_INFO, "\n");
40}
41
42void bootmem_platform_add_ranges(void)
43{
44 uint64_t status = read64((void *)TXT_SPAD);
45
46 if (status & ACMSTS_TXT_DISABLED)
47 return;
48
49 /* Chapter 5.5.5 Intel TXT reserved memory */
50 bootmem_add_range(TXT_RESERVED_SPACE,
51 TXT_RESERVED_SPACE_SIZE,
52 BM_MEM_RESERVED);
53
54 /* Intel TPM decode memory */
55 bootmem_add_range(TXT_TPM_DECODE_AREA,
56 TXT_RESERVED_SPACE - TXT_TPM_DECODE_AREA,
57 BM_MEM_RESERVED);
58
59 /* Intel TXT public space memory */
60 bootmem_add_range(TXT_PUBLIC_SPACE,
61 TXT_TPM_DECODE_AREA - TXT_PUBLIC_SPACE,
62 BM_MEM_RESERVED);
63
64 /* Intel TXT private space memory */
65 bootmem_add_range(TXT_PRIVATE_SPACE,
66 TXT_PUBLIC_SPACE - TXT_PRIVATE_SPACE,
67 BM_MEM_RESERVED);
68
69 const uint32_t txt_dev_memory = read32((void *)TXT_DPR) &
70 (TXT_DPR_TOP_ADDR_MASK << TXT_DPR_TOP_ADDR_SHIFT);
71 const uint32_t txt_dev_size =
72 (read32((void *)TXT_DPR) >> TXT_DPR_LOCK_SIZE_SHIFT) &
73 TXT_DPR_LOCK_SIZE_MASK;
74
75 /* Chapter 5.5.6 Intel TXT Device Memory */
76 bootmem_add_range(txt_dev_memory - txt_dev_size * MiB,
77 txt_dev_size * MiB,
78 BM_MEM_RESERVED);
79}
80
81static bool get_wake_error_status(void)
82{
83 const uint8_t error = read8((void *)TXT_ESTS);
84 return !!(error & TXT_ESTS_WAKE_ERROR_STS);
85}
86
87static void check_secrets_txt(void *unused)
88{
89 uint64_t status = read64((void *)TXT_SPAD);
90
91 if (status & ACMSTS_TXT_DISABLED)
92 return;
93
94 /* Check for fatal ACM error and TXT reset */
95 if (get_wake_error_status()) {
96 /*
97 * Check if secrets bit needs to be reset. Only platforms that support
98 * CONFIG(PLATFORM_HAS_DRAM_CLEAR) will be able to run this code.
99 * Assume all memory really was cleared.
100 *
101 * TXT will issue a platform reset to come up sober.
102 */
103 if (intel_txt_memory_has_secrets()) {
104 printk(BIOS_INFO, "TEE-TXT: Wiping TEE...\n");
105 intel_txt_run_bios_acm(ACMINPUT_CLEAR_SECRETS);
106
107 /* Should never reach this point ... */
108 intel_txt_log_acm_error(read32((void *)TXT_BIOSACM_ERRORCODE));
109 die("Waiting for platform reset...\n");
110 }
111 }
112}
113
114BOOT_STATE_INIT_ENTRY(BS_POST_DEVICE, BS_ON_ENTRY, check_secrets_txt, NULL);
115
116/**
117 * Log TXT startup errors, check all bits for TXT, run BIOSACM using
118 * GETSEC[ENTERACCS].
119 *
120 * If a "TXT reset" is detected or "memory had secrets" is set, then do nothing as
121 * 1. Running ACMs will cause a TXT-RESET
122 * 2. Memory will be scrubbed in BS_DEV_INIT
123 * 3. TXT-RESET will be issued by code above later
124 *
125 */
126static void init_intel_txt(void *unused)
127{
128 const uint64_t status = read64((void *)TXT_SPAD);
129
130 if (status & ACMSTS_TXT_DISABLED)
131 return;
132
133 printk(BIOS_INFO, "TEE-TXT: Initializing TEE...\n");
134
135 intel_txt_log_spad();
136
137 if (CONFIG(INTEL_TXT_LOGGING)) {
138 intel_txt_log_bios_acm_error();
139 txt_dump_chipset_info();
140 }
141
142 printk(BIOS_INFO, "TEE-TXT: Validate TEE...\n");
143
144 if (intel_txt_prepare_txt_env()) {
145 printk(BIOS_ERR, "TEE-TXT: Failed to prepare TXT environment\n");
146 return;
147 }
148
149 /* Check for fatal ACM error and TXT reset */
150 if (get_wake_error_status()) {
151 /* Can't run ACMs with TXT_ESTS_WAKE_ERROR_STS set */
152 printk(BIOS_ERR, "TEE-TXT: Fatal BIOS ACM error reported\n");
153 return;
154 }
155
156 printk(BIOS_INFO, "TEE-TXT: Testing BIOS ACM calling code...\n");
157
158 /*
159 * Test BIOS ACM code.
