soc/intel/common/pch: Add pch lockdown code
pch lockdown functionality can be used by supported PCH.
Right now pch lockdown functionality is applied for SPT
(Skylake SOC) and CNP(Cannon Lake SOC) PCH.
BUG=b:78109109
BRANCH=none
TEST=Build and boot KBL and CNL platform.
Change-Id: I0b81bbc54f737cb4e7120f44bbe705039b45ccb3
Signed-off-by: Maulik V Vaghela <maulik.v.vaghela@intel.com>
Signed-off-by: Subrata Banik <subrata.banik@intel.com>
Reviewed-on: https://review.coreboot.org/25688
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
diff --git a/src/soc/intel/cannonlake/lockdown.c b/src/soc/intel/cannonlake/lockdown.c
index 1f1e654..c57cde8 100644
--- a/src/soc/intel/cannonlake/lockdown.c
+++ b/src/soc/intel/cannonlake/lockdown.c
@@ -14,94 +14,59 @@
*/
#include <arch/io.h>
-#include <bootstate.h>
-#include <chip.h>
#include <intelblocks/chip.h>
-#include <intelblocks/fast_spi.h>
-#include <intelblocks/lpc_lib.h>
-#include <intelblocks/pcr.h>
-#include <soc/pci_devs.h>
-#include <soc/pcr_ids.h>
+#include <intelpch/lockdown.h>
#include <soc/pm.h>
-#include <string.h>
-#define PCR_DMI_GCS 0x274C
-#define PCR_DMI_GCS_BILD (1 << 0)
-
-static void pmc_lockdown_cfg(const struct soc_intel_common_config *config)
+static void pmc_lock_pmsync(void)
{
- uint8_t *pmcbase, reg8;
- uint32_t reg32, pmsyncreg;
+ uint8_t *pmcbase;
+ uint32_t pmsyncreg;
- /* PMSYNC */
pmcbase = pmc_mmio_regs();
+
pmsyncreg = read32(pmcbase + PMSYNC_TPR_CFG);
pmsyncreg |= PCH2CPU_TPR_CFG_LOCK;
write32(pmcbase + PMSYNC_TPR_CFG, pmsyncreg);
+}
- /* Lock down ABASE and sleep stretching policy */
+static void pmc_lock_abase(void)
+{
+ uint8_t *pmcbase;
+ uint32_t reg32;
+
+ pmcbase = pmc_mmio_regs();
+
reg32 = read32(pmcbase + GEN_PMCON_B);
reg32 |= (SLP_STR_POL_LOCK | ACPI_BASE_LOCK);
write32(pmcbase + GEN_PMCON_B, reg32);
-
- if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
- pmcbase = pmc_mmio_regs();
- reg8 = read8(pmcbase + GEN_PMCON_B);
- reg8 |= SMI_LOCK;
- write8(pmcbase + GEN_PMCON_B, reg8);
- }
}
-static void dmi_lockdown_cfg(void)
+static void pmc_lock_smi(void)
{
- /*
- * GCS reg of DMI
- *
- * When set, prevents GCS.BBS from being changed
- * GCS.BBS: (Boot BIOS Strap) This field determines the destination
- * of accesses to the BIOS memory range.
