erebion/coreboot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
coreboot/src/security
History
Philipp Deppenwiese 5f9f77672d security/intel/txt: Add Intel TXT support 
Add TXT ramstage driver:
 * Show startup errors
 * Check for TXT reset
 * Check for Secrets-in-memory
 * Add assembly for GETSEC instruction
 * Check platform state if GETSEC instruction is supported
 * Configure TXT memory regions
 * Lock TXT
 * Protect TSEG using DMA protected regions
 * Place SINIT ACM
 * Print information about ACMs

Extend the `security_clear_dram_request()` function:
 * Clear all DRAM if secrets are in memory

Add a config so that the code gets build-tested. Since BIOS and SINIT
ACM binaries are not available, use the STM binary as a placeholder.

Tested on OCP Wedge100s and Facebook Watson
 * Able to enter a Measured Launch Environment using SINIT ACM and TBOOT
 * Secrets in Memory bit is set on ungraceful shutdown
 * Memory is cleared after ungraceful shutdown

Change-Id: Iaf4be7f016cc12d3971e1e1fe171e6665e44c284
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37016
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
2020-07-31 16:02:54 +00:00
..
intel security/intel/txt: Add Intel TXT support 2020-07-31 16:02:54 +00:00
lockdown lockdown: Add hint for how to check for lockdown support in boot log 2020-06-22 12:27:18 +00:00
memory security/intel/txt: Add Intel TXT support 2020-07-31 16:02:54 +00:00
tpm security/tpm/tss/tcg-1.2/tss.c: Drop dead code 2020-07-09 21:29:16 +00:00
vboot src: Change BOOL CONFIG_ to CONFIG() in comments & strings 2020-07-26 21:20:30 +00:00
Kconfig treewide: Remove "this file is part of" lines 2020-05-11 17:11:40 +00:00
Makefile.inc security: Add common boot media write protection 2020-04-28 01:19:32 +00:00