From 577db029a02306fcdcb873f7a01f78b19d47da91 Mon Sep 17 00:00:00 2001 From: Furquan Shaikh Date: Fri, 24 Apr 2020 15:52:04 -0700 Subject: soc/amd/picasso: Enable secure debug unlock conditionally This change adds a Kconfig option PSP_UNLOCK_SECURE_DEBUG which when enabled includes secure debug unlock blobs and sets the required softfuses and options for amdfwtool. By default this is set to 'N'. BUG=b:154880818 Signed-off-by: Furquan Shaikh Change-Id: I47d8af67989b06242d662c77b7d9db97f624edd5 Reviewed-on: https://review.coreboot.org/c/coreboot/+/40683 Tested-by: build bot (Jenkins) Reviewed-by: Marshall Dawson --- src/soc/amd/picasso/Kconfig | 6 ++++++ src/soc/amd/picasso/Makefile.inc | 11 +++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/src/soc/amd/picasso/Kconfig b/src/soc/amd/picasso/Kconfig index a37f5430ed..fa053f98cc 100644 --- a/src/soc/amd/picasso/Kconfig +++ b/src/soc/amd/picasso/Kconfig @@ -357,6 +357,12 @@ config PSP_WHITELIST_FILE depends on HAVE_PSP_WHITELIST_FILE default "3rdparty/blobs/soc/amd/picasso/PSP/wtl-rvn.sbin" +config PSP_UNLOCK_SECURE_DEBUG + bool "Unlock secure debug" + default n + help + Select this item to enable secure debug options in PSP. + endmenu endif # SOC_AMD_PICASSO diff --git a/src/soc/amd/picasso/Makefile.inc b/src/soc/amd/picasso/Makefile.inc index d7cf9c052c..4790ecb502 100644 --- a/src/soc/amd/picasso/Makefile.inc +++ b/src/soc/amd/picasso/Makefile.inc @@ -109,19 +109,21 @@ PSP_SMUFW1_SUB2_FILE=$(top)/$(FIRMWARE_LOCATE)/SmuFirmwarePCO.csbin PSP_SMUFW2_SUB1_FILE=$(top)/$(FIRMWARE_LOCATE)/SmuFirmware2RV2.csbin PSP_SMUFW2_SUB2_FILE=$(top)/$(FIRMWARE_LOCATE)/SmuFirmware2PCO.csbin +ifeq ($(CONFIG_PSP_UNLOCK_SECURE_DEBUG),y) # type = 0x9 PSP_SEC_DBG_KEY_FILE=$(top)/$(FIRMWARE_LOCATE)/RavenSecureDebug_PublicKey.bin +# type = 0x13 +PSP_SEC_DEBUG_FILE=$(top)/$(FIRMWARE_LOCATE)/secure_unlock_prod_RV.sbin # Enable secure debug unlock PSP_SOFTFUSE_BITS += 0 +PSP_TOKEN_UNLOCK="--token-unlock" +endif ifeq ($(CONFIG_USE_PSPSCUREOS),y) # types = 0x2 PSPSCUREOS_FILE=$(top)/$(FIRMWARE_LOCATE)/psp_os_combined_prod_RV.sbin endif -# type = 0x13 -PSP_SEC_DEBUG_FILE=$(top)/$(FIRMWARE_LOCATE)/secure_unlock_prod_RV.sbin - # type = 0x21 PSP_IKEK_FILE=$(top)/$(FIRMWARE_LOCATE)/PspIkekRV.bin @@ -228,6 +230,7 @@ OPT_SMUFW1_SUB2_FILE=$(call add_opt_prefix, $(PSP_SMUFW1_SUB2_FILE), --subprogra OPT_SMUFW2_SUB1_FILE=$(call add_opt_prefix, $(PSP_SMUFW2_SUB1_FILE), --subprogram 1 --smufirmware2) OPT_SMUFW2_SUB2_FILE=$(call add_opt_prefix, $(PSP_SMUFW2_SUB2_FILE), --subprogram 2 --smufirmware2) OPT_PSP_SEC_DBG_KEY_FILE=$(call add_opt_prefix, $(PSP_SEC_DBG_KEY_FILE), --securedebug) +OPT_TOKEN_UNLOCK=$(call add_opt_prefix, $(PSP_TOKEN_UNLOCK), "") OPT_PSP_SOFTFUSE=$(call add_opt_prefix, $(PSP_SOFTFUSE), --soft-fuse) OPT_PSPSCUREOS_FILE=$(call add_opt_prefix, $(PSPSCUREOS_FILE), --secureos) OPT_SEC_DEBUG_FILE=$(call add_opt_prefix, $(PSP_SEC_DEBUG_FILE), --secdebug) @@ -367,7 +370,7 @@ $(obj)/amdfw.rom: $(call strip_quotes, $(CONFIG_AMD_PUBKEY_FILE)) \ $(OPT_IKEK_FILE) \ $(OPT_SEC_DEBUG_FILE) \ --combo-capable \ - --token-unlock \ + $(OPT_TOKEN_UNLOCK) \ --flashsize $(CONFIG_ROM_SIZE) \ --location $(shell printf "0x%x" $(PICASSO_FWM_POSITION)) \ --output $@ -- cgit v1.2.3