author | Duncan Laurie <dlaurie@chromium.org> | 2018-03-26 02:17:33 -0700 |
---|---|---|
committer | Patrick Georgi <pgeorgi@google.com> | 2018-03-28 06:43:03 +0000 |
commit | 4df7d2c4953822c33be77e20e2ceff896e4a65c5 (patch) | |
tree | c89b15eda4c21e5f41c4d030cf09e5c8091494c2 | |
parent | 969ef10f5409f70f85b76f3a7c5b5a4e4a637ee9 (diff) |
soc/intel/common: Add function to check if xDCI is allowed
When CONFIG_VBOOT is enabled then the xDCI controller should only be
enabled if the system is in developer mode. This prevents a system
in normal/verified mode from being used as a USB peripheral device
which could potentially be used to access user data.
This change adds a function to return whether xDCI can be enabled
or not, which will be used by the SOCs.
Change-Id: Ie3ee9dd7077c094a01fd857a2e4033a12ce8979b
Signed-off-by: Duncan Laurie <dlaurie@chromium.org>
Reviewed-on: https://review.coreboot.org/25347
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
-rw-r--r-- | src/soc/intel/common/block/include/intelblocks/xdci.h | 1 | ||||
-rw-r--r-- | src/soc/intel/common/block/xdci/xdci.c | 10 |
2 files changed, 11 insertions, 0 deletions
diff --git a/src/soc/intel/common/block/include/intelblocks/xdci.h b/src/soc/intel/common/block/include/intelblocks/xdci.h
index fa25513b70..1158056778 100644
--- a/src/soc/intel/common/block/include/intelblocks/xdci.h
+++ b/src/soc/intel/common/block/include/intelblocks/xdci.h
@@ -17,5 +17,6 @@
 #define SOC_INTEL_COMMON_BLOCK_XDCI_H
 
 void soc_xdci_init(struct device *dev);
+int xdci_can_enable(void);
 
 #endif /* SOC_INTEL_COMMON_BLOCK_XDCI_H */
diff --git a/src/soc/intel/common/block/xdci/xdci.c b/src/soc/intel/common/block/xdci/xdci.c
index 10e6f0d10a..07093dfb5e 100644
--- a/src/soc/intel/common/block/xdci/xdci.c
+++ b/src/soc/intel/common/block/xdci/xdci.c
@@ -19,9 +19,19 @@
 #include <device/pci.h>
 #include <device/pci_ids.h>
 #include <intelblocks/xdci.h>
+#include <security/vboot/vboot_common.h>
 
 __attribute__((weak)) void soc_xdci_init(struct device *dev) { /* no-op */ }
 
+/* Only allow xDCI controller in developer mode if VBOOT is enabled */
+int xdci_can_enable(void)
+{
+ if (IS_ENABLED(CONFIG_VBOOT))
+ return vboot_developer_mode_enabled() ? 1 : 0;
+ else
+ return 1;
+}
+
 static struct device_operations usb_xdci_ops = {
 .read_resources = &pci_dev_read_resources,
 .set_resources = &pci_dev_set_resources, |
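Review bot: `xdci_can_enable()` in xdci.c only reports policy; nothing visible in this hunk consults it (the weak `soc_xdci_init()` stays a no-op and `usb_xdci_ops` is unchanged as far as shown), so the verified-mode protection described in the commit message depends on every SoC caller checking the result before it enables the controller. Neither the one-line comment above the function nor the bare prototype added to xdci.h states that contract; I would expand the comment to `/* Policy check: returns 0 when CONFIG_VBOOT is set and the system is not in developer mode; callers must leave xDCI disabled in that case. Returns 1 when CONFIG_VBOOT is not set. */` and repeat it on the prototype. As a style point, `? 1 : 0` is redundant if `vboot_developer_mode_enabled()` already returns 0 or 1 (its declaration is not visible here), and the `else` after a `return` can be dropped. The `usb_xdci_ops` initializer continues past the end of the hunk.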