160 * ACM should do nothing on reserved functions, and return an error code
161 * in TXT_BIOSACM_ERRORCODE. Tests showed that this is not true.
162 * Use special function "NOP" that does 'nothing'.
163 */
164 if (intel_txt_run_bios_acm(ACMINPUT_NOP) < 0) {
165 printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM with NOP function.\n");
166 return;
167 }
168
169 if (status & (ACMSTS_BIOS_TRUSTED | ACMSTS_IBB_MEASURED)) {
170 log_ibb_measurements();
171
172 int s3resume = acpi_is_wakeup_s3();
173 if (!s3resume) {
174 printk(BIOS_INFO, "TEE-TXT: Scheck...\n");
175 if (intel_txt_run_bios_acm(ACMINPUT_SCHECK) < 0) {
176 printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM.\n");
177 return;
178 }
179 }
180 }
181}
182
183BOOT_STATE_INIT_ENTRY(BS_DEV_INIT, BS_ON_EXIT, init_intel_txt, NULL);
184
185static void push_sinit_heap(u8 **heap_ptr, void *data, size_t data_length)
186{
187 /* Push size */
188 const uint64_t tmp = data_length + 8;
189 memcpy(*heap_ptr, &tmp, 8);
190 *heap_ptr += 8;
191
192 if (data_length) {
193 /* Push data */
194 memcpy(*heap_ptr, data, data_length);
195 *heap_ptr += data_length;
196 }
197}
198
199/**
200 * Finalize the TXT device.
201 *
202 * - Lock TXT register.
203 * - Protect TSEG using DMA protected regions.
204 * - Setup TXT regions.
205 * - Place SINIT ACM in TXT_SINIT memory segment.
206 * - Fill TXT BIOSDATA region.
207 */
208static void lockdown_intel_txt(void *unused)
209{
210 const uint64_t status = read64((void *)TXT_SPAD);
211 uintptr_t tseg = 0;
212
213 if (status & ACMSTS_TXT_DISABLED)
214 return;
215
216 printk(BIOS_INFO, "TEE-TXT: Locking TEE...\n");
217
218 /* Lock TXT config, unlocks TXT_HEAP_BASE */
219 if (intel_txt_run_bios_acm(ACMINPUT_LOCK_CONFIG) < 0) {
220 printk(BIOS_ERR, "TEE-TXT: Failed to lock registers.\n");
221 printk(BIOS_ERR, "TEE-TXT: SINIT won't be supported.\n");
222 return;
223 }
224
225 /*
226 * Document Number: 558294
227 * Chapter 5.5.6.1 DMA Protection Memory Region
228 */
229
230 const u8 dpr_capable = !!(read64((void *)TXT_CAPABILITIES) &
231 TXT_CAPABILITIES_DPR);
232 printk(BIOS_INFO, "TEE-TXT: DPR capable %x\n", dpr_capable);
233 if (dpr_capable) {
234
235 /* Protect 3 MiB below TSEG and lock register */
236 write64((void *)TXT_DPR, (TXT_DPR_TOP_ADDR(tseg) |
237 TXT_DPR_LOCK_SIZE(3) |
238 TXT_DPR_LOCK_MASK));
239
240 // DPR TODO: implement SA_ENABLE_DPR in the intelblocks
241
242 printk(BIOS_INFO, "TEE-TXT: TXT.DPR 0x%08x\n",
243 read32((void *)TXT_DPR));
244 }
245
246 /*
247 * Document Number: 558294
248 * Chapter 5.5.6.3 Intel TXT Heap Memory Region
249 */
250 write64((void *)TXT_HEAP_SIZE, 0xE0000);
251 write64((void *)TXT_HEAP_BASE,
252 ALIGN_DOWN((tseg * MiB) - read64((void *)TXT_HEAP_SIZE), 4096));
253
254 /*
255 * Document Number: 558294
256 * Chapter 5.5.6.2 SINIT Memory Region
257 */
258 write64((void *)TXT_SINIT_SIZE, 0x20000);
259 write64((void *)TXT_SINIT_BASE,
260 ALIGN_DOWN(read64((void *)TXT_HEAP_BASE) -
261 read64((void *)TXT_SINIT_SIZE), 4096));
262
263 /*
264 * BIOS Data Format
265 * Chapter C.2
266 * Intel TXT Software Development Guide (Document: 315168-015)
267 */
268 struct {
269 struct txt_biosdataregion bdr;
270 struct txt_heap_acm_element heap_acm;
271 struct txt_extended_data_element_header end;
