search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
util/intelmetool: Fix crash on strict devmem kernels
[coreboot.git] / util / intelmetool / intelmetool.c
blobbc5f26c4b51dee85d2de442ce085d76d4cf6ed32
1 /* intelmetool Dump interesting things about Management Engine even if hidden
2 * Copyright (C) 2014 Damien Zammit <damien@zamaudio.com>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; version 2 of the License.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 */
13
14 #include <stdio.h>
15 #include <inttypes.h>
16 #include <stdlib.h>
17 #include <getopt.h>
18 #include <unistd.h>
19 #include <string.h>
20 #include <cpuid.h>
21 #include <sys/io.h>
22
23 #ifdef __NetBSD__
24 #include <machine/sysarch.h>
25 #endif
26
27 #include "intelmetool.h"
28 #include "me.h"
29 #include "mmap.h"
30 #include "msr.h"
31 #include "rcba.h"
32
33 extern int fd_mem;
34 int debug = 0;
35
36 static uint32_t fd2 = 0;
37 static int ME_major_ver = 0;
38 static int ME_minor_ver = 0;
39
40 static void dumpmem(uint8_t *phys, uint32_t size)
41 {
42 uint32_t i;
43 printf("Dumping cloned ME memory:\n");
44 for (i = 0; i < size; i++) {
45 printf("%02X",*((uint8_t *) (phys + i)));
46 }
47 printf("\n");
48 }
49
50 static void zeroit(uint8_t *phys, uint32_t size)
51 {
52 uint32_t i;
53 for (i = 0; i < size; i++) {
54 *((uint8_t *) (phys + i)) = 0x00;
55 }
56 }
57
58 static void dumpmemfile(uint8_t *phys, uint32_t size)
59 {
60 FILE *fp = fopen("medump.bin", "w");
61 uint32_t i;
62 for (i = 0; i < size; i++) {
63 fprintf(fp, "%c", *((uint8_t *) (phys + i)));
64 }
65 fclose(fp);
66 }
67
68 static int isCPUGenuineIntel(void)
69 {
70 regs_t regs;
71 unsigned int level = 0;
72 unsigned int eax = 0;
73
74 __get_cpuid(level, &eax, &regs.ebx, &regs.ecx, &regs.edx);
75
76 return !strncmp((char *)&regs, "GenuineIntel", CPU_ID_SIZE-1);
77 }
78
79 /* You need >4GB total ram, in kernel cmdline, use 'mem=1000m'
80 * then this code will clone to absolute memory address 0xe0000000
81 * which can be read using a mmap tool at that offset.
82 * Real ME memory is located around top of memory minus 64MB. (I think)
83 * so we avoid cloning to this part.
84 */
85 static void dump_me_memory(void)
86 {
87 uintptr_t me_clone = 0x60000000;
88 uint8_t *dump;
89
90 dump = map_physical_exact((off_t)me_clone, (void *)me_clone, 0x2000000);
91 if (dump == NULL) {
92 printf("Could not map ME memory\n");
93 return;
94 }
95 zeroit(dump, 0x2000000);
96 printf("Send magic command for memory clone\n");
97
98 mei_reset();
99 usleep(ME_COMMAND_DELAY);
100 void* ptr = &me_clone;
101 int err = mkhi_debug_me_memory(ptr);
102
103 if (!err) {
104 printf("Wait a second...");
105 usleep(ME_COMMAND_DELAY);
106 printf("done\n\nHere are the first bytes:\n");
107 dumpmemfile(dump, 0x2000000);
108 //printf("Try reading 0x%zx with other mmap tool...\n"
109 // "Press enter to quit, you only get one chance to run"
110 // "this tool before reboot required for some reason\n",
111 // me_clone);
112 while (getc(stdin) != '\n') {};
113 unmap_physical(dump, 0x2000000);
114 }
115 }
116
117 static int pci_platform_scan(void)
118 {
119 struct pci_access *pacc;
