soc/intel/common: Add function to check if xDCI is allowed
When CONFIG_VBOOT is enabled then the xDCI controller should only be
enabled if the system is in developer mode. This prevents a system
in normal/verified mode from being used as a USB peripheral device
which could potentially be used to access user data.
This change adds a function to return whether xDCI can be enabled
or not, which will be used by the SOCs.
Change-Id: Ie3ee9dd7077c094a01fd857a2e4033a12ce8979b
Signed-off-by: Duncan Laurie <dlaurie@chromium.org>
Reviewed-on: https://review.coreboot.org/25347
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
diff --git a/src/soc/intel/common/block/xdci/xdci.c b/src/soc/intel/common/block/xdci/xdci.c
index 10e6f0d..07093df 100644
--- a/src/soc/intel/common/block/xdci/xdci.c
+++ b/src/soc/intel/common/block/xdci/xdci.c
@@ -19,9 +19,19 @@
#include <device/pci.h>
#include <device/pci_ids.h>
#include <intelblocks/xdci.h>
+#include <security/vboot/vboot_common.h>
__attribute__((weak)) void soc_xdci_init(struct device *dev) { /* no-op */ }
+/* Only allow xDCI controller in developer mode if VBOOT is enabled */
+int xdci_can_enable(void)
+{
+ if (IS_ENABLED(CONFIG_VBOOT))
+ return vboot_developer_mode_enabled() ? 1 : 0;
+ else
+ return 1;
+}
+
static struct device_operations usb_xdci_ops = {
.read_resources = &pci_dev_read_resources,
.set_resources = &pci_dev_set_resources,