272 } __packed data = {0};
273
274 /* TPM2.0 requires version 6 of BDT */
275 if (CONFIG(TPM2))
276 data.bdr.version = 6;
277 else
278 data.bdr.version = 5;
279
280 data.bdr.no_logical_procs = dev_count_cpu();
281
282 void *sinit_base = (void *)(uintptr_t)read64((void *)TXT_SINIT_BASE);
283 data.bdr.bios_sinit_size = cbfs_boot_load_file(CONFIG_INTEL_TXT_CBFS_SINIT_ACM,
284 sinit_base,
285 read64((void *)TXT_SINIT_SIZE),
286 CBFS_TYPE_RAW);
287
288 if (data.bdr.bios_sinit_size) {
289 printk(BIOS_INFO, "TEE-TXT: Placing SINIT ACM in memory.\n");
290 if (CONFIG(INTEL_TXT_LOGGING))
291 txt_dump_acm_info(sinit_base);
292 } else {
293 printk(BIOS_ERR, "TEE-TXT: Couldn't locate SINIT ACM in CBFS.\n");
294 /* Clear memory */
295 memset(sinit_base, 0, read64((void *)TXT_SINIT_SIZE));
296 }
297
298 struct cbfsf file;
299 /* The following have been removed from BIOS Data Table in version 6 */
300 if (!cbfs_boot_locate(&file, CONFIG_INTEL_TXT_CBFS_BIOS_POLICY, NULL)) {
301 struct region_device policy;
302
303 cbfs_file_data(&policy, &file);
304 void *policy_data = rdev_mmap_full(&policy);
305 size_t policy_len = region_device_sz(&policy);
306
307 if (policy_data && policy_len) {
308 /* Point to FIT Type 9 entry in flash */
309 data.bdr.lcp_pd_base = (uintptr_t)policy_data;
310 data.bdr.lcp_pd_size = (uint64_t)policy_len;
311 rdev_munmap(&policy, policy_data);
312 } else {
313 printk(BIOS_ERR, "TEE-TXT: Couldn't map LCP PD Policy from CBFS.\n");
314 }
315 } else {
316 printk(BIOS_ERR, "TEE-TXT: Couldn't locate LCP PD Policy in CBFS.\n");
317 }
318
319 data.bdr.support_acpi_ppi = 0;
320 data.bdr.platform_type = 0;
321
322 /* Extended elements - ACM addresses */
323 data.heap_acm.header.type = HEAP_EXTDATA_TYPE_ACM;
324 data.heap_acm.header.size = sizeof(data.heap_acm);
325 if (data.bdr.bios_sinit_size) {
326 data.heap_acm.num_acms = 2;
327 data.heap_acm.acm_addrs[1] = (uintptr_t)sinit_base;
328 } else {
329 data.heap_acm.num_acms = 1;
330 }
331 data.heap_acm.acm_addrs[0] =
332 (uintptr_t)cbfs_boot_map_with_leak(CONFIG_INTEL_TXT_CBFS_BIOS_ACM,
333 CBFS_TYPE_RAW,
334 NULL);
335 /* Extended elements - End marker */
336 data.end.type = HEAP_EXTDATA_TYPE_END;
337 data.end.size = sizeof(data.end);
338
339 /* Fill TXT.HEAP.BASE with 4 subregions */
340 u8 *heap_struct = (void *)((uintptr_t)read64((void *)TXT_HEAP_BASE));
341
342 /* BiosData */
343 push_sinit_heap(&heap_struct, &data, sizeof(data));
344
345 /* OsMLEData */
346 /* FIXME: Does firmware need to write this? */
347 push_sinit_heap(&heap_struct, NULL, 0);
348
349 /* OsSinitData */
350 /* FIXME: Does firmware need to write this? */
351 push_sinit_heap(&heap_struct, NULL, 0);
352
353 /* SinitMLEData */
354 /* FIXME: Does firmware need to write this? */
355 push_sinit_heap(&heap_struct, NULL, 0);
356
357 /*
358 * FIXME: Server-TXT capable platforms need to install an STM in SMM and set up MSEG.
359 */
360
361 /**
362 * Chapter 5.10.1 SMM in the Intel TXT for Servers Environment
363 * Disable MSEG.
364 */
365 write64((void *)TXT_MSEG_SIZE, 0);
366 write64((void *)TXT_MSEG_BASE, 0);
367
368 if (CONFIG(INTEL_TXT_LOGGING))
369 txt_dump_regions();
370}
371
372BOOT_STATE_INIT_ENTRY(BS_POST_DEVICE, BS_ON_EXIT, lockdown_intel_txt, NULL);