soc/intel/common/pch: Add pch lockdown code

pch lockdown functionality can be used by supported PCH. Right now pch lockdown functionality is applied for SPT (Skylake SOC) and CNP(Cannon Lake SOC) PCH. BUG=b:78109109 BRANCH=none TEST=Build and boot KBL and CNL platform. Change-Id: I0b81bbc54f737cb4e7120f44bbe705039b45ccb3 Signed-off-by: Maulik V Vaghela <maulik.v.vaghela@intel.com> Signed-off-by: Subrata Banik <subrata.banik@intel.com> Reviewed-on: https://review.coreboot.org/25688 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Furquan Shaikh <furquan@google.com>
2018-05-28 16:12:03 +05:30 · 2018-05-28 16:12:03 +05:30 · 9cd99a1524
parent 6994bfefb5
commit 9cd99a1524
9 changed files with 195 additions and 146 deletions
--- a/src/soc/intel/cannonlake/lockdown.c
+++ b/src/soc/intel/cannonlake/lockdown.c
@ -14,94 +14,59 @@
 */

 #include <arch/io.h>
-#include <bootstate.h>
-#include <chip.h>
 #include <intelblocks/chip.h>
-#include <intelblocks/fast_spi.h>
-#include <intelblocks/lpc_lib.h>
-#include <intelblocks/pcr.h>
-#include <soc/pci_devs.h>
-#include <soc/pcr_ids.h>
+#include <intelpch/lockdown.h>
 #include <soc/pm.h>
-#include <string.h>

-#define PCR_DMI_GCS		0x274C
-#define PCR_DMI_GCS_BILD	(1 << 0)
-
-static void pmc_lockdown_cfg(const struct soc_intel_common_config *config)
+static void pmc_lock_pmsync(void)
 {
-	uint8_t *pmcbase, reg8;
-	uint32_t reg32, pmsyncreg;
+	uint8_t *pmcbase;
+	uint32_t pmsyncreg;

-	/* PMSYNC */
 	pmcbase = pmc_mmio_regs();
+
 	pmsyncreg = read32(pmcbase + PMSYNC_TPR_CFG);
 	pmsyncreg |= PCH2CPU_TPR_CFG_LOCK;
 	write32(pmcbase + PMSYNC_TPR_CFG, pmsyncreg);
+}
+
+static void pmc_lock_abase(void)
+{
+	uint8_t *pmcbase;
+	uint32_t reg32;
+
+	pmcbase = pmc_mmio_regs();

-	/* Lock down ABASE and sleep stretching policy */
 	reg32 = read32(pmcbase + GEN_PMCON_B);
 	reg32 |= (SLP_STR_POL_LOCK | ACPI_BASE_LOCK);
 	write32(pmcbase + GEN_PMCON_B, reg32);
-
-	if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
-		pmcbase = pmc_mmio_regs();
-		reg8 = read8(pmcbase + GEN_PMCON_B);
-		reg8 |= SMI_LOCK;
-		write8(pmcbase + GEN_PMCON_B, reg8);
-	}
 }

-static void dmi_lockdown_cfg(void)
+static void pmc_lock_smi(void)
 {
-	/*
-	 * GCS reg of DMI
-	 *
-	 * When set, prevents GCS.BBS from being changed
-	 * GCS.BBS: (Boot BIOS Strap) This field determines the destination
-	 * of accesses to the BIOS memory range.
-	 *	Bits Description
-	 *	"0b": SPI
-	 *	"1b": LPC/eSPI
-	 */
-	pcr_or8(PID_DMI, PCR_DMI_GCS, PCR_DMI_GCS_BILD);
+	uint8_t *pmcbase;
+	uint8_t reg8;
+
+	pmcbase = pmc_mmio_regs();
+
+	reg8 = read8(pmcbase + GEN_PMCON_B);
+	reg8 |= SMI_LOCK;
+	write8(pmcbase + GEN_PMCON_B, reg8);
 }

-static void fast_spi_lockdown_cfg(const struct soc_intel_common_config *config)
+static void pmc_lockdown_cfg(int chipset_lockdown)
 {
-	/* Set FAST_SPI opcode menu */
-	fast_spi_set_opcode_menu();
+	/* PMSYNC */
+	pmc_lock_pmsync();
+	/* Lock down ABASE and sleep stretching policy */
+	pmc_lock_abase();

-	/* Discrete Lock Flash PR registers */
-	fast_spi_pr_dlock();
-
-	/* Lock FAST_SPIBAR */
-	fast_spi_lock_bar();
-
-	/* Set Bios Interface Lock, Bios Lock */
-	if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
-		/* Bios Interface Lock */
-		fast_spi_set_bios_interface_lock_down();
-
-		/* Bios Lock */
-		fast_spi_set_lock_enable();
-	}
+	if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT)
+		pmc_lock_smi();
 }

