soc/intel/apollolake: Drop privilege level to IA_UNTRUSTED

As per guidelines CPU security level should be dropped before OS start,
so that certain MSRs are locked out. Drop privilege levels on all logical
CPUs.

BUG=chrome-os-partner:60454
TEST=iotools rdmsr x 0x120, make sure bit 6 is set, rdmsr x 0x121 results
in io error.

Change-Id: I67540f6da16f58b822db9160d00b7a5e235188db
Signed-off-by: Andrey Petrov <andrey.petrov@intel.com>
Reviewed-on: https://review.coreboot.org/17665
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins)

src/soc/intel/apollolake/car.c

@@ -28,7 +28,7 @@
 static void flush_l1d_to_l2(void)
 {
 	msr_t msr = rdmsr(MSR_POWER_MISC);
-	msr.lo |= (1 << 8);
+	msr.lo |= FLUSH_DL1_L2;
 	wrmsr(MSR_POWER_MISC, msr);
 }
 

src/soc/intel/apollolake/cpu.c

@@ -53,6 +53,13 @@ static const struct reg_script core_msr_script[] = {
 	REG_SCRIPT_END
 };
 
+static void enable_untrusted_mode(void)
+{
+	msr_t msr = rdmsr(MSR_POWER_MISC);
+	msr.lo |= ENABLE_IA_UNTRUSTED;
+	wrmsr(MSR_POWER_MISC, msr);
+}
+
 static void soc_core_init(device_t cpu)
 {
 	/* Set core MSRs */
@@ -63,6 +70,8 @@ static void soc_core_init(device_t cpu)
 	 * implemented in microcode.
 	*/
 	enable_pm_timer_emulation();
+	/* Drop privilege level */
+	enable_untrusted_mode();
 }
 
 static struct device_operations cpu_dev_ops = {

src/soc/intel/apollolake/include/soc/cpu.h

@@ -31,6 +31,8 @@ void set_max_freq(void);
 
 #define MSR_PLATFORM_INFO	0xce
 #define MSR_POWER_MISC		0x120
+#define   ENABLE_IA_UNTRUSTED	(1 << 6)
+#define   FLUSH_DL1_L2		(1 << 8)
 #define MSR_CORE_THREAD_COUNT	0x35
 #define MSR_EVICT_CTL		0x2e0
 #define MSR_EMULATE_PM_TMR	0x121