soc/intel/common/cse: Add function to perform global reset lock
This patch implements `cse_control_global_reset_lock()` as per ME BWG
(doc: 627331) recommendation.
It is recommended that BIOS should set this bit early on in the boot
sequence, and then clear it and set the CF9LOCK bit prior to loading
the OS in both an Intel CSME Enabled and a Intel CSME Disabled system.
Note: For CSE-Lite SKUs BIOS should set CF9LOCK bit unconditionally.
BUG=b:211954778
TEST=Able to build and boot Brya.
Signed-off-by: Subrata Banik <subratabanik@google.com>
Change-Id: I3894b2cd8b90dc033f475384486815ab2fadf381
Reviewed-on: https://review.coreboot.org/c/coreboot/+/61520
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-by: Lean Sheng Tan <sheng.tan@9elements.com>
Reviewed-by: Sridhar Siricilla <sridhar.siricilla@intel.com>
diff --git a/src/soc/intel/common/block/cse/cse.c b/src/soc/intel/common/block/cse/cse.c
index a9a619c..5140369 100644
--- a/src/soc/intel/common/block/cse/cse.c
+++ b/src/soc/intel/common/block/cse/cse.c
@@ -11,6 +11,7 @@
#include <device/pci_ids.h>
#include <device/pci_ops.h>
#include <intelblocks/cse.h>
+#include <intelblocks/pmclib.h>
#include <option.h>
#include <security/vboot/misc.h>
#include <security/vboot/vboot_common.h>
@@ -1008,6 +1009,25 @@
}
}
+void cse_control_global_reset_lock(void)
+{
+ /*
+ * As per ME BWG recommendation the BIOS should not lock down CF9GR bit during
+ * manufacturing and re-manufacturing environment if HFSTS1 [4] is set. Note:
+ * this recommendation is not applicable for CSE-Lite SKUs where BIOS should set
+ * CF9LOCK bit irrespectively.
+ *
+ * Other than that, make sure payload/OS can't trigger global reset.
+ *
+ * BIOS must also ensure that CF9GR is cleared and locked (Bit31 of ETR3)
+ * prior to transferring control to the OS.
+ */
+ if (CONFIG(SOC_INTEL_CSE_LITE_SKU) || cse_is_hfs1_spi_protected())
+ pmc_global_reset_disable_and_lock();
+ else
+ pmc_global_reset_enable(false);
+}
+
#if ENV_RAMSTAGE
/*