soc/intel/common: Add function to check if xDCI is allowed

When CONFIG_VBOOT is enabled then the xDCI controller should only be
enabled if the system is in developer mode.  This prevents a system
in normal/verified mode from being used as a USB peripheral device
which could potentially be used to access user data.

This change adds a function to return whether xDCI can be enabled
or not, which will be used by the SOCs.

Change-Id: Ie3ee9dd7077c094a01fd857a2e4033a12ce8979b
Signed-off-by: Duncan Laurie <dlaurie@chromium.org>
Reviewed-on: https://review.coreboot.org/25347
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>

2 files changed, 11 insertions, 0 deletions

diff --git a/src/soc/intel/common/block/include/intelblocks/xdci.h b/src/soc/intel/common/block/include/intelblocks/xdci.h
index fa25513b70..1158056778 100644
--- a/src/soc/intel/common/block/include/intelblocks/xdci.h
+++ b/src/soc/intel/common/block/include/intelblocks/xdci.h
@@ -17,5 +17,6 @@
 #define SOC_INTEL_COMMON_BLOCK_XDCI_H
 
 void soc_xdci_init(struct device *dev);
+int xdci_can_enable(void);
 
 #endif	/* SOC_INTEL_COMMON_BLOCK_XDCI_H */
diff --git a/src/soc/intel/common/block/xdci/xdci.c b/src/soc/intel/common/block/xdci/xdci.c
index 10e6f0d10a..07093dfb5e 100644
--- a/src/soc/intel/common/block/xdci/xdci.c
+++ b/src/soc/intel/common/block/xdci/xdci.c
@@ -19,9 +19,19 @@
 #include <device/pci.h>
 #include <device/pci_ids.h>
 #include <intelblocks/xdci.h>
+#include <security/vboot/vboot_common.h>
 
 __attribute__((weak)) void soc_xdci_init(struct device *dev) { /* no-op */ }
 
+/* Only allow xDCI controller in developer mode if VBOOT is enabled */
+int xdci_can_enable(void)
+{
+	if (IS_ENABLED(CONFIG_VBOOT))
+		return vboot_developer_mode_enabled() ?  1 : 0;
+	else
+		return 1;
+}
+
 static struct device_operations usb_xdci_ops = {
 	.read_resources		= &pci_dev_read_resources,
 	.set_resources		= &pci_dev_set_resources,