diff options
-rw-r--r-- | src/soc/intel/cannonlake/lockdown.c | 97 | ||||
-rw-r--r-- | src/soc/intel/common/pch/Kconfig | 1 | ||||
-rw-r--r-- | src/soc/intel/common/pch/include/intelpch/lockdown.h | 40 | ||||
-rw-r--r-- | src/soc/intel/common/pch/lockdown/Kconfig | 7 | ||||
-rw-r--r-- | src/soc/intel/common/pch/lockdown/Makefile.inc | 1 | ||||
-rw-r--r-- | src/soc/intel/common/pch/lockdown/lockdown.c | 107 | ||||
-rw-r--r-- | src/soc/intel/skylake/chip.c | 9 | ||||
-rw-r--r-- | src/soc/intel/skylake/chip_fsp20.c | 9 | ||||
-rw-r--r-- | src/soc/intel/skylake/lockdown.c | 70 |
9 files changed, 195 insertions, 146 deletions
diff --git a/src/soc/intel/cannonlake/lockdown.c b/src/soc/intel/cannonlake/lockdown.c index 1f1e654636..c57cde8aed 100644 --- a/src/soc/intel/cannonlake/lockdown.c +++ b/src/soc/intel/cannonlake/lockdown.c @@ -14,94 +14,59 @@ */ #include <arch/io.h> -#include <bootstate.h> -#include <chip.h> #include <intelblocks/chip.h> -#include <intelblocks/fast_spi.h> -#include <intelblocks/lpc_lib.h> -#include <intelblocks/pcr.h> -#include <soc/pci_devs.h> -#include <soc/pcr_ids.h> +#include <intelpch/lockdown.h> #include <soc/pm.h> -#include <string.h> -#define PCR_DMI_GCS 0x274C -#define PCR_DMI_GCS_BILD (1 << 0) - -static void pmc_lockdown_cfg(const struct soc_intel_common_config *config) +static void pmc_lock_pmsync(void) { - uint8_t *pmcbase, reg8; - uint32_t reg32, pmsyncreg; + uint8_t *pmcbase; + uint32_t pmsyncreg; - /* PMSYNC */ pmcbase = pmc_mmio_regs(); + pmsyncreg = read32(pmcbase + PMSYNC_TPR_CFG); pmsyncreg |= PCH2CPU_TPR_CFG_LOCK; write32(pmcbase + PMSYNC_TPR_CFG, pmsyncreg); +} + +static void pmc_lock_abase(void) +{ + uint8_t *pmcbase; + uint32_t reg32; + + pmcbase = pmc_mmio_regs(); - /* Lock down ABASE and sleep stretching policy */ reg32 = read32(pmcbase + GEN_PMCON_B); reg32 |= (SLP_STR_POL_LOCK | ACPI_BASE_LOCK); write32(pmcbase + GEN_PMCON_B, reg32); - - if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { - pmcbase = pmc_mmio_regs(); - reg8 = read8(pmcbase + GEN_PMCON_B); - reg8 |= SMI_LOCK; - write8(pmcbase + GEN_PMCON_B, reg8); - } -} - -static void dmi_lockdown_cfg(void) -{ - /* - * GCS reg of DMI - * - * When set, prevents GCS.BBS from being changed - * GCS.BBS: (Boot BIOS Strap) This field determines the destination - * of accesses to the BIOS memory range. - * Bits Description - * "0b": SPI - * "1b": LPC/eSPI - */ - pcr_or8(PID_DMI, PCR_DMI_GCS, PCR_DMI_GCS_BILD); } -static void fast_spi_lockdown_cfg(const struct soc_intel_common_config *config) +static void pmc_lock_smi(void) { - /* Set FAST_SPI opcode menu */ - fast_spi_set_opcode_menu(); - - /* Discrete Lock Flash PR registers */ - fast_spi_pr_dlock(); + uint8_t *pmcbase; + uint8_t reg8; - /* Lock FAST_SPIBAR */ - fast_spi_lock_bar(); - - /* Set Bios Interface Lock, Bios Lock */ - if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { - /* Bios Interface Lock */ - fast_spi_set_bios_interface_lock_down(); + pmcbase = pmc_mmio_regs(); - /* Bios Lock */ - fast_spi_set_lock_enable(); - } + reg8 = read8(pmcbase + GEN_PMCON_B); + reg8 |= SMI_LOCK; + write8(pmcbase + GEN_PMCON_B, reg8); } -static void platform_lockdown_config(void *unused) +static void pmc_lockdown_cfg(int chipset_lockdown) { - const struct soc_intel_common_config *common_config; - common_config = chip_get_common_soc_structure(); - - /* SPI lock down configuration */ - fast_spi_lockdown_cfg(common_config); + /* PMSYNC */ + pmc_lock_pmsync(); + /* Lock down ABASE and sleep stretching policy */ + pmc_lock_abase(); - /* DMI lock down configuration */ - dmi_lockdown_cfg(); + if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) + pmc_lock_smi(); +} +void soc_lockdown_config(int chipset_lockdown) +{ /* PMC lock down configuration */ - pmc_lockdown_cfg(common_config); + pmc_lockdown_cfg(chipset_lockdown); } - -BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_EXIT, platform_lockdown_config, - NULL); diff --git a/src/soc/intel/common/pch/Kconfig b/src/soc/intel/common/pch/Kconfig index cc4f24a6dd..1157eb4f27 100644 --- a/src/soc/intel/common/pch/Kconfig +++ b/src/soc/intel/common/pch/Kconfig @@ -41,5 +41,6 @@ config PCH_SPECIFIC_OPTIONS select SOC_INTEL_COMMON_BLOCK_UART select SOC_INTEL_COMMON_BLOCK_XDCI select SOC_INTEL_COMMON_BLOCK_XHCI + select SOC_INTEL_COMMON_PCH_LOCKDOWN endif diff --git a/src/soc/intel/common/pch/include/intelpch/lockdown.h b/src/soc/intel/common/pch/include/intelpch/lockdown.h new file mode 100644 index 0000000000..adbf2fe573 --- /dev/null +++ b/src/soc/intel/common/pch/include/intelpch/lockdown.h @@ -0,0 +1,40 @@ +/* + * This file is part of the coreboot project. + * + * Copyright 2018 Intel Corporation. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#ifndef SOC_INTEL_COMMON_PCH_LOCKDOWN_H +#define SOC_INTEL_COMMON_PCH_LOCKDOWN_H + +#include <stdint.h> + +/* + * This function will get lockdown config specific to soc. + * + * Return values: + * 0 = CHIPSET_LOCKDOWN_FSP = use FSP's lockdown functionality to lockdown IPs + * 1 = CHIPSET_LOCKDOWN_COREBOOT = Use coreboot to lockdown IPs + */ +int get_lockdown_config(void); + +/* + * Common PCH lockdown will perform lock down operation for DMI, FAST_SPI. + * And SoC should implement any other PCH lockdown if applicable as + * per silicon security guideline (i.e. LPC, PMC etc.) + * + * Input: + * chipset_lockdown = Return value from get_lockdown_config() function + */ +void soc_lockdown_config(int chipset_lockdown); + +#endif /* SOC_INTEL_COMMON_PCH_LOCKDOWN_H */ diff --git a/src/soc/intel/common/pch/lockdown/Kconfig b/src/soc/intel/common/pch/lockdown/Kconfig new file mode 100644 index 0000000000..8fce5e785c --- /dev/null +++ b/src/soc/intel/common/pch/lockdown/Kconfig @@ -0,0 +1,7 @@ +config SOC_INTEL_COMMON_PCH_LOCKDOWN + bool + default n + help + This option allows to have chipset lockdown for DMI, FAST_SPI and + soc_lockdown_config() to implement any additional lockdown as PMC, + LPC for supported PCH. diff --git a/src/soc/intel/common/pch/lockdown/Makefile.inc b/src/soc/intel/common/pch/lockdown/Makefile.inc new file mode 100644 index 0000000000..f4663f569a --- /dev/null +++ b/src/soc/intel/common/pch/lockdown/Makefile.inc @@ -0,0 +1 @@ +ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c diff --git a/src/soc/intel/common/pch/lockdown/lockdown.c b/src/soc/intel/common/pch/lockdown/lockdown.c new file mode 100644 index 0000000000..f37d00117e --- /dev/null +++ b/src/soc/intel/common/pch/lockdown/lockdown.c @@ -0,0 +1,107 @@ +/* + * This file is part of the coreboot project. + * + * Copyright (C) 2018 Intel Corporation. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#include <arch/io.h> +#include <bootstate.h> +#include <console/console.h> +#include <intelblocks/chip.h> +#include <intelblocks/fast_spi.h> +#include <intelblocks/pcr.h> +#include <intelpch/lockdown.h> +#include <soc/pci_devs.h> +#include <soc/pcr_ids.h> +#include <soc/soc_chip.h> +#include <string.h> + +#define PCR_DMI_GCS 0x274C +#define PCR_DMI_GCS_BILD (1 << 0) + +/* + * This function will get lockdown config specific to soc. + * + * Return values: + * 0 = CHIPSET_LOCKDOWN_FSP = use FSP's lockdown functionality to lockdown IPs + * 1 = CHIPSET_LOCKDOWN_COREBOOT = Use coreboot to lockdown IPs + */ +int get_lockdown_config(void) +{ + const struct soc_intel_common_config *common_config; + common_config = chip_get_common_soc_structure(); + + return common_config->chipset_lockdown; +} + +static void dmi_lockdown_cfg(void) +{ + /* + * GCS reg of DMI + * + * When set, prevents GCS.BBS from being changed + * GCS.BBS: (Boot BIOS Strap) This field determines the destination + * of accesses to the BIOS memory range. + * Bits Description + * "0b": SPI + * "1b": LPC/eSPI + */ + pcr_or8(PID_DMI, PCR_DMI_GCS, PCR_DMI_GCS_BILD); +} + +static void fast_spi_lockdown_cfg(int chipset_lockdown) +{ + if (!IS_ENABLED(CONFIG_SOC_INTEL_COMMON_BLOCK_FAST_SPI)) + return; + + /* Set FAST_SPI opcode menu */ + fast_spi_set_opcode_menu(); + + /* Discrete Lock Flash PR registers */ + fast_spi_pr_dlock(); + + /* Lock FAST_SPIBAR */ + fast_spi_lock_bar(); + + /* Set Bios Interface Lock, Bios Lock */ + if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { + /* Bios Interface Lock */ + fast_spi_set_bios_interface_lock_down(); + + /* Bios Lock */ + fast_spi_set_lock_enable(); + } +} + +/* + * platform_lockdown_config has 2 major part. + * 1. Common SoC lockdown configuration. + * 2. SoC specific lockdown configuration as per Silicon + * guideline. + */ +static void platform_lockdown_config(void *unused) +{ + int chipset_lockdown; + chipset_lockdown = get_lockdown_config(); + + /* SPI lock down configuration */ + fast_spi_lockdown_cfg(chipset_lockdown); + + /* DMI lock down configuration */ + dmi_lockdown_cfg(); + + /* SoC lock down configuration */ + soc_lockdown_config(chipset_lockdown); +} + +BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_EXIT, platform_lockdown_config, + NULL); diff --git a/src/soc/intel/skylake/chip.c b/src/soc/intel/skylake/chip.c index 466db0950e..e8023ba0ce 100644 --- a/src/soc/intel/skylake/chip.c +++ b/src/soc/intel/skylake/chip.c @@ -21,6 +21,7 @@ #include <device/pci.h> #include <fsp/util.h> #include <intelblocks/xdci.h> +#include <intelpch/lockdown.h> #include <soc/acpi.h> #include <soc/interrupt.h> #include <soc/irq.h> @@ -69,14 +70,6 @@ static void soc_enable(struct device *dev) dev->ops = &cpu_bus_ops; } -static int get_lockdown_config(void) -{ - const struct soc_intel_common_config *soc_config; - soc_config = chip_get_common_soc_structure(); - - return soc_config->chipset_lockdown; -} - struct chip_operations soc_intel_skylake_ops = { CHIP_NAME("Intel Skylake") .enable_dev = &soc_enable, diff --git a/src/soc/intel/skylake/chip_fsp20.c b/src/soc/intel/skylake/chip_fsp20.c index ebfad667bb..00c7163a2f 100644 --- a/src/soc/intel/skylake/chip_fsp20.c +++ b/src/soc/intel/skylake/chip_fsp20.c @@ -30,6 +30,7 @@ #include <fsp/api.h> #include <fsp/util.h> #include <intelblocks/xdci.h> +#include <intelpch/lockdown.h> #include <romstage_handoff.h> #include <soc/acpi.h> #include <soc/intel/common/vbt.h> @@ -211,14 +212,6 @@ static void soc_enable(struct device *dev) dev->ops = &cpu_bus_ops; } -static int get_lockdown_config(void) -{ - const struct soc_intel_common_config *soc_config; - soc_config = chip_get_common_soc_structure(); - - return soc_config->chipset_lockdown; -} - struct chip_operations soc_intel_skylake_ops = { CHIP_NAME("Intel 6th Gen") .enable_dev = &soc_enable, diff --git a/src/soc/intel/skylake/lockdown.c b/src/soc/intel/skylake/lockdown.c index fd1f5b2206..e4818dc212 100644 --- a/src/soc/intel/skylake/lockdown.c +++ b/src/soc/intel/skylake/lockdown.c @@ -1,7 +1,7 @@ /* * This file is part of the coreboot project. * - * Copyright (C) 2017 Intel Corporation. + * Copyright (C) 2017-2018 Intel Corporation. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -14,24 +14,15 @@ */ #include <arch/io.h> -#include <bootstate.h> -#include <chip.h> #include <intelblocks/chip.h> -#include <intelblocks/fast_spi.h> #include <intelblocks/lpc_lib.h> -#include <intelblocks/pcr.h> -#include <soc/pci_devs.h> -#include <soc/pcr_ids.h> +#include <intelpch/lockdown.h> #include <soc/pm.h> -#include <string.h> -#define PCR_DMI_GCS 0x274C -#define PCR_DMI_GCS_BILD (1 << 0) - -static void lpc_lockdown_config(const struct soc_intel_common_config *config) +static void lpc_lockdown_config(int chipset_lockdown) { /* Set Bios Interface Lock, Bios Lock */ - if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { + if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { lpc_set_bios_interface_lock_down(); lpc_set_lock_enable(); } @@ -49,60 +40,11 @@ static void pmc_lockdown_config(void) write32(pmcbase + PMSYNC_TPR_CFG, pmsyncreg); } -static void dmi_lockdown_config(void) +void soc_lockdown_config(int chipset_lockdown) { - /* - * GCS reg of DMI - * - * When set, prevents GCS.BBS from being changed - * GCS.BBS: (Boot BIOS Strap) This field determines the destination - * of accesses to the BIOS memory range. - * Bits Description - * "0b": SPI - * "1b": LPC/eSPI - */ - pcr_or8(PID_DMI, PCR_DMI_GCS, PCR_DMI_GCS_BILD); -} - -static void fast_spi_lockdown_config(const - struct soc_intel_common_config *config) -{ - /* Set FAST_SPI opcode menu */ - fast_spi_set_opcode_menu(); - - /* Discrete Lock Flash PR registers */ - fast_spi_pr_dlock(); - - /* Lock FAST_SPIBAR */ - fast_spi_lock_bar(); - - /* Set Bios Interface Lock, Bios Lock */ - if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { - /* Bios Interface Lock */ - fast_spi_set_bios_interface_lock_down(); - - /* Bios Lock */ - fast_spi_set_lock_enable(); - } -} - -static void platform_lockdown_config(void *unused) -{ - const struct soc_intel_common_config *common_config; - common_config = chip_get_common_soc_structure(); - /* LPC lock down configuration */ - lpc_lockdown_config(common_config); - - /* SPI lock down configuration */ - fast_spi_lockdown_config(common_config); - - /* DMI lock down configuration */ - dmi_lockdown_config(); + lpc_lockdown_config(chipset_lockdown); /* PMC lock down configuration */ pmc_lockdown_config(); } - -BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_EXIT, platform_lockdown_config, - NULL); |