If Vt-D is disabled in the BIOS, the DMAR table is not present. We can check for this and skip the attempt to perform a measured launch. Not every platform may omit the DMAR table when Vt-D is disabled, but in any case, if the DMAR table is not present, the kernel will not be able to detect or reprogram the IOMMU along the tboot_force_iommu path. So either way this change should be helpful.
Testing: Disable Vt-D, verify that measured launch is skipped. Enable Vt-D, verify that measured launch is performed. Signed-off-by: Sahil Rihan <sri...@fb.com>
diff --git a/include/tb_error.h b/include/tb_error.h
--- a/include/tb_error.h
+++ b/include/tb_error.h
@@ -45,6 +45,7 @@
 TB_ERR_TPM_NOT_READY, /* tpm not ready */
 TB_ERR_SMX_NOT_SUPPORTED, /* smx not supported */
 TB_ERR_VMX_NOT_SUPPORTED, /* vmx not supported */
+ TB_ERR_VTD_NOT_SUPPORTED, /* Vt-D not enabled in BIOS */
 TB_ERR_TXT_NOT_SUPPORTED, /* txt not supported */
 TB_ERR_MODULE_VERIFICATION_FAILED, /* module failed to verify against
diff --git a/tboot/common/acpi.c b/tboot/common/acpi.c
--- a/tboot/common/acpi.c
+++ b/tboot/common/acpi.c
@@ -212,7 +212,7 @@
 }
 }
- printk(TBOOT_ERR"cann't find %s table.\n", table_name);
+ printk(TBOOT_ERR"can't find %s table.\n", table_name);
 return NULL;
 }
@@ -221,6 +221,11 @@
 return (struct acpi_dmar *)find_table(DMAR_SIG);
 }
+bool vtd_bios_enabled(void)
+{
+ return find_table(DMAR_SIG) != NULL;
+}
+
 bool save_vtd_dmar_table(void)
 {
 /* find DMAR table and save it */
diff --git a/tboot/common/policy.c b/tboot/common/policy.c
--- a/tboot/common/policy.c
+++ b/tboot/common/policy.c
@@ -101,6 +101,7 @@
 {TB_ERR_TPM_NOT_READY, TB_POLACT_UNMEASURED_LAUNCH},
 {TB_ERR_SMX_NOT_SUPPORTED, TB_POLACT_UNMEASURED_LAUNCH},
 {TB_ERR_VMX_NOT_SUPPORTED, TB_POLACT_UNMEASURED_LAUNCH},
+ {TB_ERR_VTD_NOT_SUPPORTED, TB_POLACT_UNMEASURED_LAUNCH},
 {TB_ERR_TXT_NOT_SUPPORTED, TB_POLACT_UNMEASURED_LAUNCH},
 {TB_ERR_SINIT_NOT_PRESENT, TB_POLACT_UNMEASURED_LAUNCH},
 {TB_ERR_ACMOD_VERIFY_FAILED, TB_POLACT_UNMEASURED_LAUNCH},
diff --git a/tboot/common/tb_error.c b/tboot/common/tb_error.c
--- a/tboot/common/tb_error.c
+++ b/tboot/common/tb_error.c
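Review bot: In include/tb_error.h, `TB_ERR_VTD_NOT_SUPPORTED` is inserted in the middle of the enum, which shifts the numeric value of `TB_ERR_TXT_NOT_SUPPORTED` and every later code unless the enumerators carry explicit values (the start of the declaration is outside the hunk). If these codes are persisted across boots or decoded by tools built against the older header, a stored value would then map to the wrong error; that is an inference from the header living in the shared include/ directory, so it needs confirming. Appending the new enumerator after the last existing one keeps the old values stable. The comment would also be more accurate as `/* DMAR table not found (Vt-D disabled?) */`, since the check tests for the table rather than reading the BIOS setting.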
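Review bot: In tboot/common/acpi.c, `vtd_bios_enabled()` only reports that a table with the DMAR signature was found; nothing in the hunk validates the table or confirms that DMA remapping is usable, and the commit message itself says the mapping between a missing table and disabled Vt-D may not hold on every platform. The name therefore promises more than the check delivers, and a later caller could read a true result as a guarantee of DMA protection. Consider naming it for what it tests, or document the limit above the function with `/* true if firmware published a DMAR table; does not validate its contents or prove Vt-D is active */`. A miss also goes through the `can't find %s table` error print shown in the previous hunk (assuming that print belongs to find_table), so the failure is logged once there and again by the new tb_error.c message.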
@@ -81,6 +81,9 @@
 case TB_ERR_VMX_NOT_SUPPORTED:
 printk(TBOOT_ERR"VMX not supported.\n");
 break;
+ case TB_ERR_VTD_NOT_SUPPORTED:
+ printk(TBOOT_ERR"DMAR table not found. Check if Vt-D is enabled in BIOS.\n");
+ break;
 case TB_ERR_TXT_NOT_SUPPORTED:
 printk(TBOOT_ERR"TXT not supported.\n");
 break;
diff --git a/tboot/include/acpi.h b/tboot/include/acpi.h
--- a/tboot/include/acpi.h
+++ b/tboot/include/acpi.h
@@ -492,6 +492,7 @@
 #endif
+extern bool vtd_bios_enabled(void);
 extern bool save_vtd_dmar_table(void);
 extern bool restore_vtd_dmar_table(void);
 extern bool remove_vtd_dmar_table(void);
diff --git a/tboot/txt/verify.c b/tboot/txt/verify.c
--- a/tboot/txt/verify.c
+++ b/tboot/txt/verify.c
@@ -372,6 +372,10 @@
 if ( err != TB_ERR_NONE )
 return err;
+ if ( !vtd_bios_enabled() ) {
+ return TB_ERR_VTD_NOT_SUPPORTED;
+ }
+
 /* check is TXT_RESET.STS is set, since if it is SENTER will fail */
 txt_ests_t ests = (txt_ests_t)read_pub_config_reg(TXTCR_ESTS);
 if ( ests.txt_reset_sts ) {
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
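Review bot: In tboot/txt/verify.c the new `vtd_bios_enabled()` check depends on the DMAR table being visible when this function runs, yet the acpi.h context declares `remove_vtd_dmar_table()` and `restore_vtd_dmar_table()`, so tboot itself can hide that table. If this function is also reached while the table is removed and not yet restored (the enclosing function and its callers are outside the hunk, so this is unconfirmed), the check would return `TB_ERR_VTD_NOT_SUPPORTED` and, per the new policy.c entry, downgrade to an unmeasured launch. Confirm the ordering on every path that reaches this check and record it above the check, for example `/* DMAR table must be visible here: runs before remove_vtd_dmar_table() or after restore_vtd_dmar_table() */`. The existing comment on the following context line also reads `check is TXT_RESET.STS`, which is probably meant to be `check if`.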