sravan/system76-coreboot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

util/intelmetool: Fix the BootGuard dump feature

Browse Source 
Read the correct bits for measured and verified boot, print information
about some other bits.

Signed-off-by: Pablo Stebler <pablo@stebler.xyz>
Change-Id: Ie79d6da33032aee94d716bf0698b5501bbc424fa
Reviewed-on: https://review.coreboot.org/c/coreboot/+/45516
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
This commit is contained in:
Pablo Stebler
2020-09-18 10:32:22 +02:00
committed by Angel Pons
parent ca128a0eb4
commit 9ac91d220f
5 changed files with 71 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

107
util/intelmetool/intelmetool.c
View File

@@ -314,12 +314,16 @@ out:
rehide_me(); rehide_me();
} }
static void print_btg_bool_param(const char *name, u8 state)
{
printf("%-20s : %s\n", name, state ? "ON" : "OFF");
}
static void dump_bootguard_info(void) static void dump_bootguard_info(void)
{ {
struct pci_dev *dev; struct pci_dev *dev;
char namebuf[1024]; char namebuf[1024];
const char *name = NULL; const char *name = NULL;
uint64_t bootguard = 0;
if (pci_platform_scan()) if (pci_platform_scan())
return; return;
@@ -342,59 +346,74 @@ static void dump_bootguard_info(void)
if (ME_major_ver && if (ME_major_ver &&
(ME_major_ver < 9 || (ME_major_ver < 9 ||
(ME_major_ver == 9 && ME_minor_ver < 5))) { (ME_major_ver == 9 && ME_minor_ver < 5))) {
print_cap("BootGuard ", 0); printf(CGRN "Your system isn't BootGuard ready.\n"
printf(CGRN "\nYour system isn't bootguard ready. You can " "You can flash other firmware!\n" RESET);
"flash other firmware!\n" RESET);
rehide_me(); rehide_me();
return; return;
} }
if (msr_bootguard(&bootguard, debug) < 0) {
printf("ME Capability: %-43s: " CCYN "%s\n" RESET,
"BootGuard Mode", "Unknown");
rehide_me();
return;
}
if (debug) {
printf("BootGuard MSR Output: 0x%" PRIx64 "\n", bootguard);
bootguard &= ~0xff;
}
print_cap("BootGuard ", 1);
if (pci_read_long(dev, 0x40) & 0x10) if (pci_read_long(dev, 0x40) & 0x10)
printf(CYEL "Your southbridge configuration is insecure!! " printf(CYEL "Your southbridge configuration is insecure!!\n"
"BootGuard keys can be overwritten or wiped, or you are " "BootGuard keys can be overwritten or wiped, or you are "
"in developer mode.\n" "in developer mode.\n"
RESET); RESET);
rehide_me(); rehide_me();
switch (bootguard) { union {
case BOOTGUARD_DISABLED: struct {
printf("ME Capability: %-43s: " CGRN "%s\n" RESET, u8 nem_enabled : 1; /* [ 0.. 0] */
"BootGuard Mode", "Disabled"); u8 tpm_type : 2; /* [ 2.. 1] */
printf(CGRN "\nYour system is bootguard ready but your vendor " u8 tpm_success : 1; /* [ 3.. 3] */
"disabled it. You can flash other firmware!\n" RESET); u8 facb_fpf : 1; /* [ 4.. 4] */
break; u8 measured_boot : 1; /* [ 5.. 5] */
case BOOTGUARD_ENABLED_COMBI_MODE: u8 verified_boot : 1; /* [ 6.. 6] */
printf("ME Capability: %-43s: " CGRN "%s\n" RESET, u8 module_revoked : 1; /* [ 7.. 7] */
"BootGuard Mode", "Verified & Measured Boot"); u32 : 24;
printf(CRED "\nVerified boot is enabled. You can't flash other " u8 btg_capability : 1; /* [32..32] */
"firmware. !\n" RESET); u32 : 31;
break; };
case BOOTGUARD_ENABLED_MEASUREMENT_MODE: u64 raw;
printf("ME Capability: %-43s: " CGRN "%s\n" RESET, } btg;
"BootGuard Mode", "Measured Boot");
printf(CGRN "\nYour system is bootguard ready but only running " if (msr_bootguard(&btg.raw) < 0) {
"the measured boot mode. You can flash other firmware!\n" printf("Could not read the BOOTGUARD_SACM_INFO MSR.\n");
RESET); return;
break; }
case BOOTGUARD_ENABLED_VERIFIED_MODE:
printf("ME Capability: %-43s: " CGRN "%s\n" RESET, printf("BootGuard MSR Output : 0x%" PRIx64 "\n", btg.raw);
"BootGuard Mode", "Verified Boot");
printf(CRED "\nVerified boot is enabled! You can't flash other " if (!btg.btg_capability) {
"firmware.\n" RESET); printf(CGRN "Your system isn't BootGuard ready.\n"
break; "You can flash other firmware!\n" RESET);
return;
}
print_btg_bool_param("Measured boot", btg.measured_boot);
print_btg_bool_param("Verified boot", btg.verified_boot);
print_btg_bool_param("FACB in FPFs", btg.facb_fpf);
print_btg_bool_param("Module revoked", btg.module_revoked);
if (btg.measured_boot) {
const char *const tpm_type_strs[] = {
"None",
"TPM 1.2",
"TPM 2.0",
"PTT",
};
printf("%-20s : %s\n", "TPM type", tpm_type_strs[btg.tpm_type]);
print_btg_bool_param("TPM success", btg.tpm_success);
}
if (btg.verified_boot) {
print_btg_bool_param("NEM enabled", btg.nem_enabled);
if (btg.nem_enabled)
printf(CRED "Verified boot is enabled and ACM has enabled "
"Cache-As-RAM.\nYou can't flash other firmware!\n" RESET);
else
printf(CYEL "Verified boot is enabled, but ACM did not enable "
"Cache-As-RAM.\nIt might be possible to flash other firmware.\n"
RESET);
} else {
printf(CGRN "Your system is BootGuard ready but verified boot is disabled.\n"
"You can flash other firmware!\n" RESET);
} }
} }

