soc/intel/common: Add function to check if xDCI is allowed

When CONFIG_VBOOT is enabled then the xDCI controller should only be enabled if the system is in developer mode. This prevents a system in normal/verified mode from being used as a USB peripheral device which could potentially be used to access user data. This change adds a function to return whether xDCI can be enabled or not, which will be used by the SOCs. Change-Id: Ie3ee9dd7077c094a01fd857a2e4033a12ce8979b Signed-off-by: Duncan Laurie <dlaurie@chromium.org> Reviewed-on: https://review.coreboot.org/25347 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Furquan Shaikh <furquan@google.com> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2018-03-26 02:17:33 -07:00 · 2018-03-26 02:17:33 -07:00 · 4df7d2c495
parent 969ef10f54
commit 4df7d2c495
2 changed files with 11 additions and 0 deletions
--- a/src/soc/intel/common/block/include/intelblocks/xdci.h
+++ b/src/soc/intel/common/block/include/intelblocks/xdci.h
@ -17,5 +17,6 @@
 #define SOC_INTEL_COMMON_BLOCK_XDCI_H

 void soc_xdci_init(struct device *dev);
+int xdci_can_enable(void);

 #endif	/* SOC_INTEL_COMMON_BLOCK_XDCI_H */
--- a/src/soc/intel/common/block/xdci/xdci.c
+++ b/src/soc/intel/common/block/xdci/xdci.c
@ -19,9 +19,19 @@
 #include <device/pci.h>
 #include <device/pci_ids.h>
 #include <intelblocks/xdci.h>
+#include <security/vboot/vboot_common.h>

 __attribute__((weak)) void soc_xdci_init(struct device *dev) { /* no-op */ }

+/* Only allow xDCI controller in developer mode if VBOOT is enabled */
+int xdci_can_enable(void)
+{
+	if (IS_ENABLED(CONFIG_VBOOT))
+		return vboot_developer_mode_enabled() ?  1 : 0;
+	else
+		return 1;
+}
+
 static struct device_operations usb_xdci_ops = {
 	.read_resources		= &pci_dev_read_resources,
 	.set_resources		= &pci_dev_set_resources,