120 struct pci_dev *dev;
121 char namebuf[1024];
122 const char *name;
123
124 pacc = pci_alloc();
125 pacc->method = PCI_ACCESS_I386_TYPE1;
126
127 pci_init(pacc);
128 pci_scan_bus(pacc);
129
130 for (dev=pacc->devices; dev; dev=dev->next) {
131 pci_fill_info(dev, PCI_FILL_IDENT | PCI_FILL_BASES |
132 PCI_FILL_SIZES | PCI_FILL_CLASS);
133 name = pci_lookup_name(pacc, namebuf, sizeof(namebuf),
134 PCI_LOOKUP_DEVICE, dev->vendor_id, dev->device_id);
135 if (name == NULL)
136 name = "<unknown>";
137 if (dev->vendor_id != PCI_VENDOR_ID_INTEL)
138 continue;
139
140 if (PCI_DEV_HAS_ME_DISABLE(dev->device_id)) {
141 printf(CGRN "Good news, you have a `%s` so ME is "
142 "present but can be disabled, continuing...\n\n"
143 RESET, name);
144 break;
145 } else if (PCI_DEV_HAS_ME_DIFFICULT(dev->device_id)) {
146 printf(CRED "Bad news, you have a `%s` so you have ME "
147 "hardware on board and you can't control or "
148 "disable it, continuing...\n\n" RESET, name);
149 break;
150 } else if (PCI_DEV_CAN_DISABLE_ME_IF_PRESENT(dev->device_id)) {
151 printf(CYEL "Not sure if ME hardware is present "
152 "because you have a `%s`, but it is possible to "
153 "disable it if you do, continuing...\n\n" RESET,
154 name);
155 break;
156 } else if (PCI_DEV_ME_NOT_SURE(dev->device_id)) {
157 printf(CYEL "Found `%s`. Not sure whether you have ME "
158 "hardware, exiting\n\n" RESET, name);
159 pci_cleanup(pacc);
160 return 1;
161 }
162 }
163
164 if (dev != NULL &&
165 !PCI_DEV_HAS_ME_DISABLE(dev->device_id) &&
166 !PCI_DEV_HAS_ME_DIFFICULT(dev->device_id) &&
167 !PCI_DEV_CAN_DISABLE_ME_IF_PRESENT(dev->device_id) &&
168 !PCI_DEV_ME_NOT_SURE(dev->device_id)) {
169 printf(CCYN "ME is not present on your board or unknown\n\n"
170 RESET);
171 pci_cleanup(pacc);
172 return 1;
173 }
174
175 pci_cleanup(pacc);
176
177 return 0;
178 }
179
180 static int activate_me(void)
181 {
182 if (read_rcba32(FD2, &fd2)) {
183 printf("Error reading RCBA\n");
184 return 1;
185 }
186 if (write_rcba32(FD2, fd2 & ~0x2)) {
187 printf("Error writing RCBA\n");
188 return 1;
189 }
190 if (debug) {
191 if (fd2 & 0x2)
192 printf("MEI was hidden on PCI, now unlocked\n");
193 else
194 printf("MEI not hidden on PCI, checking if visible\n");
195 }
196 return 0;
197 }
198
199 static void rehide_me(void)
200 {
201 if (fd2 & 0x2) {
202 if (debug)
203 printf("Re-hiding MEI device...");
204 if (read_rcba32(FD2, &fd2)) {
205 printf("Error reading RCBA\n");
206 return;
207 }
208 if (write_rcba32(FD2, fd2 | 0x2)) {
209 printf("Error writing RCBA\n");
210 return;
211 }
212 if (debug)
213 printf("done\n");
214 }
215 }
216
217 static struct pci_dev *pci_me_interface_scan(const char **name, char *namebuf,
218 int namebuf_size)
219 {
220 struct pci_access *pacc;
221 struct pci_dev *dev;
222 int me = 0;
223
224 pacc = pci_alloc();
225 pacc->method = PCI_ACCESS_I386_TYPE1;
226
227 pci_init(pacc);
228 pci_scan_bus(pacc);
229
230 for (dev=pacc->devices; dev; dev=dev->next) {
231 pci_fill_info(dev, PCI_FILL_IDENT | PCI_FILL_BASES |
232 PCI_FILL_SIZES | PCI_FILL_CLASS);
233 *name = pci_lookup_name(pacc, namebuf, namebuf_size,
