cpu/x86/entry16.S: Make Intel CBnT TOCTOU safe

Intel CBnT (and Boot Guard) makes the chain of trust TOCTOU safe by setting up NEM (non eviction mode) in the ACM. The CBnT IBB (Initial BootBlock) therefore should not disable caching. Sidenote: the MSR macros are taken from the slimbootloader project. TESTED: ocp/Deltalake boot with and without CBnT and also a broken CBnT setup. Change-Id: Id2031e4e406655e14198e45f137ba152f8b6f567 Signed-off-by: Arthur Heymans <arthur@aheymans.xyz> Reviewed-on: https://review.coreboot.org/c/coreboot/+/54010 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Christian Walter <christian.walter@9elements.com>
2021-05-10 09:23:31 +02:00
parent e3a079cff8
commit e7266e8393
2 changed files with 24 additions and 0 deletions
--- a/src/cpu/x86/entry16.S
+++ b/src/cpu/x86/entry16.S
@@ -115,10 +115,24 @@ _start16bit:
 	subw	%ax, %bx
 	lgdtl	%cs:(%bx)

+#if CONFIG(INTEL_CBNT_SUPPORT)
+#include <cpu/intel/msr.h>
+	movl	$MSR_BOOT_GUARD_SACM_INFO, %ecx
+	rdmsr
+	andl	$B_BOOT_GUARD_SACM_INFO_NEM_ENABLED, %eax
+	jz	1f
+	movl	%cr0, %eax
+	andl	$0x7FFAFFD1, %eax /* PG,AM,WP,NE,TS,EM,MP = 0 */
+	orl	$0x01, %eax /* PE = 1 */
+	movl	%eax, %cr0
+	jmp	2f
+#endif
+1:
 	movl	%cr0, %eax
 	andl	$0x7FFAFFD1, %eax /* PG,AM,WP,NE,TS,EM,MP = 0 */
 	orl	$0x60000001, %eax /* CD, NW, PE = 1 */
 	movl	%eax, %cr0
+2:

 	/* Restore BIST to %eax */
 	movl	%ebp, %eax