The Intel Corporation 8 Series HECI has support for a TPM2.0 device which can be enabled by the BIOS. Unfortunately, this firmware TPM device uses DMA accesses (instead of MMIO as used by newer HECIs) to interact with the operating system and most BIOS do not include an appropriate entry in the DMAR table to allow the IOMMU to work along the firmware TPM.<\/p>\n
This blogpost aims to help you understand the procedure needed to patch the DMAR ACPI table provided by your system’s firmware to allow the TPM2.0 device through. Unfortunately, given the way the Linux kernel handles RMRR entries, you will also need a kernel patch to alias the HECIs function 7 (used by the firmware TPM application) to the function 0 (the only one that is exposed).<\/p>\n
To patch the DMAR table you will need the following tools: iasl (which you will probably need to install), lspci, cat, grep, a text editor and a way to modify your initramfs (I usually create my own although you may be able to create a cpio image with the table in a way similar to how microcodes are loaded).<\/p>\n
The first step is extracting your system’s DMAR table in binary format. You can do so by running the following command: cat \/sys\/firmware\/acpi\/tables\/DMAR > dmar.bin<\/tt><\/p>\n
To be able to modify the table you need to convert it into text format. You do this using iasl as follows: iasl dmar.bin<\/tt><\/p>\n
You also need to find out at which address the TPM2.0 device is. You can do by looking \/proc\/iomem<\/tt> for a device with a name similar to MSFT0101:00<\/tt>. In my system this could be done by running the following command: grep MSFT \/proc\/iomem | tail -1<\/tt> You should get an entry similar to this: xxxxxxxx-yyyyyyyy : MSFT0101:00<\/tt>. Here xxxxxxxx is the lower end of the memory range and yyyyyyyy the higher end.<\/p>\n
You need to find also the “physical” path to your HECI. Use the following command to do so: lspci -nn | grep HECI<\/tt>. The entry will look something as follows: ii:jj.k Communication controller [0780]: Intel Corporation 8 Series HECI #0 [llll:mmmm] (rev 04)<\/tt>. Notice that ii:jj.k are placeholders used to patch the DMAR table. Similary, llll:mmmm is a placeholder you might need if you need to patch the kernel to add another quirk. Note that k should be 0 for my patch to work.<\/p>\n
Now open the dmar.dsl<\/tt> file in your favorite editor and perform the appropriate changes. You just have to add the code, found below this paragraph, above the line at the end of the file where it says Raw Table Data:<\/tt> (if you put it below that line, your entry will instead be ignored). Remember that you need to replace xxxxxxxx and yyyyyyyy with the entries you obtained before using grep. You will also need to replace ii, jj and kk with the values you obtained using lspci. All three values are extacly two digits so you need to add zeros to the left to ensure they are two digits. For example, if your value for k on lspci is 0 you should replace kk with 00.<\/p>\n
Subtable Type : 0001
\nLength : 0020
\nReserved : 0000
\nPCI Segment Number : 0000
\nBase Address : xxxxxxxx
\nEnd Address (limit) : yyyyyyyy
\nDevice Scope Type : 01
\nEntry Length : 08
\nReserved : 0000
\nEnumeration ID : 00
\nPCI Bus Number : ii
\nPCI Path : jj,kk<\/tt><\/p>\n
You will also need to increase the value of the entry in the original file labeled Oem Revision<\/tt>. Adding one to whichever number in the field works. Although all that is needed is that it is larger than the original value (so the table is marked as newer and therefore used when overriding the original table provided by your system’s manufacturer).<\/p>\n
Now we need to compile the new table. We do so using iasl: iasl dmar.dsl<\/tt> If the command worked correctly, you should see something as follows on your terminal: Compilation successful. 0 Errors, 0 Warnings, 0 Remarks<\/tt>. The new table file will be called dmar.aml<\/tt><\/p>\n
Finally you need to modify your initramfs so that the generated file is on kernel\/firmware\/acpi\/dmar.aml<\/tt> the way to do this will depend on your distribution. If you want to create a new initrd that can be concatenated with your existing one, you can do as follows: mkdir -p kernel\/firmware\/acpi && cp dmar.aml kernel\/firmware\/acpi && find kernel -print0 | cpio -ov -0 --format=newc > my-initramfs.cpio<\/tt> Then you need to move my-initramfs.cpio to your \/boot folder and make sure you configure your bootloader to include it when loading your kernel.<\/p>\n
If all went correctly after you reboot you should see something like the following on dmesg:<\/p>\n
ACPI: DMAR ACPI table found in initrd [kernel\/firmware\/acpi\/dmar.aml]
\nACPI: Table Upgrade: override [DMAR<\/tt><\/p>\n