From b51f54b518bf17a1bfb678d3d14dcf0996d882d2 Mon Sep 17 00:00:00 2001 From: Subrata Banik Date: Mon, 14 Aug 2017 16:15:33 +0530 Subject: soc/intel/skylake: Move LPC lock down config after resource allocation This patch to ensures that coreboot is performing LPC registers lockdown after PCI enumeration is done. This requirements are intended to support platform security guideline where all required chipset registers are expected to be in lock down stage before launching any 3rd party code as in option rom etc. coreboot has to change its execution order to meet those requirements. Hence lpc register lock down has been moved right after pci resource allocation is done, so that lpc registers can be lock down before calling post pci enumeration FSP NotifyPhase() API which is targeted to be done in BS_DEV_ENABLE-BS_ON_ENTRY. TEST=Ensure LPC register 0xDC bit 1 and 7 is set. Change-Id: I705a3a3c6ddc72ae7895419442d67b82f541edee Signed-off-by: Subrata Banik Reviewed-on: https://review.coreboot.org/21000 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin --- src/soc/intel/skylake/Makefile.inc | 1 + src/soc/intel/skylake/finalize.c | 13 ---------- src/soc/intel/skylake/lockdown.c | 52 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 53 insertions(+), 13 deletions(-) create mode 100644 src/soc/intel/skylake/lockdown.c (limited to 'src/soc/intel') diff --git a/src/soc/intel/skylake/Makefile.inc b/src/soc/intel/skylake/Makefile.inc index baf6f01751..7046b8106c 100644 --- a/src/soc/intel/skylake/Makefile.inc +++ b/src/soc/intel/skylake/Makefile.inc @@ -53,6 +53,7 @@ ramstage-y += gspi.c ramstage-y += i2c.c ramstage-y += igd.c ramstage-y += irq.c +ramstage-y += lockdown.c ramstage-y += lpc.c ramstage-y += me.c ramstage-y += memmap.c diff --git a/src/soc/intel/skylake/finalize.c b/src/soc/intel/skylake/finalize.c index 404d217a87..a793e9551c 100644 --- a/src/soc/intel/skylake/finalize.c +++ b/src/soc/intel/skylake/finalize.c @@ -186,25 +186,12 @@ static void soc_lockdown(void) if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { /* Bios Interface Lock */ - pci_write_config8(PCH_DEV_LPC, BIOS_CNTL, - pci_read_config8(PCH_DEV_LPC, - BIOS_CNTL) | LPC_BC_BILD); - /* Reads back for posted write to take effect */ - pci_read_config8(PCH_DEV_LPC, BIOS_CNTL); - fast_spi_set_bios_interface_lock_down(); /* GCS reg of DMI */ pcr_or8(PID_DMI, PCR_DMI_GCS, PCR_DMI_GCS_BILD); /* Bios Lock */ - pci_write_config8(PCH_DEV_LPC, BIOS_CNTL, - pci_read_config8(PCH_DEV_LPC, - BIOS_CNTL) | LPC_BC_LE); - - /* Ensure an additional read back after performing lock down */ - pci_read_config8(PCH_DEV_LPC, BIOS_CNTL); - fast_spi_set_lock_enable(); } } diff --git a/src/soc/intel/skylake/lockdown.c b/src/soc/intel/skylake/lockdown.c new file mode 100644 index 0000000000..ac138c20b3 --- /dev/null +++ b/src/soc/intel/skylake/lockdown.c @@ -0,0 +1,52 @@ +/* + * This file is part of the coreboot project. + * + * Copyright (C) 2017 Intel Corporation. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#include +#include +#include +#include +#include +#include + +static void lpc_lockdown_config(void) +{ + static struct soc_intel_skylake_config *config; + struct device *dev; + uint8_t reg_mask = 0; + + dev = PCH_DEV_LPC; + /* Check if LPC is enabled, else return */ + if (dev == NULL || dev->chip_info == NULL) + return; + + config = dev->chip_info; + + /* Set Bios Interface Lock, Bios Lock */ + if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) + reg_mask |= LPC_BC_BILD | LPC_BC_LE; + + pci_or_config8(dev, BIOS_CNTL, reg_mask); + /* Ensure an additional read back after performing lock down */ + pci_read_config8(dev, BIOS_CNTL); +} + +static void platform_lockdown_config(void *unused) +{ + /* LPC lock down configuration */ + lpc_lockdown_config(); +} + +BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_EXIT, platform_lockdown_config, + NULL); -- cgit v1.2.3