soc/intel/common: Add support to control CSE firmware update
The patch adds support to control CSE Lite firmware update dynamically.
In order to disable the CSE firmware update functionality, offset 0xf00
in the coreboot binary be updated with 0x1.
Run below command on the binary to disable CSE firmwar update
printf '\x01' | dd of=image-brya4es.serial.bin bs=1 seek=3840 count=1
conv=notrunc
BUG=b:153410586
TEST=Verified CSE firmware update functionality is not getting
triggered after updating the offset:0xF00 in the coreboot binary.
........................ CB Logs ......................................
[DEBUG] prev_sleep_state 5
[DEBUG] cse_lite: Number of partitions = 3
[DEBUG] cse_lite: Current partition = RW
[DEBUG] cse_lite: Next partition = RW
[DEBUG] cse_lite: Flags = 0x3
[DEBUG] cse_lite: RO version = 16.0.15.1752 (Status=0x0, Start=0x2000,
End=0x19bfff)
[DEBUG] cse_lite: RW version = 16.0.15.1752 (Status=0x0,
Start=0x205000, End=0x439fff)
rt_debug: pre_mem_debug.cse_fw_update_disable=1
[DEBUG] Boot Count incremented to 956
.......................................................................
Signed-off-by: Sridhar Siricilla <sridhar.siricilla@intel.com>
Change-Id: I9f234b142191eb83137d5d83f21e890e1cb828ba
Reviewed-on: https://review.coreboot.org/c/coreboot/+/62715
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Rizwan Qureshi <rizwan.qureshi@intel.com>
diff --git a/src/soc/intel/common/block/cse/cse_lite.c b/src/soc/intel/common/block/cse/cse_lite.c
index ca6d7d3..83f5eb1 100644
--- a/src/soc/intel/common/block/cse/cse_lite.c
+++ b/src/soc/intel/common/block/cse/cse_lite.c
@@ -1,15 +1,16 @@
/* SPDX-License-Identifier: GPL-2.0-only */
+#include <arch/cpu.h>
#include <console/console.h>
#include <cbfs.h>
#include <commonlib/region.h>
#include <fmap.h>
#include <intelblocks/cse.h>
#include <intelblocks/cse_layout.h>
+#include <intelbasecode/debug_feature.h>
#include <security/vboot/vboot_common.h>
#include <security/vboot/misc.h>
#include <soc/intel/common/reset.h>
-#include <arch/cpu.h>
#define BPDT_HEADER_SZ sizeof(struct bpdt_header)
#define BPDT_ENTRY_SZ sizeof(struct bpdt_entry)
@@ -663,6 +664,17 @@
return true;
}
+static bool is_cse_fw_update_enabled(void)
+{
+ if (!CONFIG(SOC_INTEL_CSE_RW_UPDATE))
+ return false;
+
+ if (CONFIG(SOC_INTEL_COMMON_BASECODE_DEBUG_FEATURE))
+ return !is_debug_cse_fw_update_disable();
+
+ return true;
+}
+
static enum csme_failure_reason cse_update_rw(const struct cse_bp_info *cse_bp_info,
const void *cse_cbfs_rw, const size_t cse_blob_sz,
struct region_device *target_rdev)
@@ -1079,10 +1091,11 @@
cse_trigger_vboot_recovery(CSE_LITE_SKU_DATA_WIPE_ERROR);
/*
- * If SOC_INTEL_CSE_RW_UPDATE is defined , then trigger CSE firmware update. The driver
- * triggers recovery if CSE CBFS RW metadata or CSE CBFS RW blob is not available.
+ * cse firmware update is skipped if SOC_INTEL_CSE_RW_UPDATE is not defined and
+ * runtime debug control flag is not enabled. The driver triggers recovery if CSE CBFS
+ * RW metadata or CSE CBFS RW blob is not available.
*/
- if (CONFIG(SOC_INTEL_CSE_RW_UPDATE)) {
+ if (is_cse_fw_update_enabled()) {
uint8_t rv;
rv = cse_fw_update(&cse_bp_info.bp_info);
if (rv)