234 PCI_LOOKUP_DEVICE, dev->vendor_id, dev->device_id);
235 if (dev->vendor_id != PCI_VENDOR_ID_INTEL)
236 continue;
237
238 if (PCI_DEV_HAS_SUPPORTED_ME(dev->device_id)) {
239 me = 1;
240 break;
241 }
242 }
243
244 if (!me) {
245 rehide_me();
246
247 printf("MEI device not found\n");
248 pci_cleanup(pacc);
249 return NULL;
250 }
251
252 return dev;
253 }
254
255 static void dump_me_info(void)
256 {
257 struct pci_dev *dev;
258 uint32_t stat, stat2;
259 char namebuf[1024];
260 const char *name = NULL;
261
262 if (pci_platform_scan())
263 exit(1);
264
265 if (activate_me())
266 exit(1);
267
268 dev = pci_me_interface_scan(&name, namebuf, sizeof(namebuf));
269 if (!dev)
270 exit(1);
271
272 if (name == NULL)
273 name = "<unknown>";
274
275 printf("MEI found: [%x:%x] %s\n\n",
276 dev->vendor_id, dev->device_id, name);
277 stat = pci_read_long(dev, 0x40);
278 printf("ME Status : 0x%x\n", stat);
279 stat2 = pci_read_long(dev, 0x48);
280 printf("ME Status 2 : 0x%x\n\n", stat2);
281
282 intel_me_status(stat, stat2);
283 printf("\n");
284 intel_me_extend_valid(dev);
285 printf("\n");
286
287 if (stat & 0xf000)
288 printf("ME: has a broken implementation on your board with"
289 "this firmware\n");
290
291 if (intel_mei_setup(dev))
292 goto out;
293 usleep(ME_COMMAND_DELAY);
294 mei_reset();
295 usleep(ME_COMMAND_DELAY);
296 if (mkhi_get_fw_version(&ME_major_ver, &ME_minor_ver))
297 goto out;
298 usleep(ME_COMMAND_DELAY);
299 mei_reset();
300 usleep(ME_COMMAND_DELAY);
301 if (mkhi_get_fwcaps())
302 goto out;
303 usleep(ME_COMMAND_DELAY);
304
305 out:
306 rehide_me();
307 }
308
309 static void dump_bootguard_info(void)
310 {
311 struct pci_dev *dev;
312 char namebuf[1024];
313 const char *name;
314 uint64_t bootguard = 0;
315
316 if (pci_platform_scan())
317 exit(1);
318
319 if (activate_me())
320 exit(1);
321
322 dev = pci_me_interface_scan(&name, namebuf, sizeof(namebuf));
323 if (!dev) {
324 printf("Can't access ME PCI device\n");
325 return;
326 }
327
328 if (debug) {
329 printf("BootGuard MSR Output: 0x%" PRIx64 "\n", bootguard);
330 bootguard &= ~0xff;
331 }
332
333 /* ME_major_ver is zero on some platforms (Mac) */
334 if (ME_major_ver &&
335 (ME_major_ver < 9 ||
336 (ME_major_ver == 9 && ME_minor_ver < 5) ||
337 !BOOTGUARD_CAPABILITY(bootguard))) {
338 print_cap("BootGuard ", 0);
339 printf(CGRN "\nYour system isn't bootguard ready. You can "
340 "flash other firmware!\n" RESET);
341 rehide_me();
342 return;
343 }
344
345 if (msr_bootguard(&bootguard, debug) < 0) {
346 printf("ME Capability: %-43s: " CCYN "%s\n" RESET,
347 "BootGuard Mode", "Unknown");
348 return;
349 }
350
351 print_cap("BootGuard ", 1);
352 if (pci_read_long(dev, 0x40) & 0x10)
353 printf(CYEL "Your southbridge configuration is insecure!! "
354 "BootGuard keys can be overwritten or wiped, or you are "
355 "in developer mode.\n"
356 RESET);
357
358 switch (bootguard) {
359 case BOOTGUARD_DISABLED:
360 printf("ME Capability: %-43s: " CGRN "%s\n" RESET,
361 "BootGuard Mode", "Disabled");
362 printf(CGRN "\nYour system is bootguard ready but your vendor "
363 "disabled it. You can flash other firmware!\n" RESET);
