From 51d1f30d0eed4d594d351cc3c1d92f48f45bfb27 Mon Sep 17 00:00:00 2001 From: Felix Held Date: Wed, 4 Oct 2023 21:10:36 +0200 Subject: soc/amd/*/Kconfig: rework SPL options Move all security patch level (SPL) related Kconfig options to the common AMD PSP Kconfig file. Commit 4ab1db82bb30 ("soc/amd: rework SPL file override and SPL fusing handling") already reworked the SPL handling, but missed that another Kconfig option SOC_AMD_COMMON_BLOCK_PSP_FUSE_SPL controlled if the PSP mailbox command to update the SPL fuses was sent by the code that got added to the build when PERFORM_SPL_FUSING was selected. To make things less unexpected, rename PERFORM_SPL_FUSING to SOC_AMD_COMMON_BLOCK_PSP_SPL since it actually controls if the SPL support code is added to the build and also rename SOC_AMD_COMMON_BLOCK_PSP_FUSE_SPL to PERFORM_SPL_FUSING. This changes PERFORM_SPL_FUSING from the option that includes the code that could do the fusing if another option is set into the option that controls whether the fusing mailbox command is sent. All SoCs that support SPL now select SOC_AMD_COMMON_BLOCK_PSP_SPL in their Kconfig, which won't burn any SPL fuses. The logic in the Skyrim mainboard Kconfig file is reworked to select PERFORM_SPL_FUSING for all boards on which the SPL fuses should be updated; on Guybrush PERFORM_SPL_FUSING default is changed to y for all variants. The option to include the code that checks the SPL fusing conditions and allows sending the command to update the SPL fuses if the corresponding Kconfig is set doesn't need to be added on the mainboard level, since it's already selected at the SoC level. 
Signed-off-by: Felix Held Change-Id: I12fd8775db66f16fe632674cd67c6af483e8d4e2 Reviewed-on: https://review.coreboot.org/c/coreboot/+/78309 Tested-by: build bot (Jenkins) Reviewed-by: Matt DeVillier Reviewed-by: Matt DeVillier --- src/mainboard/google/guybrush/Kconfig | 1 - src/mainboard/google/skyrim/Kconfig | 6 +---- src/soc/amd/cezanne/Kconfig | 23 +--------------- src/soc/amd/common/block/psp/Kconfig | 45 ++++++++++++++++++++++++++++--- src/soc/amd/common/block/psp/Makefile.inc | 2 +- src/soc/amd/common/block/psp/spl_fuse.c | 2 +- src/soc/amd/genoa/Kconfig | 23 +--------------- src/soc/amd/glinda/Kconfig | 34 +---------------------- src/soc/amd/mendocino/Kconfig | 34 +---------------------- src/soc/amd/phoenix/Kconfig | 34 +---------------------- 10 files changed, 49 insertions(+), 155 deletions(-) diff --git a/src/mainboard/google/guybrush/Kconfig b/src/mainboard/google/guybrush/Kconfig index 30d92779e4..3173980918 100644 --- a/src/mainboard/google/guybrush/Kconfig +++ b/src/mainboard/google/guybrush/Kconfig @@ -41,7 +41,6 @@ config BOARD_GOOGLE_BASEBOARD_GUYBRUSH select SOC_AMD_COMMON_BLOCK_GRAPHICS_ATIF select SOC_AMD_COMMON_BLOCK_I2C3_TPM_SHARED_WITH_PSP select SOC_AMD_COMMON_BLOCK_USE_ESPI - select SOC_AMD_COMMON_BLOCK_PSP_FUSE_SPL select SYSTEM_TYPE_LAPTOP select TPM_GOOGLE_CR50 select AMD_FWM_POSITION_C20000_DEFAULT diff --git a/src/mainboard/google/skyrim/Kconfig b/src/mainboard/google/skyrim/Kconfig index 06119e00b0..be5afada15 100644 --- a/src/mainboard/google/skyrim/Kconfig +++ b/src/mainboard/google/skyrim/Kconfig @@ -96,10 +96,6 @@ config PSP_LOAD_MP2_FW depends on CHROMEOS default y -config PERFORM_SPL_FUSING - bool - default y - config SPL_TABLE_FILE string default "3rdparty/blobs/mainboard/google/skyrim/TypeId0x55_SplTableBl_MDN_CHROME_RO.sbin" 
@@ -112,7 +108,7 @@ config SPL_RW_AB_TABLE_FILE string default "3rdparty/blobs/mainboard/google/skyrim/TypeId0x55_SplTableBl_MDN_CHROME.sbin" -config SOC_AMD_COMMON_BLOCK_PSP_FUSE_SPL +config PERFORM_SPL_FUSING default y if BOARD_GOOGLE_WINTERHOLD default y if BOARD_GOOGLE_FROSTFLOW default y if BOARD_GOOGLE_MARKARTH diff --git a/src/soc/amd/cezanne/Kconfig b/src/soc/amd/cezanne/Kconfig index ca84b33f06..452e3ec354 100644 --- a/src/soc/amd/cezanne/Kconfig +++ b/src/soc/amd/cezanne/Kconfig @@ -58,6 +58,7 @@ config SOC_AMD_CEZANNE select SOC_AMD_COMMON_BLOCK_PM select SOC_AMD_COMMON_BLOCK_PM_CHIPSET_STATE_SAVE select SOC_AMD_COMMON_BLOCK_PSP_GEN2 + select SOC_AMD_COMMON_BLOCK_PSP_SPL select SOC_AMD_COMMON_BLOCK_RESET select SOC_AMD_COMMON_BLOCK_SMBUS select SOC_AMD_COMMON_BLOCK_SMI @@ -376,28 +377,6 @@ config PSP_WHITELIST_FILE depends on HAVE_PSP_WHITELIST_FILE default "3rdparty/amd_blobs/cezanne/PSP/wtl-czn.sbin" -config PERFORM_SPL_FUSING - bool "Send SPL fuse command to PSP" - default n - help - Send the Security Patch Level (SPL) fusing command to the PSP in - order to update the minimum SPL version to be written to the SoC's - fuse bits. This will prevent using any embedded firmware components - with lower SPL version. - - If unsure, answer 'n' - -config SPL_TABLE_FILE - string "SPL table file override" - help - Provide a mainboard-specific Security Patch Level (SPL) table file - override. The SPL file is required to support PSP FW anti-rollback - and needs to be created by AMD. The default SPL file specified in the - SoC's fw.cfg is in the corresponding folder of the amd_blobs submodule - and applies to all boards that use the SoC without verstage on PSP. - In the verstage on PSP case, a different SPL file is specific as an - override via this Kconfig option. - config PSP_SOFTFUSE_BITS string "PSP Soft Fuse bits to enable" default "28 6" diff --git a/src/soc/amd/common/block/psp/Kconfig b/src/soc/amd/common/block/psp/Kconfig index 68d68615ea..d86ad7cd0a 100644 
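Review bot: In src/mainboard/google/skyrim/Kconfig the renamed `config PERFORM_SPL_FUSING` entry sets the value through `default y if BOARD_…` lines, but the symbol now has a prompt in the common PSP Kconfig, so a value already stored in a .config takes precedence over these defaults. The first skyrim hunk shows PERFORM_SPL_FUSING was `default y` for every variant before this commit, so a config saved earlier may still carry `CONFIG_PERFORM_SPL_FUSING=y` for a variant that is not in this list, and that build would now send the fuse update. Since a fuse write cannot be undone, I would add a comment above the entry, `# Variants listed here send the SPL fuse update to the PSP; regenerate saved configs, an old PERFORM_SPL_FUSING=y overrides these defaults.`, and mention the regeneration in the commit message. The list of `default y if` lines may continue past the end of the hunk.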
--- a/src/soc/amd/common/block/psp/Kconfig
+++ b/src/soc/amd/common/block/psp/Kconfig
@@ -29,13 +29,50 @@ config SOC_AMD_PSP_SELECTABLE_SMU_FW fanned set of blobs. Ask your AMD representative whether your APU is considered fanless. -config SOC_AMD_COMMON_BLOCK_PSP_FUSE_SPL +config SOC_AMD_COMMON_BLOCK_PSP_SPL bool + help + Select this option in the SoC's Kconfig to include the Security Patch + Level (SPL) support code. This code will only send the actual SPL + fuse update command to the PSP if the PERFORM_SPL_FUSING option is + also selected. + +config PERFORM_SPL_FUSING + bool "Send SPL fusing command to PSP" default n - depends on SOC_AMD_COMMON_BLOCK_PSP_GEN2 + depends on SOC_AMD_COMMON_BLOCK_PSP_SPL help - Enable sending of set SPL message to PSP. Enable this option if the platform - will require SPL fusing to be performed by PSP. + Send the Security Patch Level (SPL) fusing command to the PSP in + order to update the minimum SPL version to be written to the SoC's + fuse bits. This will prevent using any embedded firmware components + with lower SPL version. + + If unsure, answer 'n' + +config SPL_TABLE_FILE + string "SPL table file override" + depends on SOC_AMD_COMMON_BLOCK_PSP_SPL + help + Provide a mainboard-specific Security Patch Level (SPL) table file + override. The SPL file is required to support PSP FW anti-rollback + and needs to be created by AMD. The default SPL file specified in the + SoC's fw.cfg is in the corresponding folder of the amd_blobs submodule + and applies to all boards that use the SoC without verstage on PSP. + In the verstage on PSP case, a different SPL file is specific as an + override via this Kconfig option. + +config HAVE_SPL_RW_AB_FILE + bool "Have a separate mainboard-specific SPL file in RW A/B partitions" + default n + depends on SOC_AMD_COMMON_BLOCK_PSP_SPL + depends on VBOOT_SLOTS_RW_AB + help + Have separate mainboard-specific Security Patch Level (SPL) table + file for the RW A/B FMAP partitions. 
+ +config SPL_RW_AB_TABLE_FILE + string "Separate SPL table file override for RW A/B partitions" + depends on HAVE_SPL_RW_AB_FILE config PSP_PLATFORM_SECURE_BOOT bool "Platform secure boot enable" diff --git a/src/soc/amd/common/block/psp/Makefile.inc b/src/soc/amd/common/block/psp/Makefile.inc index a89d4e97f7..d0fbcbe452 100644 --- a/src/soc/amd/common/block/psp/Makefile.inc +++ b/src/soc/amd/common/block/psp/Makefile.inc @@ -29,6 +29,6 @@ ramstage-$(CONFIG_SOC_AMD_COMMON_BLOCK_I2C3_TPM_SHARED_WITH_PSP) += tpm.c smm-y += psp_gen2.c smm-y += psp_smm_gen2.c -ramstage-$(CONFIG_PERFORM_SPL_FUSING) += spl_fuse.c +ramstage-$(CONFIG_SOC_AMD_COMMON_BLOCK_PSP_SPL) += spl_fuse.c endif # CONFIG_SOC_AMD_COMMON_BLOCK_PSP_GEN2 diff --git a/src/soc/amd/common/block/psp/spl_fuse.c b/src/soc/amd/common/block/psp/spl_fuse.c index d1313fb271..cb1fab0bc0 100644 --- a/src/soc/amd/common/block/psp/spl_fuse.c +++ b/src/soc/amd/common/block/psp/spl_fuse.c @@ -38,7 +38,7 @@ static void psp_set_spl_fuse(void *unused) return; } - if (!CONFIG(SOC_AMD_COMMON_BLOCK_PSP_FUSE_SPL)) + if (!CONFIG(PERFORM_SPL_FUSING)) return; printk(BIOS_DEBUG, "PSP: SPL Fusing Update Requested.\n"); diff --git a/src/soc/amd/genoa/Kconfig b/src/soc/amd/genoa/Kconfig index 8bfae4f561..cfb878c2ea 100644 --- a/src/soc/amd/genoa/Kconfig +++ b/src/soc/amd/genoa/Kconfig @@ -18,6 +18,7 @@ config SOC_SPECIFIC_OPTIONS select SOC_AMD_COMMON_BLOCK_LPC select SOC_AMD_COMMON_BLOCK_NONCAR select SOC_AMD_COMMON_BLOCK_PCI_MMCONF + select SOC_AMD_COMMON_BLOCK_PSP_SPL select SOC_AMD_COMMON_BLOCK_SMI select SOC_AMD_COMMON_BLOCK_SMU select SOC_AMD_COMMON_BLOCK_SMU_SX_ENTRY 
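Review bot: The new `SOC_AMD_COMMON_BLOCK_PSP_SPL` and `PERFORM_SPL_FUSING` entries in src/soc/amd/common/block/psp/Kconfig no longer carry the `depends on SOC_AMD_COMMON_BLOCK_PSP_GEN2` that the removed `SOC_AMD_COMMON_BLOCK_PSP_FUSE_SPL` had, while the Makefile.inc hunk still adds spl_fuse.c inside the `CONFIG_SOC_AMD_COMMON_BLOCK_PSP_GEN2` conditional. The genoa hunk's select list goes from `SOC_AMD_COMMON_BLOCK_PCI_MMCONF` straight to the new `select SOC_AMD_COMMON_BLOCK_PSP_SPL`, which suggests PSP_GEN2 is not selected there. If so, the fusing prompt is offered on that SoC, but enabling it builds no code and sends nothing, without any warning. Keeping the dependency on the user-visible option, `depends on SOC_AMD_COMMON_BLOCK_PSP_SPL && SOC_AMD_COMMON_BLOCK_PSP_GEN2`, would hide the prompt wherever the code cannot be built.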
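Review bot: The check `if (!CONFIG(PERFORM_SPL_FUSING))` in psp_set_spl_fuse() is now the only Kconfig gate in front of a fuse write that cannot be reverted, and nothing at the check says so. A short comment above it would help, for example `/* The SPL fuse update below is permanent; it is only sent when PERFORM_SPL_FUSING is enabled. */`. The function starts and ends outside the hunk, so whether the earlier return paths log why no update was requested cannot be seen here.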
@@ -131,28 +132,6 @@ config PSP_WHITELIST_FILE string "Debug whitelist file path" depends on HAVE_PSP_WHITELIST_FILE -config PERFORM_SPL_FUSING - bool "Send SPL fuse command to PSP" - default n - help - Send the Security Patch Level (SPL) fusing command to the PSP in - order to update the minimum SPL version to be written to the SoC's - fuse bits. This will prevent using any embedded firmware components - with lower SPL version. - - If unsure, answer 'n' - -config SPL_TABLE_FILE - string "SPL table file override" - help - Provide a mainboard-specific Security Patch Level (SPL) table file - override. The SPL file is required to support PSP FW anti-rollback - and needs to be created by AMD. The default SPL file specified in the - SoC's fw.cfg is in the corresponding folder of the amd_blobs submodule - and applies to all boards that use the SoC without verstage on PSP. - In the verstage on PSP case, a different SPL file is specific as an - override via this Kconfig option. - config PSP_SOFTFUSE_BITS string "PSP Soft Fuse bits to enable" default "" diff --git a/src/soc/amd/glinda/Kconfig b/src/soc/amd/glinda/Kconfig index 9f5d537076..a3b0ea6ec0 100644 --- a/src/soc/amd/glinda/Kconfig +++ b/src/soc/amd/glinda/Kconfig @@ -61,6 +61,7 @@ config SOC_AMD_GLINDA select SOC_AMD_COMMON_BLOCK_PM # TODO: Check if this is still correct select SOC_AMD_COMMON_BLOCK_PM_CHIPSET_STATE_SAVE # TODO: Check if this is still correct select SOC_AMD_COMMON_BLOCK_PSP_GEN2 # TODO: Check if this is still correct + select SOC_AMD_COMMON_BLOCK_PSP_SPL select SOC_AMD_COMMON_BLOCK_RESET select SOC_AMD_COMMON_BLOCK_SMBUS # TODO: Check if this is still correct select SOC_AMD_COMMON_BLOCK_SMI # TODO: Check if this is still correct 
@@ -349,39 +350,6 @@ config PSP_WHITELIST_FILE depends on HAVE_PSP_WHITELIST_FILE default "site-local/3rdparty/amd_blobs/glinda/PSP/wtl-mrg.sbin" -config PERFORM_SPL_FUSING - bool "Send SPL fuse command to PSP" - default n - help - Send the Security Patch Level (SPL) fusing command to the PSP in - order to update the minimum SPL version to be written to the SoC's - fuse bits. This will prevent using any embedded firmware components - with lower SPL version. - - If unsure, answer 'n' - -config SPL_TABLE_FILE - string "SPL table file override" - help - Provide a mainboard-specific Security Patch Level (SPL) table file - override. The SPL file is required to support PSP FW anti-rollback - and needs to be created by AMD. The default SPL file specified in the - SoC's fw.cfg is in the corresponding folder of the amd_blobs submodule - and applies to all boards that use the SoC without verstage on PSP. - In the verstage on PSP case, a different SPL file is specific as an - override via this Kconfig option. - -config HAVE_SPL_RW_AB_FILE - bool "Have a separate mainboard-specific SPL file in RW A/B partitions" - default n - depends on VBOOT_SLOTS_RW_AB - help - Have separate mainboard-specific Security Patch Level (SPL) table - file for the RW A/B FMAP partitions. - -config SPL_RW_AB_TABLE_FILE - string "Separate SPL table file override for RW A/B partitions" - config PSP_SOFTFUSE_BITS string "PSP Soft Fuse bits to enable" default "34 28 6" diff --git a/src/soc/amd/mendocino/Kconfig b/src/soc/amd/mendocino/Kconfig index ba204818fa..2fcd508862 100644 --- a/src/soc/amd/mendocino/Kconfig +++ b/src/soc/amd/mendocino/Kconfig @@ -64,6 +64,7 @@ config SOC_AMD_REMBRANDT_BASE select SOC_AMD_COMMON_BLOCK_PM select SOC_AMD_COMMON_BLOCK_PM_CHIPSET_STATE_SAVE select SOC_AMD_COMMON_BLOCK_PSP_GEN2 + select SOC_AMD_COMMON_BLOCK_PSP_SPL select SOC_AMD_COMMON_BLOCK_RESET select SOC_AMD_COMMON_BLOCK_SMBUS select SOC_AMD_COMMON_BLOCK_SMI 
@@ -406,39 +407,6 @@ config PSP_WHITELIST_FILE depends on HAVE_PSP_WHITELIST_FILE default "site-local/3rdparty/amd_blobs/mendocino/PSP/wtl-mdn.sbin" -config PERFORM_SPL_FUSING - bool "Send SPL fuse command to PSP" - default n - help - Send the Security Patch Level (SPL) fusing command to the PSP in - order to update the minimum SPL version to be written to the SoC's - fuse bits. This will prevent using any embedded firmware components - with lower SPL version. - - If unsure, answer 'n' - -config SPL_TABLE_FILE - string "SPL table file override" - help - Provide a mainboard-specific Security Patch Level (SPL) table file - override. The SPL file is required to support PSP FW anti-rollback - and needs to be created by AMD. The default SPL file specified in the - SoC's fw.cfg is in the corresponding folder of the amd_blobs submodule - and applies to all boards that use the SoC without verstage on PSP. - In the verstage on PSP case, a different SPL file is specific as an - override via this Kconfig option. - -config HAVE_SPL_RW_AB_FILE - bool "Have a separate mainboard-specific SPL file in RW A/B partitions" - default n - depends on VBOOT_SLOTS_RW_AB - help - Have separate mainboard-specific Security Patch Level (SPL) table - file for the RW A/B FMAP partitions. - -config SPL_RW_AB_TABLE_FILE - string "Separate SPL table file override for RW A/B partitions" - config PSP_SOFTFUSE_BITS string "PSP Soft Fuse bits to enable" default "34 28 6" diff --git a/src/soc/amd/phoenix/Kconfig b/src/soc/amd/phoenix/Kconfig index c9aa32c770..9137bc5ce7 100644 --- a/src/soc/amd/phoenix/Kconfig +++ b/src/soc/amd/phoenix/Kconfig @@ -64,6 +64,7 @@ config SOC_AMD_PHOENIX select SOC_AMD_COMMON_BLOCK_PM select SOC_AMD_COMMON_BLOCK_PM_CHIPSET_STATE_SAVE select SOC_AMD_COMMON_BLOCK_PSP_GEN2 # TODO: Check if this is still correct + select SOC_AMD_COMMON_BLOCK_PSP_SPL select SOC_AMD_COMMON_BLOCK_RESET select SOC_AMD_COMMON_BLOCK_SMBUS select SOC_AMD_COMMON_BLOCK_SMI 
@@ -362,39 +363,6 @@ config PSP_WHITELIST_FILE depends on HAVE_PSP_WHITELIST_FILE default "site-local/3rdparty/amd_blobs/phoenix/PSP/wtl-phx.sbin" -config PERFORM_SPL_FUSING - bool "Send SPL fuse command to PSP" - default n - help - Send the Security Patch Level (SPL) fusing command to the PSP in - order to update the minimum SPL version to be written to the SoC's - fuse bits. This will prevent using any embedded firmware components - with lower SPL version. - - If unsure, answer 'n' - -config SPL_TABLE_FILE - string "SPL table file override" - help - Provide a mainboard-specific Security Patch Level (SPL) table file - override. The SPL file is required to support PSP FW anti-rollback - and needs to be created by AMD. The default SPL file specified in the - SoC's fw.cfg is in the corresponding folder of the amd_blobs submodule - and applies to all boards that use the SoC without verstage on PSP. - In the verstage on PSP case, a different SPL file is specific as an - override via this Kconfig option. - -config HAVE_SPL_RW_AB_FILE - bool "Have a separate mainboard-specific SPL file in RW A/B partitions" - default n - depends on VBOOT_SLOTS_RW_AB - help - Have separate mainboard-specific Security Patch Level (SPL) table - file for the RW A/B FMAP partitions. - -config SPL_RW_AB_TABLE_FILE - string "Separate SPL table file override for RW A/B partitions" - config PSP_SOFTFUSE_BITS string "PSP Soft Fuse bits to enable" default "36 28 6" -- cgit v1.2.3