15
util/intelmetool/intelmetool.h
View File

@@ -48,11 +48,6 @@
#define ME_MESSAGE_LEN 256 #define ME_MESSAGE_LEN 256
extern int debug; extern int debug;
static inline void print_cap(const char *name, int state)
{
printf("ME Capability: %-30s : %s\n",
name, state ? CRED "ON" RESET : CGRN "OFF" RESET);
}
#define PCI_VENDOR_ID_INTEL 0x8086 #define PCI_VENDOR_ID_INTEL 0x8086
@@ -495,13 +490,3 @@ static inline void print_cap(const char *name, int state)
((x) == PCI_DEVICE_ID_INTEL_LEWISBURG_IE3) || \ ((x) == PCI_DEVICE_ID_INTEL_LEWISBURG_IE3) || \
((x) == PCI_DEVICE_ID_INTEL_CANNONLAKE) || \ ((x) == PCI_DEVICE_ID_INTEL_CANNONLAKE) || \
0) 0)
#define BOOTGUARD_DISABLED 0x400000000
#define BOOTGUARD_ENABLED_VERIFIED_MODE 0x100000000
#define BOOTGUARD_ENABLED_MEASUREMENT_MODE 0x200000000
#define BOOTGUARD_ENABLED_COMBI_MODE 0x300000000
#define BOOTGUARD_CAPABILITY(x) ( \
((x) == BOOTGUARD_DISABLED) || \
((x) == BOOTGUARD_ENABLED_VERIFIED_MODE) || \
((x) == BOOTGUARD_ENABLED_MEASUREMENT_MODE) || \
((x) == BOOTGUARD_ENABLED_COMBI_MODE))

6
util/intelmetool/me.c
View File

@@ -413,6 +413,12 @@ int mkhi_get_fw_version(int *major, int *minor)
return 0; return 0;
} }
static void print_cap(const char *name, int state)
{
printf("ME Capability: %-30s : %s\n",
name, state ? CRED "ON" RESET : CGRN "OFF" RESET);
}
/* Get ME Firmware Capabilities */ /* Get ME Firmware Capabilities */
int mkhi_get_fwcaps(void) int mkhi_get_fwcaps(void)
{ {

5
util/intelmetool/msr.c
View File

@@ -39,7 +39,7 @@ static int rdmsr(int addr, uint64_t *msr)
} }
#endif #endif
int msr_bootguard(uint64_t *msr, int debug) int msr_bootguard(uint64_t *msr)
{ {
#ifndef __DARWIN__ #ifndef __DARWIN__
@@ -54,8 +54,5 @@ int msr_bootguard(uint64_t *msr, int debug)
return -1; return -1;
#endif #endif
if (!debug)
*msr &= ~0xff;
return 0; return 0;
} }

2
util/intelmetool/msr.h
View File

@@ -13,5 +13,5 @@ typedef struct {
unsigned int ecx; unsigned int ecx;
} regs_t; } regs_t;
extern int msr_bootguard(uint64_t *msr, int debug); extern int msr_bootguard(uint64_t *msr);
#endif #endif