soc/intel/common/cse: Add support for sending CSE End-of-Post message

The CSE expects the boot firmware to send it an End-of-Post message
before loading the OS. This is a security feature, and is done to ensure
that the CSE will no longer perform certain sensitive commands that are
not intended to be exposed to the OS.

If processing the EOP message fails in any way on a ChromeOS build, (and
not already in recovery mode), recovery mode will be triggered,
otherwise the CSME BWG will be followed, which is in the following
commit.

BUG=b:191362590

Signed-off-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Change-Id: I6f667905f759cc2337daca4cc6e09694e68ab7e8
Reviewed-on: https://review.coreboot.org/c/coreboot/+/55631
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Subrata Banik <subrata.banik@intel.com>
Reviewed-by: Karthik Ramasubramanian <kramasub@google.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/src/soc/intel/common/block/include/intelblocks/cse.h b/src/soc/intel/common/block/include/intelblocks/cse.h
index eac57d9f5c..43f3137d6a 100644
--- a/src/soc/intel/common/block/include/intelblocks/cse.h
+++ b/src/soc/intel/common/block/include/intelblocks/cse.h
@@ -25,6 +25,9 @@
 /* Get Firmware Version Command Id */
 #define MKHI_GEN_GET_FW_VERSION	0x2
 
+/* Set End-of-POST in CSE */
+#define MKHI_END_OF_POST	0xc
+
 /* Boot partition info and set boot partition info command ids */
 #define MKHI_BUP_COMMON_GET_BOOT_PARTITION_INFO	0x1c
 #define MKHI_BUP_COMMON_SET_BOOT_PARTITION_INFO	0x1d
@@ -117,6 +120,9 @@ enum csme_failure_reason {
 
 	/* CSE CBFS RW blob layout is not correct */
 	CSE_LITE_SKU_LAYOUT_MISMATCH_ERROR = 11,
+
+	/* Error sending EOP to CSE */
+	CSE_EOP_FAIL = 12,
 };
 
 /* set up device for use in early boot enviroument with temp bar */