Add TXT ramstage driver:

* Show startup errors
* Check for TXT reset
* Check for Secrets-in-memory
* Add assembly for GETSEC instruction
* Check platform state if GETSEC instruction is supported
* Configure TXT memory regions
* Lock TXT
* Protect TSEG using DMA protected regions
* Place SINIT ACM
* Print information about ACMs

Extend the `security_clear_dram_request()` function:

* Clear all DRAM if secrets are in memory

Add a config so that the code gets build-tested. Since BIOS and SINIT ACM binaries are not available, use the STM binary as a placeholder.

Tested on OCP Wedge100s and Facebook Watson

* Able to enter a Measured Launch Environment using SINIT ACM and TBOOT
* Secrets in Memory bit is set on ungraceful shutdown
* Memory is cleared after ungraceful shutdown

Change-Id: Iaf4be7f016cc12d3971e1e1fe171e6665e44c284
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37016
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
22 lines
583 B
C
/* SPDX-License-Identifier: GPL-2.0-only */

#ifndef SECURITY_INTEL_TXT_GETSEC_H_
#define SECURITY_INTEL_TXT_GETSEC_H_

#include <stdint.h>

bool getsec_parameter(uint32_t *version_mask,
		      uint32_t *version_numbers_supported,
		      uint32_t *max_size_acm_area,
		      uint32_t *memory_type_mask,
		      uint32_t *senter_function_disable,
		      uint32_t *txt_feature_flags);

bool getsec_capabilities(uint32_t *eax);

void getsec_enteraccs(const uint32_t esi,
		      const uint32_t acm_base,
		      const uint32_t acm_size);

#endif /* SECURITY_INTEL_TXT_REGISTER_H_ */
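Review bot: the closing guard comment on the last line does not match the guard macro: the header opens with `#ifndef SECURITY_INTEL_TXT_GETSEC_H_` but closes with `#endif /* SECURITY_INTEL_TXT_REGISTER_H_ */`, which looks like a leftover from a register header; change the comment to `/* SECURITY_INTEL_TXT_GETSEC_H_ */`. Also, `getsec_parameter()` and `getsec_capabilities()` return `bool`, but the only include is `<stdint.h>`; add `<stdbool.h>` (or the coreboot header that provides `bool`) so the header is self-contained for any translation unit that includes it first. Finally, none of the prototypes carry a comment; a short note on what `esi` means for `getsec_enteraccs()`, and that the GETSEC support check described in the commit message must succeed before any of these are called, would help callers.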