Framework AMD Laptops | Add BIOS option to enable AMD DRTM #195
Description
Device Information
System Model or SKU
- Framework Laptop 13 (AMD Ryzen™ 7040 Series)
(and probably other AMD laptops)
BIOS VERSION
JFP30.03.18 (AGESA ProenixPI-FP8-FP7 1.2.0.0e)
Describe the bug
There is no BIOS Setup option to enable AMD DRTM (Dynamic Root of Trust for Measurement), yet both CPU and chipset are capable of DRTM.
The PSP security processor is present and responding, but DRTM_CMD_GET_CAPABILITY (doc, page 15) responds with bit S (DRTM Enabled bit) = 0.
(DRTM is a secure launch technology using the SKINIT instruction - a hardware mechanism that establishes a new root of trust at runtime without requiring a full boot chain of trust)
Steps To Reproduce
Steps to reproduce the behavior:
- Checkout Trenchboot-meta from accek-itl/tb-dev-accek-test12
- Adjust grub prefix in
recipes-bsp/grub/grub-efi/cfg - Build:
kas-container build meta-trenchboot/kas-tb-full-initramfs.yml - Built artifacts will be in
build/tmp/deploy/images/genericx86-64 - Boot grub and use
grub.cfgpasted below
Observe drtm_enabled=0
Expected behavior
drtm_enabled=1
Screenshots
Operating System (please complete the following information):
meta-trenchboot
Version: custom AMD dev branch
Additional context
- The TrenchBoot project is actively working on bringing DRTM support to open-source software: Grub, Xen and Linux, and Framework laptops with AMD would be excellent platforms for this.
DRTM_CMD_GET_CAPABILITYsucceeds and even return a plausible version (indicating the PSP DRTM Trusted Application is loaded), so maybe enabling DRTM is a configuration change rather than a firmware feature addition.
Grub config
set debug="slaunch,loader,linux,multiboot_loader"
set xen_cmdline="console=vga,xhci dbgp=xhci@pcic1:00.2,share=yes conring_size=512k dom0_mem=min:512M dom0_mem=max:4096M ucode=scan smt=off gnttab_max_frames=2048 gnttab_max_maptrack_frames=4096 loglvl=all guest_loglvl=all"
set cmdline="panic=30 usbcore.autosuspend=-1 loglevel=8"
echo "SLAUNCH"
slaunch
efifb_info
echo "xen_cmdline: ${xen_cmdline}"
echo "cmdline: ${cmdline}"
echo "Loading xen ..."
multiboot2 ${prefix}/xen placeholder ${xen_cmdline}
echo "Loading linux ..."
module2 ${prefix}/bzImage ${cmdline}
echo "Loading initrd ..."
module2 ${prefix}/initrd
echo "Loading slaunch module ..."
slaunch_module ${prefix}/skl.bin
echo
echo "Booting in 5 seconds, press any key to stop..."
sleep --interruptible 5
if [ $? = 0 ]; then
echo "boot"
boot
else
echo "Cancelled by user"
fi