364 break;
365 case BOOTGUARD_ENABLED_COMBI_MODE:
366 printf("ME Capability: %-43s: " CGRN "%s\n" RESET,
367 "BootGuard Mode", "Verified & Measured Boot");
368 printf(CRED "\nVerified boot is enabled. You can't flash other "
369 "firmware. !\n" RESET);
370 break;
371 case BOOTGUARD_ENABLED_MEASUREMENT_MODE:
372 printf("ME Capability: %-43s: " CGRN "%s\n" RESET,
373 "BootGuard Mode", "Measured Boot");
374 printf(CGRN "\nYour system is bootguard ready but only running "
375 "the measured boot mode. You can flash other firmware!\n"
376 RESET);
377 break;
378 case BOOTGUARD_ENABLED_VERIFIED_MODE:
379 printf("ME Capability: %-43s: " CGRN "%s\n" RESET,
380 "BootGuard Mode", "Verified Boot");
381 printf(CRED "\nVerified boot is enabled! You can't flash other "
382 "firmware.\n" RESET);
383 break;
384 }
385 rehide_me();
386 }
387
388 static void print_version(void)
389 {
390 printf("intelmetool v%s -- ", INTELMETOOL_VERSION);
391 printf("Copyright (C) 2015 Damien Zammit\n");
392 printf("Copyright (C) 2017 Philipp Deppenwiese\n");
393 printf("Copyright (C) 2017 Patrick Rudolph\n\n");
394 printf(GPLV2COPYRIGHT);
395 }
396
397 static void print_usage(const char *name)
398 {
399 printf("usage: %s [-vh?smdb]\n", name);
400 printf("\n"
401 " -v | --version: print the version\n"
402 " -h | --help: print this help\n\n"
403 " -d | --debug: enable debug output\n"
404 " -m | --me dump all me information on console\n"
405 " -b | --bootguard dump bootguard state of the platform\n"
406 "\n");
407 exit(1);
408 }
409
410 int main(int argc, char *argv[])
411 {
412 int opt, option_index = 0;
413 unsigned cmd_exec = 0;
414
415 static struct option long_options[] = {
416 {"version", 0, 0, 'v'},
417 {"help", 0, 0, 'h'},
418 {"me", 0, 0, 'm'},
419 {"bootguard", 0, 0, 'b'},
420 {"debug", 0, 0, 'd'},
421 {0, 0, 0, 0}
422 };
423
424 while ((opt = getopt_long(argc, argv, "vh?smdb",
425 long_options, &option_index)) != EOF) {
426 switch (opt) {
427 case 'v':
428 print_version();
429 exit(0);
430 break;
431 case 's': /* Legacy fallthrough */
432 case 'm':
433 cmd_exec = 1;
434 break;
435 case 'b':
436 cmd_exec = 2;
437 break;
438 break;
439 case 'd':
440 debug = 1;
441 break;
442 case 'h':
443 case '?':
444 default:
445 print_usage(argv[0]);
446 exit(0);
447 break;
448 }
449 }
450
451 if (!cmd_exec)
452 print_usage(argv[0]);
453
454 #if defined(__FreeBSD__)
455 if (open("/dev/io", O_RDWR) < 0) {
456 perror("/dev/io");
457 #elif defined(__NetBSD__)
458 # ifdef __i386__
459 if (i386_iopl(3)) {
460 perror("iopl");
461 # else
462 if (x86_64_iopl(3)) {
463 perror("iopl");
464 # endif
465 #else
466 if (iopl(3)) {
467 perror("iopl");
468 #endif
469 printf("You need to be root.\n");
470 exit(1);
471 }
472
473 #ifndef __DARWIN__
474 fd_mem = open("/dev/mem", O_RDWR);
475 if (fd_mem < 0) {
476 perror("Can not open /dev/mem");
477 exit(1);
478 }
479
480 if (!isCPUGenuineIntel()) {
481 perror("Error CPU is not from Intel.");
482 exit(1);
483 }
484 #endif
485
486 if (cmd_exec & 3)
487 dump_me_info();
488 if (cmd_exec & 2)
489 dump_bootguard_info();
490
491 return 0;
492 }
ast, secure and flexible OpenSource firmware