Hi Ning, You’re right that usually TXT and Vt-D are enabled together in the BIOS. However, it’s possible that due to errors in tooling, or because the system BIOS or settings were modified, the Vt-D setting is accidentally cleared. Tboot is good about checking for SMX and VMX, which makes it more robust. I thought that we should extend this check to Vt-D as well, so we can warn the user if the system is misconfigured. Right now there’s no way to know that, and you need to go check all the BIOS settings to see if you missed something.
Sahil

On 3/23/17, 10:15 PM, "Sun, Ning" <ning....@intel.com> wrote:

Generally, when VT-d is disabled in the BIOS, Intel TXT is also in a disabled state; tboot will boot into the kernel directly without triggering Getsec[senter]. Meanwhile, it looks like the testing method below is not sufficient to verify your patch, as current tboot can achieve your testing goal without the patch. What kind of issue does this patch try to fix?

-Ning

-----Original Message-----
From: Sahil Rihan [mailto:sri...@fb.com]
Sent: Thursday, March 23, 2017 5:15 PM
To: tboot-devel@lists.sourceforge.net
Subject: [tboot-devel] Detect if Vt-D is enabled

If Vt-D is disabled in the BIOS, the DMAR table is not present. We can look for this and skip trying to perform a measured launch. This behavior of a missing DMAR table may not be true for all platforms, but in any case if the DMAR table is not present the kernel will not be able to detect/reprogram the IOMMU along the tboot_force_iommu path. So either way this change should be helpful.

Testing:
Disable Vt-D, verify that measured launch is skipped.
Enable Vt-D, verify that measured launch is performed.

Signed-off-by: Sahil Rihan <sri...@fb.com>

diff --git a/include/tb_error.h b/include/tb_error.h --- a/include/tb_error.h +++ b/include/tb_error.h @@ -45,6 +45,7 @@ TB_ERR_TPM_NOT_READY, /* tpm not ready */ TB_ERR_SMX_NOT_SUPPORTED, /* smx not supported */ TB_ERR_VMX_NOT_SUPPORTED, /* vmx not supported */ + TB_ERR_VTD_NOT_SUPPORTED, /* Vt-D not enabled in BIOS */ TB_ERR_TXT_NOT_SUPPORTED, /* txt not supported */ TB_ERR_MODULE_VERIFICATION_FAILED, /* module failed to verify against diff --git a/tboot/common/acpi.c b/tboot/common/acpi.c --- a/tboot/common/acpi.c +++ b/tboot/common/acpi.c @@ -212,7 +212,7 @@ } } - printk(TBOOT_ERR"cann't find %s table.\n", table_name); + printk(TBOOT_ERR"can't find %s table.\n", table_name); return NULL; } 
@@ -221,6 +221,11 @@ return (struct acpi_dmar *)find_table(DMAR_SIG); } +bool vtd_bios_enabled(void) +{ + return find_table(DMAR_SIG) != NULL; } + bool save_vtd_dmar_table(void) { /* find DMAR table and save it */ diff --git a/tboot/common/policy.c b/tboot/common/policy.c --- a/tboot/common/policy.c +++ b/tboot/common/policy.c @@ -101,6 +101,7 @@ {TB_ERR_TPM_NOT_READY, TB_POLACT_UNMEASURED_LAUNCH}, {TB_ERR_SMX_NOT_SUPPORTED, TB_POLACT_UNMEASURED_LAUNCH}, {TB_ERR_VMX_NOT_SUPPORTED, TB_POLACT_UNMEASURED_LAUNCH}, + {TB_ERR_VTD_NOT_SUPPORTED, TB_POLACT_UNMEASURED_LAUNCH}, {TB_ERR_TXT_NOT_SUPPORTED, TB_POLACT_UNMEASURED_LAUNCH}, {TB_ERR_SINIT_NOT_PRESENT, TB_POLACT_UNMEASURED_LAUNCH}, {TB_ERR_ACMOD_VERIFY_FAILED, TB_POLACT_UNMEASURED_LAUNCH}, diff --git a/tboot/common/tb_error.c b/tboot/common/tb_error.c --- a/tboot/common/tb_error.c +++ b/tboot/common/tb_error.c @@ -81,6 +81,9 @@ case TB_ERR_VMX_NOT_SUPPORTED: printk(TBOOT_ERR"VMX not supported.\n"); break; + case TB_ERR_VTD_NOT_SUPPORTED: + printk(TBOOT_ERR"DMAR table not found. Check if Vt-D is enabled in BIOS.\n"); + break; case TB_ERR_TXT_NOT_SUPPORTED: printk(TBOOT_ERR"TXT not supported.\n"); break; diff --git a/tboot/include/acpi.h b/tboot/include/acpi.h --- a/tboot/include/acpi.h +++ b/tboot/include/acpi.h @@ -492,6 +492,7 @@ #endif +extern bool vtd_bios_enabled(void); extern bool save_vtd_dmar_table(void); extern bool restore_vtd_dmar_table(void); extern bool remove_vtd_dmar_table(void); diff --git a/tboot/txt/verify.c b/tboot/txt/verify.c --- a/tboot/txt/verify.c +++ b/tboot/txt/verify.c 
@@ -372,6 +372,10 @@ if ( err != TB_ERR_NONE ) return err; + if ( !vtd_bios_enabled() ) { + return TB_ERR_VTD_NOT_SUPPORTED; + } + /* check is TXT_RESET.STS is set, since if it is SENTER will fail */ txt_ests_t ests = (txt_ests_t)read_pub_config_reg(TXTCR_ESTS); if ( ests.txt_reset_sts ) {

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
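Review bot: in the include/tb_error.h hunk, TB_ERR_VTD_NOT_SUPPORTED is inserted in the middle of the enum (between TB_ERR_VMX_NOT_SUPPORTED and TB_ERR_TXT_NOT_SUPPORTED), which shifts the numeric value of every code after it; if those values are ever recorded, logged numerically or parsed outside a single tboot build, append the new code at the end of the enum instead. The name also says "not supported" while its comment says "Vt-D not enabled in BIOS"; the cover letter describes a configuration condition rather than a missing CPU feature, so a name such as TB_ERR_VTD_NOT_ENABLED would describe it more accurately and keep the tb_error.c message consistent with the enum.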
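Review bot: the first tboot/common/acpi.c hunk (@@ -212,7 +212,7 @@) only fixes the "cann't" typo in the printk and is unrelated to the VT-d detection; split it into its own patch so the functional change can be reviewed and reverted on its own.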
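Review bot: in the second tboot/common/acpi.c hunk (@@ -221,6 +221,11 @@), vtd_bios_enabled() duplicates the get_vtd_dmar_table() body shown directly above it, which already returns find_table(DMAR_SIG); write it as `return get_vtd_dmar_table() != NULL;` so there is one place that knows the DMAR signature. Since find_table() prints "can't find %s table." at TBOOT_ERR level on a miss, this caller will log that line and then the tb_error.c message as well; that is acceptable, but the function name promises more than the check delivers, and the cover letter itself says a missing DMAR table "may not be true for all platforms", so a comment at the definition stating that assumption is needed. Also, in the hunk as posted the closing brace of the new function appears as an unchanged "}" line rather than a "+" line; confirm the patch applies cleanly.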
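Review bot: in the tboot/common/policy.c hunk, mapping TB_ERR_VTD_NOT_SUPPORTED to TB_POLACT_UNMEASURED_LAUNCH means a platform whose VT-d setting was cleared (the scenario the cover letter describes) proceeds with an unmeasured launch rather than halting. That is consistent with the neighbouring SMX/VMX entries, but since the stated goal is to warn the user of a misconfiguration, the commit message should say explicitly that the default action is to fall back rather than fail, so that deployments which require a measured launch know to adjust their policy.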
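Review bot: in the tboot/common/tb_error.c hunk, the new message spells the feature "Vt-D" while the rest of the thread (and Intel) write "VT-d"; pick one spelling for the printk, the enum comment and the cover letter. The wording "DMAR table not found. Check if ... enabled in BIOS." is good because it names the symptom actually observed rather than asserting the cause.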
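Review bot: in the tboot/txt/verify.c hunk, the new vtd_bios_enabled() check carries no comment, unlike the TXT_RESET.STS check right after it; add one stating that absence of the DMAR table is being used as a proxy for VT-d being disabled and that this is a platform-dependent assumption (as the cover letter admits). Stylistically, the preceding line `if ( err != TB_ERR_NONE ) return err;` has no braces around a single return, while the new `if ( !vtd_bios_enabled() ) { return TB_ERR_VTD_NOT_SUPPORTED; }` does; match the surrounding style.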
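The detection idea in Sahil's original mail is "walk the ACPI tables, and treat a missing DMAR table as VT-d being off". The following is an added, self-contained example (not tboot's own code, and not part of the patch) of such a lookup with the checks a practitioner would want: it parses the XSDT, validates lengths and the ACPI byte checksum of both the XSDT and the candidate table, and only then reports the table as present, so a truncated or corrupted DMAR copy is treated the same as an absent one. It runs offline against a constructed firmware image in which the XSDT entries are byte offsets into the buffer rather than physical addresses; the image layout, the build_image() helper and the scenario_*() functions are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard ACPI System Description Table header (36 bytes). */
typedef struct __attribute__((packed)) {
    char     signature[4];
    uint32_t length;          /* total table length including this header */
    uint8_t  revision;
    uint8_t  checksum;        /* all bytes of the table sum to 0 mod 256 */
    char     oem_id[6];
    char     oem_table_id[8];
    uint32_t oem_revision;
    uint32_t creator_id;
    uint32_t creator_revision;
} acpi_header_t;

/* Byte checksum over a table; a valid table yields 0. */
static uint8_t acpi_checksum(const uint8_t *p, uint32_t len) {
    uint8_t sum = 0;
    for (uint32_t i = 0; i < len; i++) sum += p[i];
    return sum;
}

/* Find a table by 4-byte signature via the XSDT at xsdt_off inside image.
   Assumption for this offline example: XSDT entries are offsets into image,
   not physical addresses. Returns NULL if the table is missing, truncated or
   fails its checksum, or if the XSDT itself is invalid. */
const acpi_header_t *acpi_find_table(const uint8_t *image, size_t image_len,
                                     uint64_t xsdt_off, const char sig[4]) {
    if (xsdt_off + sizeof(acpi_header_t) > image_len) return NULL;
    const acpi_header_t *xsdt = (const acpi_header_t *)(image + xsdt_off);
    if (memcmp(xsdt->signature, "XSDT", 4) != 0) return NULL;
    if (xsdt->length < sizeof(acpi_header_t) || xsdt_off + xsdt->length > image_len) return NULL;
    if (acpi_checksum((const uint8_t *)xsdt, xsdt->length) != 0) return NULL;

    uint32_t n = (uint32_t)((xsdt->length - sizeof(acpi_header_t)) / sizeof(uint64_t));
    const uint8_t *entries = (const uint8_t *)xsdt + sizeof(acpi_header_t);
    for (uint32_t i = 0; i < n; i++) {
        uint64_t off;
        memcpy(&off, entries + i * sizeof(uint64_t), sizeof(off)); /* entries are unaligned */
        if (off + sizeof(acpi_header_t) > image_len) continue;      /* dangling pointer */
        const acpi_header_t *t = (const acpi_header_t *)(image + off);
        if (memcmp(t->signature, sig, 4) != 0) continue;
        if (t->length < sizeof(acpi_header_t) || off + t->length > image_len) continue;
        if (acpi_checksum((const uint8_t *)t, t->length) != 0) continue; /* corrupt table */
        return t;
    }
    return NULL;
}

/* The check the patch performs, with validation: DMAR present and intact. */
bool vtd_dmar_present(const uint8_t *image, size_t image_len, uint64_t xsdt_off) {
    return acpi_find_table(image, image_len, xsdt_off, "DMAR") != NULL;
}

/* ---- constructed test image (sample data, not captured from real firmware) ---- */
#define IMG_LEN 0x300

/* Write a header with a body of zeros and set the checksum byte (offset 9). */
static void put_table(uint8_t *p, const char sig[4], uint32_t length) {
    acpi_header_t h;
    memset(&h, 0, sizeof h);
    memcpy(h.signature, sig, 4);
    h.length = length;
    h.revision = 1;
    memcpy(h.oem_id, "EXAMPL", 6);
    memcpy(h.oem_table_id, "CONSTRCT", 8);
    memcpy(p, &h, sizeof h);
    p[9] = (uint8_t)(0u - acpi_checksum(p, length));
}

/* Layout: XSDT at 0x000, dummy FACP at 0x100, optional DMAR at 0x200. */
size_t build_image(uint8_t *img, bool with_dmar, bool corrupt_dmar) {
    memset(img, 0, IMG_LEN);
    uint32_t n = with_dmar ? 2 : 1;
    uint64_t offs[2] = { 0x100, 0x200 };
    memcpy(img + sizeof(acpi_header_t), offs, n * sizeof(uint64_t)); /* before checksum */
    put_table(img, "XSDT", (uint32_t)(sizeof(acpi_header_t) + n * sizeof(uint64_t)));
    put_table(img + 0x100, "FACP", 0x40);
    if (with_dmar) {
        put_table(img + 0x200, "DMAR", 0x30);
        if (corrupt_dmar) img[0x200 + 0x28] ^= 0xFF; /* body byte flipped: checksum fails */
    }
    return IMG_LEN;
}

/* Scenarios returning the detection result so they can be asserted on. */
int scenario_dmar_present(void) { uint8_t img[IMG_LEN]; size_t n = build_image(img, true,  false); return vtd_dmar_present(img, n, 0); }
int scenario_dmar_absent(void)  { uint8_t img[IMG_LEN]; size_t n = build_image(img, false, false); return vtd_dmar_present(img, n, 0); }
int scenario_dmar_corrupt(void) { uint8_t img[IMG_LEN]; size_t n = build_image(img, true,  true);  return vtd_dmar_present(img, n, 0); }

int main(void) {
    printf("DMAR present: %d, absent: %d, corrupt: %d\n",
           scenario_dmar_present(), scenario_dmar_absent(), scenario_dmar_corrupt());
    return 0;
}
```

The corrupt-table scenario is the reason to validate rather than just match the signature: a DMAR table that is present but fails its checksum is exactly what a firmware-level tampering or a truncated table copy would look like, and a loader that skipped the checksum would go on to hand that table to the measured-launch path.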