-rw-r--r--src/soc/intel/common/block/include/intelblocks/msr.h8
-rw-r--r--src/soc/intel/common/block/include/intelblocks/sgx.h30
-rw-r--r--src/soc/intel/common/block/sgx/Kconfig7
-rw-r--r--src/soc/intel/common/block/sgx/Makefile.inc1
-rw-r--r--src/soc/intel/common/block/sgx/sgx.c (renamed from src/soc/intel/skylake/sgx.c)25
-rw-r--r--src/soc/intel/skylake/Kconfig1
-rw-r--r--src/soc/intel/skylake/Makefile.inc1
-rw-r--r--src/soc/intel/skylake/cpu.c16
-rw-r--r--src/soc/intel/skylake/include/soc/cpu.h1
-rw-r--r--src/soc/intel/skylake/include/soc/msr.h4
10 files changed, 72 insertions, 22 deletions
diff --git a/src/soc/intel/common/block/include/intelblocks/msr.h b/src/soc/intel/common/block/include/intelblocks/msr.h
index 6d78ed8c2f..1025c28e92 100644
--- a/src/soc/intel/common/block/include/intelblocks/msr.h
+++ b/src/soc/intel/common/block/include/intelblocks/msr.h
@@ -18,8 +18,10 @@
#define MSR_CORE_THREAD_COUNT 0x35
#define IA32_FEATURE_CONTROL 0x3a
+#define FEATURE_CONTROL_LOCK (1)
#define CPUID_VMX (1 << 5)
#define CPUID_SMX (1 << 6)
+#define SGX_GLOBAL_ENABLE (1 << 18)
#define PLATFORM_INFO_SET_TDP (1 << 29)
#define MSR_PLATFORM_INFO 0xce
#define MSR_PMG_CST_CONFIG_CONTROL 0xe2
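Review bot: The new bit names do not say which register they belong to, and their placement suggests the wrong one. `FEATURE_CONTROL_LOCK` and `SGX_GLOBAL_ENABLE` are interleaved with `CPUID_VMX`/`CPUID_SMX` although sgx.c applies them to IA32_FEATURE_CONTROL. In the last hunk of this file `SGX_SUPPORTED (1<<2)` sits beside `SMRR_SUPPORTED`/`PRMRR_SUPPORTED`, which sgx.c tests against MTRR_CAP_MSR, while `SGX_SUPPORTED` itself is tested against CPUID leaf 7 EBX. A short comment on each, e.g. `/* IA32_FEATURE_CONTROL[18] */` and `/* CPUID.(EAX=7,ECX=0):EBX[2] */`, would keep a later reader from masking the wrong register when gating SGX.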
@@ -31,6 +33,8 @@
#define IO_MWAIT_REDIRECT_MASK 0x400
/* Set MSR_PMG_CST_CONFIG_CONTROL[15] to lock CST_CFG [0-15] bits */
#define CST_CFG_LOCK_MASK 0x8000
+#define MSR_BIOS_UPGD_TRIG 0x7a
+#define SGX_ACTIVATE_BIT (1)
#define MSR_PMG_IO_CAPTURE_BASE 0xe4
#define MSR_POWER_MISC 0x120
#define ENABLE_IA_UNTRUSTED (1 << 6)
@@ -62,6 +66,7 @@
#define MISC_PWR_MGMT_ISST_EN_INT (1 << 7)
#define MISC_PWR_MGMT_ISST_EN_EPP (1 << 12)
#define MSR_TURBO_RATIO_LIMIT 0x1ad
+#define PRMRR_PHYS_BASE_MSR 0x1f4
#define PRMRR_PHYS_MASK_MSR 0x1f5
#define PRMRR_PHYS_MASK_LOCK (1 << 10)
#define PRMRR_PHYS_MASK_VALID (1 << 11)
@@ -69,6 +74,8 @@
#define MSR_EVICT_CTL 0x2e0
#define UNCORE_PRMRR_PHYS_BASE_MSR 0x2f4
#define UNCORE_PRMRR_PHYS_MASK_MSR 0x2f5
+#define MSR_SGX_OWNEREPOCH0 0x300
+#define MSR_SGX_OWNEREPOCH1 0x301
#define IA32_MC0_CTL 0x400
#define IA32_MC0_STATUS 0x401
#define SMM_FEATURE_CONTROL_MSR 0x4e0
@@ -124,5 +131,6 @@
#define SMRR_SUPPORTED (1<<11)
#define PRMRR_SUPPORTED (1<<12)
+#define SGX_SUPPORTED (1<<2)
#endif /* SOC_INTEL_COMMON_MSR_H */
diff --git a/src/soc/intel/common/block/include/intelblocks/sgx.h b/src/soc/intel/common/block/include/intelblocks/sgx.h
new file mode 100644
index 0000000000..03d4ab5123
--- /dev/null
+++ b/src/soc/intel/common/block/include/intelblocks/sgx.h
@@ -0,0 +1,30 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2017 Intel Corporation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef SOC_INTEL_COMMON_BLOCK_SGX_H
+#define SOC_INTEL_COMMON_BLOCK_SGX_H
+
+/*
+ * Lock SGX memory.
+ * CPU specific code needs to provide the implementation.
+ */
+void cpu_lock_sgx_memory(void);
+
+/*
+ * Configure SGX.
+ */
+void sgx_configure(const void *microcode_patch);
+
+#endif /* SOC_INTEL_COMMON_BLOCK_SGX_H */
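Review bot: The comments on both declarations leave out the contract that the common code depends on. sgx.c calls `cpu_lock_sgx_memory` immediately before reloading the microcode patch, so its comment should say that the SoC implementation must leave the lock set on return, e.g. `/* Lock SGX memory; called before the microcode reload and must leave the lock bit set on return. */`. The comment on `sgx_configure` should say what `microcode_patch` points to and that the function returns without doing anything when `sgx_enable` is clear in the chip config or SGX is unsupported. cpu.c calls it from both `soc_core_init` and `soc_init_cpus`, so the comment should also say whether repeated calls are expected.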
diff --git a/src/soc/intel/common/block/sgx/Kconfig b/src/soc/intel/common/block/sgx/Kconfig
new file mode 100644
index 0000000000..7889582007
--- /dev/null
+++ b/src/soc/intel/common/block/sgx/Kconfig
@@ -0,0 +1,7 @@
+config SOC_INTEL_COMMON_BLOCK_SGX
+ bool
+ default n
+ help
+ Software Guard eXtension(SGX) Feature. Intel SGX is a set of new CPU
+ instructions that can be used by applications to set aside privat
+ regions of code and data.
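Review bot: The help text has a typo, `privat` should be `private`, and `Software Guard eXtension(SGX)` reads better as `Software Guard Extensions (SGX)`. Because the symbol has no prompt and is only selected from SoC Kconfig, the help could also state that it only builds the common SGX code and that enabling still depends on the `sgx_enable` chip config field that sgx.c checks.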
diff --git a/src/soc/intel/common/block/sgx/Makefile.inc b/src/soc/intel/common/block/sgx/Makefile.inc
new file mode 100644
index 0000000000..3fa18d8873
--- /dev/null
+++ b/src/soc/intel/common/block/sgx/Makefile.inc
@@ -0,0 +1 @@
+ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_SGX) += sgx.c
diff --git a/src/soc/intel/skylake/sgx.c b/src/soc/intel/common/block/sgx/sgx.c
index 0e887de2ed..5a0b61dda6 100644
--- a/src/soc/intel/skylake/sgx.c
+++ b/src/soc/intel/common/block/sgx/sgx.c
@@ -18,6 +18,7 @@
#include <cpu/x86/msr.h>
#include <cpu/x86/mtrr.h>
#include <cpu/intel/microcode.h>
+#include <intelblocks/sgx.h>
#include <soc/cpu.h>
#include <soc/msr.h>
#include <soc/pci_devs.h>
@@ -29,7 +30,7 @@ static int is_sgx_supported(void)
cpuid_regs = cpuid_ext(0x7, 0x0); /* EBX[2] is feature capability */
msr = rdmsr(MTRR_CAP_MSR); /* Bit 12 is PRMRR enablement */
- return ((cpuid_regs.ebx & 0x4) && (msr.lo & PRMRR_SUPPORTED));
+ return ((cpuid_regs.ebx & SGX_SUPPORTED) && (msr.lo & PRMRR_SUPPORTED));
}
static int configure_core_prmrr(void)
@@ -55,7 +56,7 @@ static int configure_core_prmrr(void)
return 0;
/* Program core PRMRR MSRs */
- prmrr_base.lo |= 0x6; /* Set memory attribute to cache writeback */
+ prmrr_base.lo |= MTRR_TYPE_WRBACK; /* cache writeback mem attrib */
wrmsr(PRMRR_PHYS_BASE_MSR, prmrr_base);
prmrr_mask.lo &= ~PRMRR_PHYS_MASK_VALID; /* Do not set the valid bit */
prmrr_mask.lo |= PRMRR_PHYS_MASK_LOCK; /* Lock it */
@@ -69,8 +70,8 @@ static void enable_sgx(void)
msr = rdmsr(IA32_FEATURE_CONTROL);
/* Only enable it when it is not locked */
- if ((msr.lo & 1) == 0) {
- msr.lo |= (1 << 18); /* Enable it */
+ if ((msr.lo & FEATURE_CONTROL_LOCK) == 0) {
+ msr.lo |= SGX_GLOBAL_ENABLE; /* Enable it */
wrmsr(IA32_FEATURE_CONTROL, msr);
}
}
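Review bot: When IA32_FEATURE_CONTROL is already locked, the `if` body is skipped without any message, so a platform where the lock was set earlier with `SGX_GLOBAL_ENABLE` clear looks the same in the boot log as one where the enable succeeded. A log line on that path, e.g. `else if (!(msr.lo & SGX_GLOBAL_ENABLE)) printk(BIOS_ERR, "SGX: IA32_FEATURE_CONTROL locked with SGX disabled.\n");`, would make the state visible. enable_sgx starts outside the hunk and returns void, so whether its caller re-checks the MSR cannot be seen from here.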
@@ -110,11 +111,12 @@ static void activate_sgx(void)
* back and verify the bit is cleared to confirm SGX activation.
*/
msr = rdmsr(MSR_BIOS_UPGD_TRIG);
- if (msr.lo & 0x1) {
- wrmsr(MSR_BIOS_UPGD_TRIG, (msr_t) {.lo = 0x1, .hi = 0});
+ if (msr.lo & SGX_ACTIVATE_BIT) {
+ wrmsr(MSR_BIOS_UPGD_TRIG,
+ (msr_t) {.lo = SGX_ACTIVATE_BIT, .hi = 0});
/* Read back to verify it is activated */
msr = rdmsr(MSR_BIOS_UPGD_TRIG);
- if (msr.lo & 0x1)
+ if (msr.lo & SGX_ACTIVATE_BIT)
printk(BIOS_ERR, "SGX activation failed.\n");
else
printk(BIOS_INFO, "SGX activation was successful.\n");
@@ -123,11 +125,10 @@ static void activate_sgx(void)
}
}
-void configure_sgx(const void *microcode_patch)
+void sgx_configure(const void *microcode_patch)
{
device_t dev = SA_DEV_ROOT;
config_t *conf = dev->chip_info;
- msr_t msr;
if (!conf->sgx_enable || !is_sgx_supported())
return;
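Review bot: `sgx_configure` now lives in the common block but still reads `conf->sgx_enable` through the SoC's `config_t` and `SA_DEV_ROOT`. Every SoC that selects SOC_INTEL_COMMON_BLOCK_SGX therefore has to provide a `config_t` with a field of that exact name. `dev->chip_info` is also read in the declaration without a check; if `SA_DEV_ROOT` or its chip_info can be NULL on another SoC, this would fault during CPU init. Consider splitting the declaration so that `if (!dev || !dev->chip_info) return;` runs first, or have SoC code pass the enable flag in. The function body continues outside the hunk.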
@@ -144,11 +145,7 @@ void configure_sgx(const void *microcode_patch)
return;
/* Ensure to lock memory before reload microcode patch */
- msr = rdmsr(MSR_LT_LOCK_MEMORY);
- if ((msr.lo & 1) == 0) {
- msr.lo |= 1; /* Lock it */
- wrmsr(MSR_LT_LOCK_MEMORY, msr);
- }
+ cpu_lock_sgx_memory();
/* Reload the microcode patch */
intel_microcode_load_unlocked(microcode_patch);
diff --git a/src/soc/intel/skylake/Kconfig b/src/soc/intel/skylake/Kconfig
index 1dc80552ce..c558886584 100644
--- a/src/soc/intel/skylake/Kconfig
+++ b/src/soc/intel/skylake/Kconfig
@@ -65,6 +65,7 @@ config CPU_SPECIFIC_OPTIONS
select SOC_INTEL_COMMON_BLOCK_SA
select SOC_INTEL_COMMON_BLOCK_SATA
select SOC_INTEL_COMMON_BLOCK_SCS
+ select SOC_INTEL_COMMON_BLOCK_SGX
select SOC_INTEL_COMMON_BLOCK_SMBUS
select SOC_INTEL_COMMON_BLOCK_TIMER
select SOC_INTEL_COMMON_BLOCK_UART
diff --git a/src/soc/intel/skylake/Makefile.inc b/src/soc/intel/skylake/Makefile.inc
index 75d57a9c19..0a8d10577e 100644
--- a/src/soc/intel/skylake/Makefile.inc
+++ b/src/soc/intel/skylake/Makefile.inc
@@ -63,7 +63,6 @@ ramstage-y += pmc.c
ramstage-y += pmutil.c
ramstage-$(CONFIG_PLATFORM_USES_FSP2_0) += reset.c
ramstage-y += sd.c
-ramstage-y += sgx.c
ramstage-y += smi.c
ramstage-y += smmrelocate.c
ramstage-y += spi.c
diff --git a/src/soc/intel/skylake/cpu.c b/src/soc/intel/skylake/cpu.c
index e3be73870f..7f455e0d59 100644
--- a/src/soc/intel/skylake/cpu.c
+++ b/src/soc/intel/skylake/cpu.c
@@ -37,6 +37,7 @@
#include <intelblocks/cpulib.h>
#include <intelblocks/fast_spi.h>
#include <intelblocks/mp_init.h>
+#include <intelblocks/sgx.h>
#include <pc80/mc146818rtc.h>
#include <soc/cpu.h>
#include <soc/msr.h>
@@ -422,7 +423,7 @@ void soc_core_init(device_t cpu, const void *microcode)
enable_turbo();
/* Configure SGX */
- configure_sgx(microcode);
+ sgx_configure(microcode);
}
static int adjust_apic_id(int index, int apic_id)
@@ -489,7 +490,7 @@ void soc_init_cpus(struct bus *cpu_bus, const void *microcode)
* here to get SGX enabled on BSP. This behavior needs to root-caused
* and we shall not have this redundant call.
*/
- configure_sgx(microcode);
+ sgx_configure(microcode);
}
int soc_skip_ucode_update(u32 current_patch_id, u32 new_patch_id)
@@ -514,3 +515,14 @@ int soc_skip_ucode_update(u32 current_patch_id, u32 new_patch_id)
return (msr1.lo & PRMRR_SUPPORTED) &&
(current_patch_id == new_patch_id - 1);
}
+
+void cpu_lock_sgx_memory(void)
+{
+ msr_t msr;
+
+ msr = rdmsr(MSR_LT_LOCK_MEMORY);
+ if ((msr.lo & 1) == 0) {
+ msr.lo |= 1; /* Lock it */
+ wrmsr(MSR_LT_LOCK_MEMORY, msr);
+ }
+}
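Review bot: `cpu_lock_sgx_memory` still uses the bare literal `1` for the lock bit, while the rest of this commit replaces such literals with names, and unlike `activate_sgx` it does not read the MSR back after the write. A named bit would match the rest of the SGX code, for example a new `LT_LOCK_MEMORY_LOCK` define next to `MSR_LT_LOCK_MEMORY` (the name is only a suggestion). A read-back that logs at `BIOS_ERR` when the bit is still clear would give the lock the same verification `activate_sgx` has. That matters here because `sgx_configure` reloads the microcode patch right after this call, and the void return gives it no way to notice a lock that did not take.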
diff --git a/src/soc/intel/skylake/include/soc/cpu.h b/src/soc/intel/skylake/include/soc/cpu.h
index 059367aaa9..8073fcdded 100644
--- a/src/soc/intel/skylake/include/soc/cpu.h
+++ b/src/soc/intel/skylake/include/soc/cpu.h
@@ -56,6 +56,5 @@ void set_power_limits(u8 power_limit_1_time);
u32 cpu_family_model(void);
u32 cpu_stepping(void);
int cpu_is_ult(void);
-void configure_sgx(const void *microcode_patch);
#endif
diff --git a/src/soc/intel/skylake/include/soc/msr.h b/src/soc/intel/skylake/include/soc/msr.h
index bb4b8e72ac..81b6cc9de1 100644
--- a/src/soc/intel/skylake/include/soc/msr.h
+++ b/src/soc/intel/skylake/include/soc/msr.h
@@ -20,7 +20,6 @@
#include <intelblocks/msr.h>
#define MSR_PIC_MSG_CONTROL 0x2e
-#define MSR_BIOS_UPGD_TRIG 0x7a
#define MSR_EMULATE_PM_TIMER 0x121
#define EMULATE_PM_TMR_EN (1 << 16)
#define EMULATE_DELAY_OFFSET_VALUE 20
@@ -31,11 +30,8 @@
#define ENERGY_POLICY_NORMAL 6
#define ENERGY_POLICY_POWERSAVE 15
#define IA32_PACKAGE_THERM_INTERRUPT 0x1b2
-#define PRMRR_PHYS_BASE_MSR 0x1f4
#define IA32_PLATFORM_DCA_CAP 0x1f8
#define MSR_LT_LOCK_MEMORY 0x2e7
-#define MSR_SGX_OWNEREPOCH0 0x300
-#define MSR_SGX_OWNEREPOCH1 0x301
#define MSR_VR_CURRENT_CONFIG 0x601
#define MSR_VR_MISC_CONFIG 0x603
#define MSR_VR_MISC_CONFIG2 0x636