Generally, when VT-d is disabled in the BIOS, Intel TXT is also in a disabled state, and tboot will boot into the kernel directly without triggering Getsec[senter].
Meanwhile, it looks like the testing method below is not sufficient to verify your patch, as current tboot can already achieve your testing goal without the patch.
What kind of issue does this patch try to fix?

-Ning

-----Original Message-----
From: Sahil Rihan [mailto:sri...@fb.com] 
Sent: Thursday, March 23, 2017 5:15 PM
To: tboot-devel@lists.sourceforge.net
Subject: [tboot-devel] Detect if Vt-D is enabled

If Vt-D is disabled in the BIOS, the DMAR table is not present.
We can look for this and skip trying to perform a measured launch. This
behavior (a missing DMAR table) may not hold on all platforms, but in any
case, if the DMAR table is not present, the kernel will not be able to
detect/reprogram the IOMMU along the tboot_force_iommu path. So either way this
change should be helpful.

Testing:  Disable Vt-D, verify that measured launch is skipped. Enable Vt-D, 
verify that measured launch is performed.


Signed-off-by: Sahil Rihan <sri...@fb.com> 


diff --git a/include/tb_error.h b/include/tb_error.h
--- a/include/tb_error.h
+++ b/include/tb_error.h
@@ -45,6 +45,7 @@
     TB_ERR_TPM_NOT_READY,                   /* tpm not ready */
     TB_ERR_SMX_NOT_SUPPORTED,               /* smx not supported */
     TB_ERR_VMX_NOT_SUPPORTED,               /* vmx not supported */
+    TB_ERR_VTD_NOT_SUPPORTED,               /* Vt-D not enabled in BIOS */
     TB_ERR_TXT_NOT_SUPPORTED,               /* txt not supported */
 
     TB_ERR_MODULE_VERIFICATION_FAILED,      /* module failed to verify against
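Review bot: Inserting TB_ERR_VTD_NOT_SUPPORTED between TB_ERR_VMX_NOT_SUPPORTED and TB_ERR_TXT_NOT_SUPPORTED renumbers every enumerator that follows, since no explicit values are visible in this hunk; if any TB_ERR_* code is logged numerically, stored, or interpreted outside tboot, that is a silent change of the numeric codes, and appending the new value at the end of the enum would avoid it. The name says "not supported" while the comment and the tb_error.c message describe "not enabled in BIOS", which are different conditions for an operator reading the log. A comment such as `/* no DMAR table found: VT-d appears disabled in BIOS (heuristic, see vtd_bios_enabled()) */` would keep that distinction next to the definition.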
diff --git a/tboot/common/acpi.c b/tboot/common/acpi.c
--- a/tboot/common/acpi.c
+++ b/tboot/common/acpi.c
@@ -212,7 +212,7 @@
         }
     }
 
-    printk(TBOOT_ERR"cann't find %s table.\n", table_name);
+    printk(TBOOT_ERR"can't find %s table.\n", table_name);
     return NULL;
 }
 
@@ -221,6 +221,11 @@
     return (struct acpi_dmar *)find_table(DMAR_SIG);
 }
 
+bool vtd_bios_enabled(void)
+{
+    return find_table(DMAR_SIG) != NULL; }
+
 bool save_vtd_dmar_table(void)
 {
     /* find DMAR table and save it */
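Review bot: vtd_bios_enabled() carries no comment, and its name promises more than the body delivers: it only reports whether find_table(DMAR_SIG) located a DMAR table, which the commit description itself says may not reflect the VT-d setting on every platform. A header comment such as `/* Heuristic: an absent DMAR table is taken to mean VT-d is disabled in BIOS; not guaranteed on all platforms */` would record that for the next reader. It also repeats the find_table(DMAR_SIG) lookup that the accessor on the preceding context line already performs; calling that accessor instead would keep the two in step if the lookup ever changes.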
diff --git a/tboot/common/policy.c b/tboot/common/policy.c
--- a/tboot/common/policy.c
+++ b/tboot/common/policy.c
@@ -101,6 +101,7 @@
           {TB_ERR_TPM_NOT_READY,               TB_POLACT_UNMEASURED_LAUNCH},
           {TB_ERR_SMX_NOT_SUPPORTED,           TB_POLACT_UNMEASURED_LAUNCH},
           {TB_ERR_VMX_NOT_SUPPORTED,           TB_POLACT_UNMEASURED_LAUNCH},
+          {TB_ERR_VTD_NOT_SUPPORTED,           TB_POLACT_UNMEASURED_LAUNCH},
           {TB_ERR_TXT_NOT_SUPPORTED,           TB_POLACT_UNMEASURED_LAUNCH},
           {TB_ERR_SINIT_NOT_PRESENT,           TB_POLACT_UNMEASURED_LAUNCH},
           {TB_ERR_ACMOD_VERIFY_FAILED,         TB_POLACT_UNMEASURED_LAUNCH},
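Review bot: Mapping TB_ERR_VTD_NOT_SUPPORTED to TB_POLACT_UNMEASURED_LAUNCH means that any cause of a missing DMAR table, not only the BIOS setting, now results in an unmeasured boot rather than a halt; that is consistent with the neighbouring entries, but it is the policy decision of this patch and deserves one sentence in the commit description so that operators who rely on the measured launch understand why it may be skipped. The enclosing table starts and ends outside the hunk.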
diff --git a/tboot/common/tb_error.c b/tboot/common/tb_error.c
--- a/tboot/common/tb_error.c
+++ b/tboot/common/tb_error.c
@@ -81,6 +81,9 @@
         case TB_ERR_VMX_NOT_SUPPORTED:
             printk(TBOOT_ERR"VMX not supported.\n");
             break;
+        case TB_ERR_VTD_NOT_SUPPORTED:
+            printk(TBOOT_ERR"DMAR table not found. Check if Vt-D is enabled in BIOS.\n");
+            break;
         case TB_ERR_TXT_NOT_SUPPORTED:
             printk(TBOOT_ERR"TXT not supported.\n");
             break;
diff --git a/tboot/include/acpi.h b/tboot/include/acpi.h
--- a/tboot/include/acpi.h
+++ b/tboot/include/acpi.h
@@ -492,6 +492,7 @@
 
 #endif
 
+extern bool vtd_bios_enabled(void);
 extern bool save_vtd_dmar_table(void);
 extern bool restore_vtd_dmar_table(void);
 extern bool remove_vtd_dmar_table(void);
diff --git a/tboot/txt/verify.c b/tboot/txt/verify.c
--- a/tboot/txt/verify.c
+++ b/tboot/txt/verify.c
@@ -372,6 +372,10 @@
     if ( err != TB_ERR_NONE )
         return err;
 
+    if ( !vtd_bios_enabled() ) {
+        return TB_ERR_VTD_NOT_SUPPORTED;
+    }
+
     /* check is TXT_RESET.STS is set, since if it is SENTER will fail */
     txt_ests_t ests = (txt_ests_t)read_pub_config_reg(TXTCR_ESTS);
     if ( ests.txt_reset_sts ) {
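Review bot: The new check returns before the TXT_RESET.STS test with no comment saying why an absent DMAR table blocks the launch; the enclosing function starts and ends outside the hunk. I would put `/* no DMAR table: VT-d is presumably disabled in BIOS and the kernel could not program the IOMMU via tboot_force_iommu, so skip the measured launch */` above the if. It is also worth confirming the call order against remove_vtd_dmar_table(), declared in the acpi.h hunk: if this function can run after tboot has unlinked the DMAR table, find_table(DMAR_SIG) would return NULL and a VT-d-enabled platform would be reported as TB_ERR_VTD_NOT_SUPPORTED. Finally, the braces around a one-line body differ from the `if ( err != TB_ERR_NONE )` form two lines above in the same function.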