- * Bits Description
- * "0b": SPI
- * "1b": LPC/eSPI
- */
- pcr_or8(PID_DMI, PCR_DMI_GCS, PCR_DMI_GCS_BILD);
+ uint8_t *pmcbase;
+ uint8_t reg8;
+
+ pmcbase = pmc_mmio_regs();
+
+ reg8 = read8(pmcbase + GEN_PMCON_B);
+ reg8 |= SMI_LOCK;
+ write8(pmcbase + GEN_PMCON_B, reg8);
}
-static void fast_spi_lockdown_cfg(const struct soc_intel_common_config *config)
+static void pmc_lockdown_cfg(int chipset_lockdown)
{
- /* Set FAST_SPI opcode menu */
- fast_spi_set_opcode_menu();
+ /* PMSYNC */
+ pmc_lock_pmsync();
+ /* Lock down ABASE and sleep stretching policy */
+ pmc_lock_abase();
- /* Discrete Lock Flash PR registers */
- fast_spi_pr_dlock();
-
- /* Lock FAST_SPIBAR */
- fast_spi_lock_bar();
-
- /* Set Bios Interface Lock, Bios Lock */
- if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
- /* Bios Interface Lock */
- fast_spi_set_bios_interface_lock_down();
-
- /* Bios Lock */
- fast_spi_set_lock_enable();
- }
+ if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT)
+ pmc_lock_smi();
}
-static void platform_lockdown_config(void *unused)
+void soc_lockdown_config(int chipset_lockdown)
{
- const struct soc_intel_common_config *common_config;
- common_config = chip_get_common_soc_structure();
-
- /* SPI lock down configuration */
- fast_spi_lockdown_cfg(common_config);
-
- /* DMI lock down configuration */
- dmi_lockdown_cfg();
-
/* PMC lock down configuration */
- pmc_lockdown_cfg(common_config);
+ pmc_lockdown_cfg(chipset_lockdown);
}
-
-BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_EXIT, platform_lockdown_config,
- NULL);
diff --git a/src/soc/intel/common/pch/Kconfig b/src/soc/intel/common/pch/Kconfig
index cc4f24a..1157eb4 100644
--- a/src/soc/intel/common/pch/Kconfig
+++ b/src/soc/intel/common/pch/Kconfig
@@ -41,5 +41,6 @@
select SOC_INTEL_COMMON_BLOCK_UART
select SOC_INTEL_COMMON_BLOCK_XDCI
select SOC_INTEL_COMMON_BLOCK_XHCI
+ select SOC_INTEL_COMMON_PCH_LOCKDOWN
endif
diff --git a/src/soc/intel/common/pch/include/intelpch/lockdown.h b/src/soc/intel/common/pch/include/intelpch/lockdown.h
new file mode 100644
index 0000000..adbf2fe
--- /dev/null
+++ b/src/soc/intel/common/pch/include/intelpch/lockdown.h
@@ -0,0 +1,40 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2018 Intel Corporation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef SOC_INTEL_COMMON_PCH_LOCKDOWN_H
+#define SOC_INTEL_COMMON_PCH_LOCKDOWN_H
+
+#include <stdint.h>
+
+/*
+ * This function will get lockdown config specific to soc.
+ *
+ * Return values:
+ * 0 = CHIPSET_LOCKDOWN_FSP = use FSP's lockdown functionality to lockdown IPs
+ * 1 = CHIPSET_LOCKDOWN_COREBOOT = Use coreboot to lockdown IPs
+ */
+int get_lockdown_config(void);
+
+/*
+ * Common PCH lockdown will perform lock down operation for DMI, FAST_SPI.
+ * And SoC should implement any other PCH lockdown if applicable as
+ * per silicon security guideline (i.e. LPC, PMC etc.)
+ *
+ * Input:
+ * chipset_lockdown = Return value from get_lockdown_config() function
+ */
+void soc_lockdown_config(int chipset_lockdown);
+
+#endif /* SOC_INTEL_COMMON_PCH_LOCKDOWN_H */
diff --git a/src/soc/intel/common/pch/lockdown/Kconfig b/src/soc/intel/common/pch/lockdown/Kconfig
new file mode 100644
index 0000000..8fce5e7
--- /dev/null
+++ b/src/soc/intel/common/pch/lockdown/Kconfig
@@ -0,0 +1,7 @@
+config SOC_INTEL_COMMON_PCH_LOCKDOWN
+ bool
+ default n
+ help
+ This option allows to have chipset lockdown for DMI, FAST_SPI and
+ soc_lockdown_config() to implement any additional lockdown as PMC,
+ LPC for supported PCH.
