[tboot-devel] [PATCH 4 of 4] Verify MinMleHeader version, before TPR support disabling

[michal . camacho . romero]

# HG changeset patch
# User Michal Camacho Romero <michal.camacho.rom...@linux.intel.com>
# Date 1768305768 -3600
#      Tue Jan 13 13:02:48 2026 +0100
# Node ID 5b577a02cec7f8ab1344d9f548cbf9af19f3ec00
# Parent  f24ac8c37095e6a0ffb2f781ad2202656a249caa
Verify MinMleHeader version, before TPR support disabling

Before TBOOT disables TPR support bits in the OsSinit.Capabilities and 
MleHeader.Capabilities,
it needs to verify if the MinMleHeader version is not equal both to the v2.2 
and v2.3.
In case, when minimal MLE Header version is 2.2, then SINIT treats TprSupport 
bit in OsSinit.Capabilities
as reserved field and ignores it. However, when MinMleHeader version is 2.3, it 
means that SINIT supports
only TPRs as memory protection mechanism and it will abort MLE execution if TPR 
support bit is disabled in MLE
Header. From these reasons, TBOOT needs to verify MinMleHeader, before it 
forces PMR usage by SINIT ACM.

In the case, when the force_pmrs option isn't used, function returnes TPR 
support bit value from the SINIT ACM capabilities.

diff -r f24ac8c37095 -r 5b577a02cec7 tboot/txt/txt.c
--- a/tboot/txt/txt.c   Wed Jan 07 16:45:20 2026 +0100
+++ b/tboot/txt/txt.c   Tue Jan 13 13:02:48 2026 +0100
@@ -837,15 +837,49 @@
 
 bool is_tpr_supported(bool force_pmrs)
 {
-    // Disable TPR support, if "force_pmrs" cmdline option was set
-    if (force_pmrs)
-    {
-        g_force_pmrs = true;
-        g_mle_hdr.capabilities.tpr_support = 0;
-        printk(TBOOT_INFO"TPR Support disabled in the MLE capabilities.\n");
+    acm_info_table_t *info_table = NULL;
+    txt_caps_t sinit_caps;
+
+    sinit_caps._raw = 0;
+    if (g_sinit != NULL) {
+        sinit_caps = get_sinit_capabilities(g_sinit);
+    }
+    else {
+        return sinit_caps.tpr_support;
     }
 
-    return g_mle_hdr.capabilities.tpr_support;
+    // Disable TPR support, if "force_pmrs" cmdline option was set
+    if (force_pmrs) {
+        info_table = get_acmod_info_table(g_sinit);
+        if (info_table == NULL) {
+            return sinit_caps.tpr_support;
+        }
+
+        if (info_table->min_mle_hdr_ver == 0x00020003) {
+            printk(TBOOT_INFO"MinMleHeader version is 2.3. "
+                             "Forcing PMRs is forbidden.\n");
+            return sinit_caps.tpr_support;
+        }
+        else {
+            if (info_table->min_mle_hdr_ver == 0x00020002) {
+                printk(TBOOT_INFO"MinMleHeader version is 2.2. "
+                                 "SINIT will ignore TPR support bit 14 in\n"
+                                 "OsSinit.Capabilities.\n");
+                return sinit_caps.tpr_support;
+            }
+            else {
+                g_force_pmrs = true;
+            }
+
+            g_mle_hdr.capabilities.tpr_support = 0;
+            printk(TBOOT_INFO"TPR Support disabled in the MLE 
capabilities.\n");
+
+            return g_mle_hdr.capabilities.tpr_support;
+        }
+    }
+    else {
+        return sinit_caps.tpr_support;
+    }
 }
 
 tb_error_t txt_launch_environment(loader_ctx *lctx)



_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel