From b6f29c9bf47724168a58c196aa1d2ec65302731e Mon Sep 17 00:00:00 2001
From: Nick Vaccaro
Date: Tue, 12 Oct 2021 17:26:52 -0700
Subject: soc/intel/common: add generic gpio lock mechanism

For added security, there are some gpios that an SoC will want to lock once initially configured, such as gpios attached to non-host (x86) controllers, so that they can't be reconfigured at a later point in time by rogue code. Likewise, a mainboard may have some gpios connected to secure busses and/or devices that they want to protect from being changed post initial configuration.

This change adds a generic gpio locking mechanism that allows the SoC to export a list of GPIOs to be locked down and allows the mainboard to export a list of GPIOs that it wants locked down once initialization is complete. Use the SOC_INTEL_COMMON_BLOCK_SMM_LOCK_GPIO_PADS Kconfig option to enable this feature.

BUG=b:201430600
TEST='emerge-brya coreboot chromeos-bootimage', flash and verify brya0 boots successfully to kernel.

Signed-off-by: Nick Vaccaro
Change-Id: I42979fb89567d8bcd9392da4fb8c4113ef427b14
Reviewed-on: https://review.coreboot.org/c/coreboot/+/58351
Tested-by: build bot (Jenkins)
Reviewed-by: Tim Wawrzynczak

--- src/soc/intel/common/block/smm/Kconfig | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'src/soc/intel/common/block/smm/Kconfig') diff --git a/src/soc/intel/common/block/smm/Kconfig b/src/soc/intel/common/block/smm/Kconfig index 77ba00c027..2d960d6b47 100644 --- a/src/soc/intel/common/block/smm/Kconfig +++ b/src/soc/intel/common/block/smm/Kconfig @@ -8,6 +8,13 @@ config SOC_INTEL_COMMON_BLOCK_SMM_IO_TRAP help Intel Processor trap flag if it is supported +config SOC_INTEL_COMMON_BLOCK_SMM_LOCK_GPIO_PADS + bool + help + Enable locking of security-sensitive SoC and mainboard GPIOs. + An SoC may provide a list of gpios to lock, and the mainboard + may also provide a list of gpios to lock. + config SOC_INTEL_COMMON_BLOCK_SMM_ESPI_DISABLE bool default n -- cgit v1.2.3
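
Review bot: The help text added for SOC_INTEL_COMMON_BLOCK_SMM_LOCK_GPIO_PADS does not say when the lock takes effect. The commit message states that the pads are locked "once initialization is complete", and that timing is what a board porter needs in order to know that pad configuration must be final before that point, so it belongs in the help text as well. The symbol is also a bare bool with no prompt and no default line (the neighbouring SOC_INTEL_COMMON_BLOCK_SMM_ESPI_DISABLE spells out "default n"), which means the locking stays off unless an SoC or mainboard Kconfig selects it; a short sentence in the help saying the option is meant to be selected by the SoC or mainboard would make that opt-in behaviour explicit for a security feature. Minor style point: the help text mixes "GPIOs" and "gpios" across its three lines; use one spelling.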