diff --git a/src/soc/intel/common/pch/lockdown/Makefile.inc b/src/soc/intel/common/pch/lockdown/Makefile.inc
new file mode 100644
index 0000000..f4663f5
--- /dev/null
+++ b/src/soc/intel/common/pch/lockdown/Makefile.inc
@@ -0,0 +1 @@
+ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c
diff --git a/src/soc/intel/common/pch/lockdown/lockdown.c b/src/soc/intel/common/pch/lockdown/lockdown.c
new file mode 100644
index 0000000..f37d001
--- /dev/null
+++ b/src/soc/intel/common/pch/lockdown/lockdown.c
@@ -0,0 +1,107 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018 Intel Corporation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include <arch/io.h>
+#include <bootstate.h>
+#include <console/console.h>
+#include <intelblocks/chip.h>
+#include <intelblocks/fast_spi.h>
+#include <intelblocks/pcr.h>
+#include <intelpch/lockdown.h>
+#include <soc/pci_devs.h>
+#include <soc/pcr_ids.h>
+#include <soc/soc_chip.h>
+#include <string.h>
+
+#define PCR_DMI_GCS 0x274C
+#define PCR_DMI_GCS_BILD (1 << 0)
+
+/*
+ * This function will get lockdown config specific to soc.
+ *
+ * Return values:
+ * 0 = CHIPSET_LOCKDOWN_FSP = use FSP's lockdown functionality to lockdown IPs
+ * 1 = CHIPSET_LOCKDOWN_COREBOOT = Use coreboot to lockdown IPs
+ */
+int get_lockdown_config(void)
+{
+ const struct soc_intel_common_config *common_config;
+ common_config = chip_get_common_soc_structure();
+
+ return common_config->chipset_lockdown;
+}
+
+static void dmi_lockdown_cfg(void)
+{
+ /*
+ * GCS reg of DMI
+ *
+ * When set, prevents GCS.BBS from being changed
+ * GCS.BBS: (Boot BIOS Strap) This field determines the destination
+ * of accesses to the BIOS memory range.
+ * Bits Description
+ * "0b": SPI
+ * "1b": LPC/eSPI
+ */
+ pcr_or8(PID_DMI, PCR_DMI_GCS, PCR_DMI_GCS_BILD);
+}
+
+static void fast_spi_lockdown_cfg(int chipset_lockdown)
+{
+ if (!IS_ENABLED(CONFIG_SOC_INTEL_COMMON_BLOCK_FAST_SPI))
+ return;
+
+ /* Set FAST_SPI opcode menu */
+ fast_spi_set_opcode_menu();
+
+ /* Discrete Lock Flash PR registers */
+ fast_spi_pr_dlock();
+
+ /* Lock FAST_SPIBAR */
+ fast_spi_lock_bar();
+
+ /* Set Bios Interface Lock, Bios Lock */
+ if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
+ /* Bios Interface Lock */
+ fast_spi_set_bios_interface_lock_down();
+
+ /* Bios Lock */
+ fast_spi_set_lock_enable();
+ }
+}
+
+/*
+ * platform_lockdown_config has 2 major part.
+ * 1. Common SoC lockdown configuration.
+ * 2. SoC specific lockdown configuration as per Silicon
+ * guideline.
+ */
+static void platform_lockdown_config(void *unused)
+{
+ int chipset_lockdown;
+ chipset_lockdown = get_lockdown_config();
+
+ /* SPI lock down configuration */
+ fast_spi_lockdown_cfg(chipset_lockdown);
+
+ /* DMI lock down configuration */
+ dmi_lockdown_cfg();
+
+ /* SoC lock down configuration */
+ soc_lockdown_config(chipset_lockdown);
+}
+
+BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_EXIT, platform_lockdown_config,
+ NULL);
diff --git a/src/soc/intel/skylake/chip.c b/src/soc/intel/skylake/chip.c
index 466db09..e8023ba 100644
--- a/src/soc/intel/skylake/chip.c
+++ b/src/soc/intel/skylake/chip.c
@@ -21,6 +21,7 @@
#include <device/pci.h>
#include <fsp/util.h>
#include <intelblocks/xdci.h>
+#include <intelpch/lockdown.h>
#include <soc/acpi.h>
#include <soc/interrupt.h>
#include <soc/irq.h>
@@ -69,14 +70,6 @@
dev->ops = &cpu_bus_ops;
}
-static int get_lockdown_config(void)
-{
- const struct soc_intel_common_config *soc_config;
- soc_config = chip_get_common_soc_structure();
-
- return soc_config->chipset_lockdown;
