[tboot-devel] [PATCH] Downgrade MinMleHdr version from 2.3 to 2.2

michal . camacho . romero Thu, 29 Jan 2026 00:37:05 -0800

# HG changeset patch
# User Michal Camacho Romero <[email protected]>
# Date 1769639191 -3600
#      Wed Jan 28 23:26:31 2026 +0100
# Node ID 497c8178233de6e9ae636440abfc52be57c197fc
# Parent  5b577a02cec7f8ab1344d9f548cbf9af19f3ec00
Downgrade MinMleHdr version from 2.3 to 2.2


SINIT ACM supports only TPR, if MinMleHdr version is 2.3. Forcing PMRs will 
cause
SINIT ACM failure, if TPR support bit in the MLE capabilities will be disabled.
For this reason, TBOOT downgrades MinMleHdrVer from 2.3 to 2.2. In this case 
SINIT
ACM ignores TPR support settings.

diff -r 5b577a02cec7 -r 497c8178233d tboot/common/tboot.c
--- a/tboot/common/tboot.c      Tue Jan 13 13:02:48 2026 +0100
+++ b/tboot/common/tboot.c      Wed Jan 28 23:26:31 2026 +0100
@@ -353,7 +353,7 @@
 {
     tb_error_t err;
 
-    if (g_ldr_ctx->type == 0)        
+    if (g_ldr_ctx->type == 0)
         determine_loader_type(addr, magic);
 
     /* on pre-SENTER boot, copy command line to buffer in tboot image
@@ -400,7 +400,7 @@
 
     if (is_launched()) printk(TBOOT_INFO"SINIT ACM successfully 
returned...\n");
     if ( s3_flag ) printk(TBOOT_INFO"Resume from S3...\n");
-    
+
     /* RLM scaffolding
        if (g_ldr_ctx->type == 2)
        print_loader_ctx(g_ldr_ctx);
@@ -457,7 +457,14 @@
 
     //We need to have g_sinit point to SINIT ACM before we can run 
is_tpr_supported
     //This global variable decides whether PMR or TPR is used
-    g_tpr_support = is_tpr_supported(get_tboot_force_pmrs());
+    if (get_tboot_force_pmrs()) {
+        // Disable TPR support, if "force_pmrs" cmdline option was set
+        g_tpr_support = false;
+        force_pmrs_usage();
+    }
+    else {
+        g_tpr_support = is_tpr_supported();
+    }
 
     /* make TPM ready for measured launch */
     if (!tpm_detect())
diff -r 5b577a02cec7 -r 497c8178233d tboot/include/txt/txt.h
--- a/tboot/include/txt/txt.h   Tue Jan 13 13:02:48 2026 +0100
+++ b/tboot/include/txt/txt.h   Wed Jan 28 23:26:31 2026 +0100
@@ -60,8 +60,9 @@
 extern void txt_shutdown(void);
 extern bool txt_is_powercycle_required(void);
 extern void ap_wait(unsigned int cpuid);
+extern void force_pmrs_usage(void);
 extern int get_evtlog_type(void);
-extern bool is_tpr_supported(bool);
+extern bool is_tpr_supported(void);
 
 extern uint32_t g_using_da;
 extern bool     g_tpr_support;
diff -r 5b577a02cec7 -r 497c8178233d tboot/txt/txt.c
--- a/tboot/txt/txt.c   Tue Jan 13 13:02:48 2026 +0100
+++ b/tboot/txt/txt.c   Wed Jan 28 23:26:31 2026 +0100
@@ -835,51 +835,38 @@
     return sts.senter_done_sts;
 }
 
-bool is_tpr_supported(bool force_pmrs)
+bool is_tpr_supported(void)
 {
-    acm_info_table_t *info_table = NULL;
+    //Reads SINIT ACM capabilities field and returns tpr_support bit
+    //Needs g_sinit to be set.
     txt_caps_t sinit_caps;
 
     sinit_caps._raw = 0;
+
     if (g_sinit != NULL) {
         sinit_caps = get_sinit_capabilities(g_sinit);
     }
-    else {
-        return sinit_caps.tpr_support;
+
+    return sinit_caps.tpr_support;
+}
+
+void force_pmrs_usage(void)
+{
+    acm_info_table_t *info_table = get_acmod_info_table(g_sinit);
+    if (info_table == NULL) {
+        return;
     }
 
-    // Disable TPR support, if "force_pmrs" cmdline option was set
-    if (force_pmrs) {
-        info_table = get_acmod_info_table(g_sinit);
-        if (info_table == NULL) {
-            return sinit_caps.tpr_support;
-        }
+    if (info_table->min_mle_hdr_ver >= 0x00020003) {
+        printk(TBOOT_WARN"SINIT ACM has no support for PMR DMA Protection by 
default.\n");
+        printk(TBOOT_WARN"MinMleHeader version is downgraded to 2.2.\n");
+        info_table->min_mle_hdr_ver = 0x00020002;
+    }
 
-        if (info_table->min_mle_hdr_ver == 0x00020003) {
-            printk(TBOOT_INFO"MinMleHeader version is 2.3. "
-                             "Forcing PMRs is forbidden.\n");
-            return sinit_caps.tpr_support;
-        }
-        else {
-            if (info_table->min_mle_hdr_ver == 0x00020002) {
-                printk(TBOOT_INFO"MinMleHeader version is 2.2. "
-                                 "SINIT will ignore TPR support bit 14 in\n"
-                                 "OsSinit.Capabilities.\n");
-                return sinit_caps.tpr_support;
-            }
-            else {
-                g_force_pmrs = true;
-            }
-
-            g_mle_hdr.capabilities.tpr_support = 0;
-            printk(TBOOT_INFO"TPR Support disabled in the MLE 
capabilities.\n");
-
-            return g_mle_hdr.capabilities.tpr_support;
-        }
-    }
-    else {
-        return sinit_caps.tpr_support;
-    }
+    g_force_pmrs = true;
+    g_mle_hdr.capabilities.tpr_support = 0;
+    printk(TBOOT_INFO"TPR support disabled in the MLE capabilities.\n");
+    return;
 }
 
 tb_error_t txt_launch_environment(loader_ctx *lctx)



_______________________________________________
tboot-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tboot-devel

[tboot-devel] [PATCH] Downgrade MinMleHdr version from 2.3 to 2.2

Reply via email to