summaryrefslogtreecommitdiff
path: root/src/soc/intel/common/pch
diff options
context:
space:
mode:
Diffstat (limited to 'src/soc/intel/common/pch')
-rw-r--r--src/soc/intel/common/pch/Kconfig1
-rw-r--r--src/soc/intel/common/pch/include/intelpch/lockdown.h40
-rw-r--r--src/soc/intel/common/pch/lockdown/Kconfig7
-rw-r--r--src/soc/intel/common/pch/lockdown/Makefile.inc1
-rw-r--r--src/soc/intel/common/pch/lockdown/lockdown.c107
5 files changed, 156 insertions, 0 deletions
diff --git a/src/soc/intel/common/pch/Kconfig b/src/soc/intel/common/pch/Kconfig
index cc4f24a6dd..1157eb4f27 100644
--- a/src/soc/intel/common/pch/Kconfig
+++ b/src/soc/intel/common/pch/Kconfig
@@ -41,5 +41,6 @@ config PCH_SPECIFIC_OPTIONS
select SOC_INTEL_COMMON_BLOCK_UART
select SOC_INTEL_COMMON_BLOCK_XDCI
select SOC_INTEL_COMMON_BLOCK_XHCI
+ select SOC_INTEL_COMMON_PCH_LOCKDOWN
endif
diff --git a/src/soc/intel/common/pch/include/intelpch/lockdown.h b/src/soc/intel/common/pch/include/intelpch/lockdown.h
new file mode 100644
index 0000000000..adbf2fe573
--- /dev/null
+++ b/src/soc/intel/common/pch/include/intelpch/lockdown.h
@@ -0,0 +1,40 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2018 Intel Corporation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef SOC_INTEL_COMMON_PCH_LOCKDOWN_H
+#define SOC_INTEL_COMMON_PCH_LOCKDOWN_H
+
+#include <stdint.h>
+
+/*
+ * This function will get lockdown config specific to soc.
+ *
+ * Return values:
+ * 0 = CHIPSET_LOCKDOWN_FSP = use FSP's lockdown functionality to lockdown IPs
+ * 1 = CHIPSET_LOCKDOWN_COREBOOT = Use coreboot to lockdown IPs
+ */
+int get_lockdown_config(void);
+
+/*
+ * Common PCH lockdown will perform lock down operation for DMI, FAST_SPI.
+ * And SoC should implement any other PCH lockdown if applicable as
+ * per silicon security guideline (i.e. LPC, PMC etc.)
+ *
+ * Input:
+ * chipset_lockdown = Return value from get_lockdown_config() function
+ */
+void soc_lockdown_config(int chipset_lockdown);
+
+#endif /* SOC_INTEL_COMMON_PCH_LOCKDOWN_H */
diff --git a/src/soc/intel/common/pch/lockdown/Kconfig b/src/soc/intel/common/pch/lockdown/Kconfig
new file mode 100644
index 0000000000..8fce5e785c
--- /dev/null
+++ b/src/soc/intel/common/pch/lockdown/Kconfig
@@ -0,0 +1,7 @@
+config SOC_INTEL_COMMON_PCH_LOCKDOWN
+ bool
+ default n
+ help
+ This option allows to have chipset lockdown for DMI, FAST_SPI and
+ soc_lockdown_config() to implement any additional lockdown as PMC,
+ LPC for supported PCH.
diff --git a/src/soc/intel/common/pch/lockdown/Makefile.inc b/src/soc/intel/common/pch/lockdown/Makefile.inc
new file mode 100644
index 0000000000..f4663f569a
--- /dev/null
+++ b/src/soc/intel/common/pch/lockdown/Makefile.inc
@@ -0,0 +1 @@
+ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c
diff --git a/src/soc/intel/common/pch/lockdown/lockdown.c b/src/soc/intel/common/pch/lockdown/lockdown.c
new file mode 100644
index 0000000000..f37d00117e
--- /dev/null
+++ b/src/soc/intel/common/pch/lockdown/lockdown.c
@@ -0,0 +1,107 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018 Intel Corporation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include <arch/io.h>
+#include <bootstate.h>
+#include <console/console.h>
+#include <intelblocks/chip.h>
+#include <intelblocks/fast_spi.h>
+#include <intelblocks/pcr.h>
+#include <intelpch/lockdown.h>
+#include <soc/pci_devs.h>
+#include <soc/pcr_ids.h>
+#include <soc/soc_chip.h>
+#include <string.h>
+
+#define PCR_DMI_GCS 0x274C
+#define PCR_DMI_GCS_BILD (1 << 0)
+
+/*
+ * This function will get lockdown config specific to soc.
+ *
+ * Return values:
+ * 0 = CHIPSET_LOCKDOWN_FSP = use FSP's lockdown functionality to lockdown IPs
+ * 1 = CHIPSET_LOCKDOWN_COREBOOT = Use coreboot to lockdown IPs
+ */
+int get_lockdown_config(void)
+{
+ const struct soc_intel_common_config *common_config;
+ common_config = chip_get_common_soc_structure();
+
+ return common_config->chipset_lockdown;
+}
+
+static void dmi_lockdown_cfg(void)
+{
+ /*
+ * GCS reg of DMI
+ *
+ * When set, prevents GCS.BBS from being changed
+ * GCS.BBS: (Boot BIOS Strap) This field determines the destination
+ * of accesses to the BIOS memory range.
+ * Bits Description
+ * "0b": SPI
+ * "1b": LPC/eSPI
+ */
+ pcr_or8(PID_DMI, PCR_DMI_GCS, PCR_DMI_GCS_BILD);
+}
+
+static void fast_spi_lockdown_cfg(int chipset_lockdown)
+{
+ if (!IS_ENABLED(CONFIG_SOC_INTEL_COMMON_BLOCK_FAST_SPI))
+ return;
+
+ /* Set FAST_SPI opcode menu */
+ fast_spi_set_opcode_menu();
+
+ /* Discrete Lock Flash PR registers */
+ fast_spi_pr_dlock();
+
+ /* Lock FAST_SPIBAR */
+ fast_spi_lock_bar();
+
+ /* Set Bios Interface Lock, Bios Lock */
+ if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
+ /* Bios Interface Lock */
+ fast_spi_set_bios_interface_lock_down();
+
+ /* Bios Lock */
+ fast_spi_set_lock_enable();
+ }
+}
+
+/*
+ * platform_lockdown_config has 2 major part.
+ * 1. Common SoC lockdown configuration.
+ * 2. SoC specific lockdown configuration as per Silicon
+ * guideline.
+ */
+static void platform_lockdown_config(void *unused)
+{
+ int chipset_lockdown;
+ chipset_lockdown = get_lockdown_config();
+
+ /* SPI lock down configuration */
+ fast_spi_lockdown_cfg(chipset_lockdown);
+
+ /* DMI lock down configuration */
+ dmi_lockdown_cfg();
+
+ /* SoC lock down configuration */
+ soc_lockdown_config(chipset_lockdown);
+}
+
+BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_EXIT, platform_lockdown_config,
+ NULL);