GNUBoot
/
coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

soc/amd/picasso: Enable secure debug unlock conditionally 

This change adds a Kconfig option PSP_UNLOCK_SECURE_DEBUG which
when enabled includes secure debug unlock blobs and sets the required
softfuses and options for amdfwtool. By default this is set to 'N'.

BUG=b:154880818

Signed-off-by: Furquan Shaikh <furquan@google.com>
Change-Id: I47d8af67989b06242d662c77b7d9db97f624edd5
Reviewed-on: https://review.coreboot.org/c/coreboot/+/40683
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Marshall Dawson <marshalldawson3rd@gmail.com>
This commit is contained in:
Furquan Shaikh 2020-04-24 15:52:04 -07:00
parent d7a6d61d51
commit 577db029a0
2 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/soc/amd/picasso/Kconfig
View File

@ -357,6 +357,12 @@ config PSP_WHITELIST_FILE
depends on HAVE_PSP_WHITELIST_FILE depends on HAVE_PSP_WHITELIST_FILE
default "3rdparty/blobs/soc/amd/picasso/PSP/wtl-rvn.sbin" default "3rdparty/blobs/soc/amd/picasso/PSP/wtl-rvn.sbin"
config PSP_UNLOCK_SECURE_DEBUG
bool "Unlock secure debug"
default n
help
Select this item to enable secure debug options in PSP.
endmenu endmenu
endif # SOC_AMD_PICASSO endif # SOC_AMD_PICASSO

11
src/soc/amd/picasso/Makefile.inc
View File

@ -109,19 +109,21 @@ PSP_SMUFW1_SUB2_FILE=$(top)/$(FIRMWARE_LOCATE)/SmuFirmwarePCO.csbin
PSP_SMUFW2_SUB1_FILE=$(top)/$(FIRMWARE_LOCATE)/SmuFirmware2RV2.csbin PSP_SMUFW2_SUB1_FILE=$(top)/$(FIRMWARE_LOCATE)/SmuFirmware2RV2.csbin
PSP_SMUFW2_SUB2_FILE=$(top)/$(FIRMWARE_LOCATE)/SmuFirmware2PCO.csbin PSP_SMUFW2_SUB2_FILE=$(top)/$(FIRMWARE_LOCATE)/SmuFirmware2PCO.csbin
ifeq ($(CONFIG_PSP_UNLOCK_SECURE_DEBUG),y)
# type = 0x9 # type = 0x9
PSP_SEC_DBG_KEY_FILE=$(top)/$(FIRMWARE_LOCATE)/RavenSecureDebug_PublicKey.bin PSP_SEC_DBG_KEY_FILE=$(top)/$(FIRMWARE_LOCATE)/RavenSecureDebug_PublicKey.bin
# type = 0x13
PSP_SEC_DEBUG_FILE=$(top)/$(FIRMWARE_LOCATE)/secure_unlock_prod_RV.sbin
# Enable secure debug unlock # Enable secure debug unlock
PSP_SOFTFUSE_BITS += 0 PSP_SOFTFUSE_BITS += 0
PSP_TOKEN_UNLOCK="--token-unlock"
endif
ifeq ($(CONFIG_USE_PSPSCUREOS),y) ifeq ($(CONFIG_USE_PSPSCUREOS),y)
# types = 0x2 # types = 0x2
PSPSCUREOS_FILE=$(top)/$(FIRMWARE_LOCATE)/psp_os_combined_prod_RV.sbin PSPSCUREOS_FILE=$(top)/$(FIRMWARE_LOCATE)/psp_os_combined_prod_RV.sbin
endif endif
# type = 0x13
PSP_SEC_DEBUG_FILE=$(top)/$(FIRMWARE_LOCATE)/secure_unlock_prod_RV.sbin
# type = 0x21 # type = 0x21
PSP_IKEK_FILE=$(top)/$(FIRMWARE_LOCATE)/PspIkekRV.bin PSP_IKEK_FILE=$(top)/$(FIRMWARE_LOCATE)/PspIkekRV.bin
@ -228,6 +230,7 @@ OPT_SMUFW1_SUB2_FILE=$(call add_opt_prefix, $(PSP_SMUFW1_SUB2_FILE), --subprogra
OPT_SMUFW2_SUB1_FILE=$(call add_opt_prefix, $(PSP_SMUFW2_SUB1_FILE), --subprogram 1 --smufirmware2) OPT_SMUFW2_SUB1_FILE=$(call add_opt_prefix, $(PSP_SMUFW2_SUB1_FILE), --subprogram 1 --smufirmware2)
OPT_SMUFW2_SUB2_FILE=$(call add_opt_prefix, $(PSP_SMUFW2_SUB2_FILE), --subprogram 2 --smufirmware2) OPT_SMUFW2_SUB2_FILE=$(call add_opt_prefix, $(PSP_SMUFW2_SUB2_FILE), --subprogram 2 --smufirmware2)
OPT_PSP_SEC_DBG_KEY_FILE=$(call add_opt_prefix, $(PSP_SEC_DBG_KEY_FILE), --securedebug) OPT_PSP_SEC_DBG_KEY_FILE=$(call add_opt_prefix, $(PSP_SEC_DBG_KEY_FILE), --securedebug)
OPT_TOKEN_UNLOCK=$(call add_opt_prefix, $(PSP_TOKEN_UNLOCK), "")
OPT_PSP_SOFTFUSE=$(call add_opt_prefix, $(PSP_SOFTFUSE), --soft-fuse) OPT_PSP_SOFTFUSE=$(call add_opt_prefix, $(PSP_SOFTFUSE), --soft-fuse)
OPT_PSPSCUREOS_FILE=$(call add_opt_prefix, $(PSPSCUREOS_FILE), --secureos) OPT_PSPSCUREOS_FILE=$(call add_opt_prefix, $(PSPSCUREOS_FILE), --secureos)
OPT_SEC_DEBUG_FILE=$(call add_opt_prefix, $(PSP_SEC_DEBUG_FILE), --secdebug) OPT_SEC_DEBUG_FILE=$(call add_opt_prefix, $(PSP_SEC_DEBUG_FILE), --secdebug)
@ -367,7 +370,7 @@ $(obj)/amdfw.rom: $(call strip_quotes, $(CONFIG_AMD_PUBKEY_FILE)) \
$(OPT_IKEK_FILE) \ $(OPT_IKEK_FILE) \
$(OPT_SEC_DEBUG_FILE) \ $(OPT_SEC_DEBUG_FILE) \
--combo-capable \ --combo-capable \
--token-unlock \ $(OPT_TOKEN_UNLOCK) \
--flashsize $(CONFIG_ROM_SIZE) \ --flashsize $(CONFIG_ROM_SIZE) \
--location $(shell printf "0x%x" $(PICASSO_FWM_POSITION)) \ --location $(shell printf "0x%x" $(PICASSO_FWM_POSITION)) \
--output $@ --output $@