Intel TXT not working

Open filipleple opened this issue 5 months ago • 4 comments

Component

Dasharo firmware

Device

NovaCustom NV4x 12th Gen

Dasharo version

4eed42d318e3ce580b2763242d0a4f12f36ce840

Dasharo Tools Suite version

No response

Test case ID

CBNT006.101

Brief summary

TXT fails with [ERROR] GETSEC not enabled in IA32_FEATURE_CONTROL MSR

S-ACM Startup Success is NO in CBNT menu

[INFO ]  TEE-TXT: State of ACM and ucode update:
[INFO ]  TEE-TXT: Chipset Key Hash 0x1d3d9ebf9c8f9a87e634de6dd79adc1234db39c7643640aa3aae33e00b8f857b
[INFO ]  TEE-TXT: DIDVID 0xb00c8086
[INFO ]  TEE-TXT: production fused chipset: true
[INFO ]  TEE-TXT: Validate TEE...
[DEBUG]  TEE-TXT: CPU supports SMX: true
[DEBUG]  TEE-TXT: CPU supports VMX: true
[DEBUG]  TEE-TXT: IA32_FEATURE_CONTROL
[DEBUG]   VMXON in SMX enable: false
[DEBUG]   VMXON outside SMX enable: true
[DEBUG]   register is locked: true
[DEBUG]   GETSEC (all instructions) is enabled: false
[ERROR]  TEE-TXT: Failed to prepare TXT environment

Also happens when just enabling TXT, without IBG/CBNT support

How reproducible

100%

How to reproduce

Build and run NV41PZ, with or without CBnT support and IBG provisioning

Expected behavior

No errors, TXT works

Actual behavior

[ERROR] GETSEC not enabled in IA32_FEATURE_CONTROL MSR, TXT doesn't work

Screenshots

No response

Additional context

No response

Solutions you've tried

No response

filipleple avatar Oct 15 '25 12:10 filipleple
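
The check that fails in the log above, as an added example that is not part of the original issue or of Dasharo's code: it decodes IA32_FEATURE_CONTROL (MSR 0x3A) using the Intel SDM bit layout and shows why a register that is locked with the SENTER bits clear can only be corrected by firmware before the lock is set. The value 0x5 is constructed from the flags printed in the log, and the function and enum names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* IA32_FEATURE_CONTROL (MSR 0x3A) bit layout per the Intel SDM. */
#define FC_LOCK          (1ULL << 0)    /* once set, MSR is read-only until reset */
#define FC_VMXON_IN_SMX  (1ULL << 1)
#define FC_VMXON_OUT_SMX (1ULL << 2)
#define FC_SENTER_LOCAL  (0x7FULL << 8) /* bits 14:8, SENTER local function enables */
#define FC_SENTER_GLOBAL (1ULL << 15)   /* SENTER global enable */

/* Hypothetical classification used only by this example. */
enum txt_msr_state {
    TXT_MSR_READY,         /* locked with all GETSEC enables set */
    TXT_MSR_UNLOCKED,      /* firmware left it unlocked; still writable */
    TXT_MSR_LOCKED_NO_TXT  /* locked without GETSEC: firmware change + reset needed */
};

/* "GETSEC (all instructions) is enabled" means every bit in 15:8 is set. */
static bool getsec_all_enabled(uint64_t msr)
{
    uint64_t need = FC_SENTER_LOCAL | FC_SENTER_GLOBAL;
    return (msr & need) == need;
}

static enum txt_msr_state classify_feature_control(uint64_t msr)
{
    if (!(msr & FC_LOCK))
        return TXT_MSR_UNLOCKED;
    return getsec_all_enabled(msr) ? TXT_MSR_READY : TXT_MSR_LOCKED_NO_TXT;
}

int main(void)
{
    /* Constructed from the log: lock=1, VMXON in SMX=0,
       VMXON outside SMX=1, all SENTER bits clear. */
    uint64_t reported = 0x5;
    static const char *names[] = { "ready", "unlocked", "locked without TXT" };

    printf("register is locked:  %d\n", !!(reported & FC_LOCK));
    printf("VMXON in SMX:        %d\n", !!(reported & FC_VMXON_IN_SMX));
    printf("VMXON outside SMX:   %d\n", !!(reported & FC_VMXON_OUT_SMX));
    printf("GETSEC all enabled:  %d\n", getsec_all_enabled(reported));
    printf("state: %s\n", names[classify_feature_control(reported)]);
    return 0;
}
```

Because the lock bit is already set in the reported state, writing the MSR from the OS would fault; the enables have to be programmed earlier in boot.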

Which exact processor? Not all support TXT, only vPro ones. I'm certainly sure that there is an ancient ticket with something similar to this.

zirblazer avatar Oct 15 '25 13:10 zirblazer

It's the i7-1260P:

[DEBUG]  CPU: 12th Gen Intel(R) Core(TM) i7-1260P
[DEBUG]  CPU: ID 906a3, Alderlake L0 Platform, ucode: 00000437
[DEBUG]  CPU: AES supported, TXT supported, VT supported

Looks like it should support TXT.

filipleple avatar Oct 16 '25 06:10 filipleple

@miczyg1 has already demonstrated TXT on this machine in the past (with legacy boot): https://www.youtube.com/watch?v=5ieNhbLLTIU&list=PLuISieMwVBpJmIaHgyv7yKDwrHpqym9Qh&index=8

macpijan avatar Oct 16 '25 06:10 macpijan

You can't have TXT without enabling CBNT.

  1. You need to set TXTSupported bit in the ME, and basically do almost all the stuff that is done for IBG provisioning.
  2. You need to generate manifests with TXT element.
  3. You need to add ACMs.
  4. coreboot has to enable Intel TXT.
  5. One has to set FSP UPD parameters to enable TXT, otherwise the CPU feature bits won't be programmed properly.

You still haven't integrated my changes for ADL TXT from the other branches: https://github.com/Dasharo/coreboot/tree/vp6670_txt https://github.com/Dasharo/coreboot/tree/vp6670_txt_4.21

You only integrated TXT for MTL by looking at dasharo branch in coreboot repo. How can you expect it to work?

miczyg1 avatar Oct 16 '25 11:10 miczyg1