# HG changeset patch
# User Michal Camacho Romero <[email protected]>
# Date 1763628749 -3600
# Thu Nov 20 09:52:29 2025 +0100
# Node ID d512777179769bd322ea73adc560b9e85d63c893
# Parent 5220085b54dd5fb5f2e9f59766f14756b2062ebd
Enable to force PMR using, instead of TPRs
Provide a possibility to replace TPRs usage with PMRs, by setting the
additional TBOOT cmdline option "force_pmrs=true". It disables TPR
support bit in the ACM capabilities and the similar bit in the MLE
capabilities. This solution forced TBOOT and SINIT ACM to configure PMRs
as their protection ranges.
diff -r 5220085b54dd -r d51277717976 tboot/common/cmdline.c
--- a/tboot/common/cmdline.c Thu Apr 17 08:33:41 2025 -0400
+++ b/tboot/common/cmdline.c Thu Nov 20 09:52:29 2025 +0100
@@ -85,6 +85,7 @@
{ "measure_nv", "false" }, /* true|false */
{ "extpol", "sha256" }, /*agile|embedded|sha1|sha256|sm3|... */
{ "ignore_prev_err", "true"}, /* true|false */
+ { "force_pmrs", "false"}, /* true|false */
{ "force_tpm2_legacy_log", "false"}, /* true|false */
{ "save_vtd", "false"}, /* true|false */
{ "dump_memmap", "false"}, /* true|false */
@@ -541,6 +542,19 @@
}
}
+bool get_tboot_force_pmrs(void)
+{
+ const char *force_pmrs = get_option_val(g_tboot_cmdline_options,
+ g_tboot_param_values,
+ "force_pmrs");
+ if (force_pmrs != NULL && tb_strcmp(force_pmrs, "true"))
+ {
+ return true;
+ }
+
+ return false;
+}
+
bool get_tboot_force_tpm2_legacy_log(void)
{
const char *force_legacy_log =
diff -r 5220085b54dd -r d51277717976 tboot/common/tboot.c
--- a/tboot/common/tboot.c Thu Apr 17 08:33:41 2025 -0400
+++ b/tboot/common/tboot.c Thu Nov 20 09:52:29 2025 +0100
@@ -352,6 +352,7 @@
void begin_launch(void *addr, uint32_t magic)
{
tb_error_t err;
+ bool force_pmrs = false;
if (g_ldr_ctx->type == 0)
determine_loader_type(addr, magic);
@@ -454,10 +455,12 @@
if (!verify_acmod(g_sinit))
apply_policy(TB_ERR_ACMOD_VERIFY_FAILED);
}
-
+
+ force_pmrs = get_tboot_force_pmrs();
+
//We need to have g_sinit point to SINIT ACM before we can run
is_tpr_supported
//This global variable decides whether PMR or TPR is used
- g_tpr_support = is_tpr_supported();
+ g_tpr_support = is_tpr_supported(force_pmrs);
/* make TPM ready for measured launch */
if (!tpm_detect())
diff -r 5220085b54dd -r d51277717976 tboot/include/cmdline.h
--- a/tboot/include/cmdline.h Thu Apr 17 08:33:41 2025 -0400
+++ b/tboot/include/cmdline.h Thu Nov 20 09:52:29 2025 +0100
@@ -55,6 +55,7 @@
extern bool get_tboot_ignore_prev_err(void);
extern bool get_tboot_measure_nv(void);
extern void get_tboot_extpol(void);
+extern bool get_tboot_force_pmrs(void);
extern bool get_tboot_force_tpm2_legacy_log(void);
extern bool get_tboot_save_vtd(void);
extern bool get_tboot_dump_memmap(void);
diff -r 5220085b54dd -r d51277717976 tboot/include/txt/acmod.h
--- a/tboot/include/txt/acmod.h Thu Apr 17 08:33:41 2025 -0400
+++ b/tboot/include/txt/acmod.h Thu Nov 20 09:52:29 2025 +0100
@@ -202,6 +202,8 @@
extern txt_caps_t get_sinit_capabilities(const acm_hdr_t* hdr);
extern tpm_info_list_t *get_tpm_info_list(const acm_hdr_t* hdr);
extern void verify_IA32_se_svn_status(const acm_hdr_t *acm_hdr);
+extern acm_info_table_t *get_acmod_info_table(const acm_hdr_t* hdr);
+
#endif /* __TXT_ACMOD_H__ */
/*
diff -r 5220085b54dd -r d51277717976 tboot/include/txt/txt.h
--- a/tboot/include/txt/txt.h Thu Apr 17 08:33:41 2025 -0400
+++ b/tboot/include/txt/txt.h Thu Nov 20 09:52:29 2025 +0100
@@ -61,7 +61,7 @@
extern bool txt_is_powercycle_required(void);
extern void ap_wait(unsigned int cpuid);
extern int get_evtlog_type(void);
-extern bool is_tpr_supported(void);
+extern bool is_tpr_supported(bool);
extern uint32_t g_using_da;
extern bool g_tpr_support;
diff -r 5220085b54dd -r d51277717976 tboot/txt/acmod.c
--- a/tboot/txt/acmod.c Thu Apr 17 08:33:41 2025 -0400
+++ b/tboot/txt/acmod.c Thu Nov 20 09:52:29 2025 +0100
@@ -56,7 +56,7 @@
#include <tpm.h>
#endif /* IS_INCLUDED */
-static acm_info_table_t *get_acmod_info_table(const acm_hdr_t* hdr)
+acm_info_table_t *get_acmod_info_table(const acm_hdr_t* hdr)
{
uint32_t user_area_off;
diff -r 5220085b54dd -r d51277717976 tboot/txt/txt.c
--- a/tboot/txt/txt.c Thu Apr 17 08:33:41 2025 -0400
+++ b/tboot/txt/txt.c Thu Nov 20 09:52:29 2025 +0100
@@ -97,7 +97,7 @@
* this is the structure whose addr we'll put in TXT heap
* it needs to be within the MLE pages, so force it to the .text section
*/
-static __text const mle_hdr_t g_mle_hdr = {
+static __text mle_hdr_t g_mle_hdr = {
uuid : MLE_HDR_UUID,
length : sizeof(mle_hdr_t),
version : MLE_HDR_VER,
@@ -117,6 +117,23 @@
/* count of APs in WAIT-FOR-SIPI */
atomic_t ap_wfs_count;
+static void disable_tpr_support(const acm_hdr_t *hdr)
+{
+ // Disable TPR support in the SINIT ACM capabilities
+ acm_info_table_t *info_table = get_acmod_info_table(hdr);
+ if ( info_table == NULL || info_table->version < 3 ) {
+ printk(TBOOT_ERR"TPR support disabling process has failed\n");
+ }
+
+ info_table->capabilities.tpr_support = 0;
+ printk(TBOOT_INFO"TPR support has been disabled properly in SINIT ACM\n");
+
+ // Disable TPR support bit in the MLE capabilities
+ g_mle_hdr.capabilities.tpr_support = 0;
+
+ printk(TBOOT_INFO"MLE capabilities: 0x%X\n", g_mle_hdr.capabilities._raw);
+}
+
static void print_file_info(void)
{
printk(TBOOT_DETA"file addresses:\n");
@@ -824,7 +841,7 @@
return sts.senter_done_sts;
}
-bool is_tpr_supported(void)
+bool is_tpr_supported(bool force_pmrs)
{
//Reads SINIT ACM capabilities field and returns tpr_support bit
//Needs g_sinit to be set.
@@ -832,6 +849,12 @@
sinit_caps._raw = 0;
+ // Disable TPR support, if "force_pmrs" cmdline option was set
+ if (force_pmrs && g_sinit != NULL)
+ {
+ disable_tpr_support(g_sinit);
+ }
+
if (g_sinit != NULL) {
sinit_caps = get_sinit_capabilities(g_sinit);
}
_______________________________________________
tboot-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tboot-devel