-}
-
struct chip_operations soc_intel_skylake_ops = {
CHIP_NAME("Intel Skylake")
.enable_dev = &soc_enable,
diff --git a/src/soc/intel/skylake/chip_fsp20.c b/src/soc/intel/skylake/chip_fsp20.c
index ebfad66..00c7163 100644
--- a/src/soc/intel/skylake/chip_fsp20.c
+++ b/src/soc/intel/skylake/chip_fsp20.c
@@ -30,6 +30,7 @@
#include <fsp/api.h>
#include <fsp/util.h>
#include <intelblocks/xdci.h>
+#include <intelpch/lockdown.h>
#include <romstage_handoff.h>
#include <soc/acpi.h>
#include <soc/intel/common/vbt.h>
@@ -211,14 +212,6 @@
dev->ops = &cpu_bus_ops;
}
-static int get_lockdown_config(void)
-{
- const struct soc_intel_common_config *soc_config;
- soc_config = chip_get_common_soc_structure();
-
- return soc_config->chipset_lockdown;
-}
-
struct chip_operations soc_intel_skylake_ops = {
CHIP_NAME("Intel 6th Gen")
.enable_dev = &soc_enable,
diff --git a/src/soc/intel/skylake/lockdown.c b/src/soc/intel/skylake/lockdown.c
index fd1f5b2..e4818dc 100644
--- a/src/soc/intel/skylake/lockdown.c
+++ b/src/soc/intel/skylake/lockdown.c
@@ -1,7 +1,7 @@
/*
* This file is part of the coreboot project.
*
- * Copyright (C) 2017 Intel Corporation.
+ * Copyright (C) 2017-2018 Intel Corporation.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -14,24 +14,15 @@
*/
#include <arch/io.h>
-#include <bootstate.h>
-#include <chip.h>
#include <intelblocks/chip.h>
-#include <intelblocks/fast_spi.h>
#include <intelblocks/lpc_lib.h>
-#include <intelblocks/pcr.h>
-#include <soc/pci_devs.h>
-#include <soc/pcr_ids.h>
+#include <intelpch/lockdown.h>
#include <soc/pm.h>
-#include <string.h>
-#define PCR_DMI_GCS 0x274C
-#define PCR_DMI_GCS_BILD (1 << 0)
-
-static void lpc_lockdown_config(const struct soc_intel_common_config *config)
+static void lpc_lockdown_config(int chipset_lockdown)
{
/* Set Bios Interface Lock, Bios Lock */
- if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
+ if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
lpc_set_bios_interface_lock_down();
lpc_set_lock_enable();
}
@@ -49,60 +40,11 @@
write32(pmcbase + PMSYNC_TPR_CFG, pmsyncreg);
}
-static void dmi_lockdown_config(void)
+void soc_lockdown_config(int chipset_lockdown)
{
- /*
- * GCS reg of DMI
- *
- * When set, prevents GCS.BBS from being changed
- * GCS.BBS: (Boot BIOS Strap) This field determines the destination
- * of accesses to the BIOS memory range.
- * Bits Description
- * "0b": SPI
- * "1b": LPC/eSPI
- */
- pcr_or8(PID_DMI, PCR_DMI_GCS, PCR_DMI_GCS_BILD);
-}
-
-static void fast_spi_lockdown_config(const
- struct soc_intel_common_config *config)
-{
- /* Set FAST_SPI opcode menu */
- fast_spi_set_opcode_menu();
-
- /* Discrete Lock Flash PR registers */
- fast_spi_pr_dlock();
-
- /* Lock FAST_SPIBAR */
- fast_spi_lock_bar();
-
- /* Set Bios Interface Lock, Bios Lock */
- if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
- /* Bios Interface Lock */
- fast_spi_set_bios_interface_lock_down();
-
- /* Bios Lock */
- fast_spi_set_lock_enable();
- }
-}
-
-static void platform_lockdown_config(void *unused)
-{
- const struct soc_intel_common_config *common_config;
- common_config = chip_get_common_soc_structure();
-
/* LPC lock down configuration */
- lpc_lockdown_config(common_config);
-
- /* SPI lock down configuration */
- fast_spi_lockdown_config(common_config);
-
- /* DMI lock down configuration */
- dmi_lockdown_config();
+ lpc_lockdown_config(chipset_lockdown);
/* PMC lock down configuration */
pmc_lockdown_config();
}
-
-BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_EXIT, platform_lockdown_config,
- NULL);