sb/intel/bd82x6x: Support ME Soft Temporary Disable Mode

- Add support for ME Soft Temporary Disable Mode. In this mode, ME
  doesn't load its kernel and freezes at Bring UP (BUP) phase. This mode
  is saved in ME NVRAM (and thus will remain for next reboots and
  poweroffs).

- Add support of new CMOS option for Sandy Bridge and Ivy Bridge
  ThinkPads.

HOW TO USE

To disable ME:
1. nvramtool -w me_state=Disabled
2. reboot

To enable it back:
1. nvramtool -w me_state=Normal
2. reboot

To check current status:
intelmetool -m

Tested on ThinkPad X230 and ThinkPad X220.

BACKGROUND

There's no Intel documentation that would explain how this should be
implemented, in public. Working binary sequence for MKHI command to put
ME in Soft Temporary Disable Mode, as well as a way to bring ME out of
it (by writing to H_GS register), was found and published by researchers
from PT Security:

1.  To disable ME, BIOS issues the disable command (before End of Post)
    and reboots. ME is supposed to be disabled on the next boot after
    DID (DRAM Init Done).

    My numerous tests show that issuing the command and rebooting is not
    enough. If we reboot too early, ME will not be disabled. Apparently,
    it is doing something in background after receiving the command. It
    works with a delay of 500-1000 ms.

    I also tried to dump all known (documented) registers, such as GMES
    and HFS, before and during the next 2 seconds after execution of the
    disable command to find a possible indication that something's
    changed in ME and we're ready to reboot. Found nothing
    unfortunately.

2.  To enable ME back, host writes value 0x20000000 to H_GS.

    PT slides don't contain any more information on it, but my tests
    show, that after writing this value, GMES[31:28] is changing from
    0x01 (BUP phase) to 0x03 (Policy Module) to 0x06 (Host
    Communication). Then, after some more time, fw_init_complete bit of
    HFS becomes 1.

    This means that ME starts loading its kernel immediately, without
    reboot.

    On the other hand, Lenovo BIOS clearly perform a reboot after
    enabling it (one reboot after saving the settings, then ThinkPad
    logo appears, and then one more reboot). I'm assuming we have to
    reset too.

Change-Id: Ic01526c9731cbef4e8552bbc352133a2415787c2
Signed-off-by: Evgeny Zinoviev <me@ch1p.io>

1 files changed, 62 insertions, 3 deletions

diff --git a/src/southbridge/intel/bd82x6x/me_8.x.c b/src/southbridge/intel/bd82x6x/me_8.x.c
index f5a39ecfa6..78c71aa368 100644
--- a/src/southbridge/intel/bd82x6x/me_8.x.c
+++ b/src/southbridge/intel/bd82x6x/me_8.x.c
@@ -9,6 +9,7 @@
  */
 
 #include <acpi/acpi.h>
+#include <cf9_reset.h>
 #include <device/mmio.h>
 #include <device/device.h>
 #include <device/pci.h>
@@ -19,6 +20,9 @@
 #include <string.h>
 #include <delay.h>
 #include <elog.h>
+#include <halt.h>
+#include <option.h>
+#include <southbridge/intel/common/me.h>
 
 #include "me.h"
 #include "pch.h"
@@ -206,8 +210,7 @@ static me_bios_path intel_me_path(struct device *dev)
 
 	/* Check if the MBP is ready */
 	if (!gmes.mbp_rdy) {
-		printk(BIOS_CRIT, "%s: mbp is not ready!\n",
-		       __func__);
+		printk(BIOS_CRIT, "%s: mbp is not ready!\n", __func__);
 		path = ME_ERROR_BIOS_PATH;
 	}
 
@@ -236,13 +239,20 @@ static void intel_me_init(struct device *dev)
 {
 	me_bios_path path = intel_me_path(dev);
 	me_bios_payload mbp_data;
+	u8 me_state = 0, me_state_prev = 0;
+	bool need_reset = false;
+	struct me_hfs hfs;
 
 	/* Do initial setup and determine the BIOS path */
 	printk(BIOS_NOTICE, "ME: BIOS path: %s\n", me_get_bios_path_string(path));
 
+	get_option(&me_state, "me_state");
+	get_option(&me_state_prev, "me_state_prev");
+
+	printk(BIOS_DEBUG, "ME: me_state=%u, me_state_prev=%u\n", me_state, me_state_prev);
+
 	switch (path) {
 	case ME_S3WAKE_BIOS_PATH:
-	case ME_DISABLE_BIOS_PATH:
 #if CONFIG(HIDE_MEI_ON_ERROR)
 	case ME_ERROR_BIOS_PATH:
 #endif
@@ -266,12 +276,49 @@ static void intel_me_init(struct device *dev)
 			me_print_fwcaps(&mbp_data.fw_caps_sku);
 		}
 
+		/* Put ME in Software Temporary Disable Mode, if needed */
+		if (me_state == CMOS_ME_STATE_DISABLED
+				&& CMOS_ME_STATE(me_state_prev) == CMOS_ME_STATE_NORMAL) {
+			printk(BIOS_INFO, "ME: disabling ME\n");
+			if (enter_soft_temp_disable()) {
+				enter_soft_temp_disable_wait();
+				need_reset = true;
+			} else {
+				printk(BIOS_ERR, "ME: failed to enter Soft Temporary Disable mode\n");
+			}
+
+			break;
+		}
+
 		/*
 		 * Leave the ME unlocked in this path.
 		 * It will be locked via SMI command later.
 		 */
 		break;
 
+	case ME_DISABLE_BIOS_PATH:
+		/* Bring ME out of Soft Temporary Disable mode, if needed */
+		pci_read_dword_ptr(dev, &hfs, PCI_ME_HFS);
+		if (hfs.operation_mode == ME_HFS_MODE_DIS
+				&& me_state == CMOS_ME_STATE_NORMAL
+				&& (CMOS_ME_STATE(me_state_prev) == CMOS_ME_STATE_DISABLED
+					|| !CMOS_ME_CHANGED(me_state_prev))) {
+			printk(BIOS_INFO, "ME: re-enabling ME\n");
+
+			exit_soft_temp_disable(dev);
+			exit_soft_temp_disable_wait(dev);
+
+			/*
+			 * ME starts loading firmware immediately after writing to H_GS,
+			 * but Lenovo BIOS performs a reboot after bringing ME back to
+			 * Normal mode. Assume that global reset is needed.
+			 */
+			need_reset = true;
+		} else {
+			intel_me_hide(dev);
+		}
+		break;
+
 #if !CONFIG(HIDE_MEI_ON_ERROR)
 	case ME_ERROR_BIOS_PATH:
 #endif
@@ -279,6 +326,18 @@ static void intel_me_init(struct device *dev)
 	case ME_FIRMWARE_UPDATE_BIOS_PATH:
 		break;
 	}
+
+	/* To avoid boot loops if ME fails to get back from disabled mode,
+	   set the 'changed' bit here. */
+	if (me_state != CMOS_ME_STATE(me_state_prev) || need_reset) {
+		u8 new_state = me_state | CMOS_ME_STATE_CHANGED;
+		set_option("me_state_prev", &new_state);
+	}
+
+	if (need_reset) {
+		set_global_reset(true);
+		full_reset();
+	}
 }
 
 static struct device_operations device_ops = {