-static void platform_lockdown_config(void *unused)
+void soc_lockdown_config(int chipset_lockdown)
 {
-	const struct soc_intel_common_config *common_config;
-	common_config = chip_get_common_soc_structure();
-
-	/* SPI lock down configuration */
-	fast_spi_lockdown_cfg(common_config);
-
-	/* DMI lock down configuration */
-	dmi_lockdown_cfg();
-
 	/* PMC lock down configuration */
-	pmc_lockdown_cfg(common_config);
+	pmc_lockdown_cfg(chipset_lockdown);
 }
-
-BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_EXIT, platform_lockdown_config,
-				NULL);
--- a/src/soc/intel/common/pch/Kconfig
+++ b/src/soc/intel/common/pch/Kconfig
@ -41,5 +41,6 @@ config PCH_SPECIFIC_OPTIONS
 	select SOC_INTEL_COMMON_BLOCK_UART
 	select SOC_INTEL_COMMON_BLOCK_XDCI
 	select SOC_INTEL_COMMON_BLOCK_XHCI
+	select SOC_INTEL_COMMON_PCH_LOCKDOWN

 endif
--- a/src/soc/intel/common/pch/include/intelpch/lockdown.h
+++ b/src/soc/intel/common/pch/include/intelpch/lockdown.h
@ -0,0 +1,40 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2018 Intel Corporation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef SOC_INTEL_COMMON_PCH_LOCKDOWN_H
+#define SOC_INTEL_COMMON_PCH_LOCKDOWN_H
+
+#include <stdint.h>
+
+/*
+ * This function will get lockdown config specific to soc.
+ *
+ * Return values:
+ *  0 = CHIPSET_LOCKDOWN_FSP = use FSP's lockdown functionality to lockdown IPs
+ *  1 = CHIPSET_LOCKDOWN_COREBOOT = Use coreboot to lockdown IPs
+ */
+int get_lockdown_config(void);
+
+/*
+ * Common PCH lockdown will perform lock down operation for DMI, FAST_SPI.
+ * And SoC should implement any other PCH lockdown if applicable as
+ * per silicon security guideline (i.e. LPC, PMC etc.)
+ *
+ * Input:
+ * chipset_lockdown = Return value from get_lockdown_config() function
+ */
+void soc_lockdown_config(int chipset_lockdown);
+
+#endif /* SOC_INTEL_COMMON_PCH_LOCKDOWN_H */
--- a/src/soc/intel/common/pch/lockdown/Kconfig
+++ b/src/soc/intel/common/pch/lockdown/Kconfig
@ -0,0 +1,7 @@
+config SOC_INTEL_COMMON_PCH_LOCKDOWN
+	bool
+	default n
+	help
+	  This option allows to have chipset lockdown for DMI, FAST_SPI and
+	  soc_lockdown_config() to implement any additional lockdown as PMC,
+	  LPC for supported PCH.
--- a/src/soc/intel/common/pch/lockdown/Makefile.inc
+++ b/src/soc/intel/common/pch/lockdown/Makefile.inc
@ -0,0 +1 @@
+ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c
--- a/src/soc/intel/common/pch/lockdown/lockdown.c
+++ b/src/soc/intel/common/pch/lockdown/lockdown.c
@ -0,0 +1,107 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018 Intel Corporation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#include <arch/io.h>
+#include <bootstate.h>
+#include <console/console.h>
+#include <intelblocks/chip.h>
+#include <intelblocks/fast_spi.h>
+#include <intelblocks/pcr.h>
+#include <intelpch/lockdown.h>
+#include <soc/pci_devs.h>
+#include <soc/pcr_ids.h>
+#include <soc/soc_chip.h>
+#include <string.h>
+
+#define PCR_DMI_GCS		0x274C
+#define PCR_DMI_GCS_BILD	(1 << 0)
+
+/*
+ * This function will get lockdown config specific to soc.
+ *
+ * Return values:
+ *  0 = CHIPSET_LOCKDOWN_FSP = use FSP's lockdown functionality to lockdown IPs
+ *  1 = CHIPSET_LOCKDOWN_COREBOOT = Use coreboot to lockdown IPs
+ */
+int get_lockdown_config(void)
+{
+	const struct soc_intel_common_config *common_config;
+	common_config = chip_get_common_soc_structure();
+
+	return common_config->chipset_lockdown;
+}
+
+static void dmi_lockdown_cfg(void)
+{
+	/*
+	 * GCS reg of DMI
+	 *
+	 * When set, prevents GCS.BBS from being changed
+	 * GCS.BBS: (Boot BIOS Strap) This field determines the destination
+	 * of accesses to the BIOS memory range.
+	 *	Bits Description
+	 *	"0b": SPI
+	 *	"1b": LPC/eSPI
+	 */
+	pcr_or8(PID_DMI, PCR_DMI_GCS, PCR_DMI_GCS_BILD);
+}
+
+static void fast_spi_lockdown_cfg(int chipset_lockdown)
+{
+	if (!IS_ENABLED(CONFIG_SOC_INTEL_COMMON_BLOCK_FAST_SPI))
+		return;
+
+	/* Set FAST_SPI opcode menu */
+	fast_spi_set_opcode_menu();
+
+	/* Discrete Lock Flash PR registers */
+	fast_spi_pr_dlock();
+
+	/* Lock FAST_SPIBAR */
+	fast_spi_lock_bar();
+
+	/* Set Bios Interface Lock, Bios Lock */
+	if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
+		/* Bios Interface Lock */
+		fast_spi_set_bios_interface_lock_down();
+
+		/* Bios Lock */
+		fast_spi_set_lock_enable();
+	}
+}
+
+/*
+ * platform_lockdown_config has 2 major part.
+ * 1. Common SoC lockdown configuration.
+ * 2. SoC specific lockdown configuration as per Silicon
+ * guideline.
+ */
+static void platform_lockdown_config(void *unused)
+{
+	int chipset_lockdown;
+	chipset_lockdown = get_lockdown_config();
+
+	/* SPI lock down configuration */
+	fast_spi_lockdown_cfg(chipset_lockdown);
+
+	/* DMI lock down configuration */
+	dmi_lockdown_cfg();
+
+	/* SoC lock down configuration */
+	soc_lockdown_config(chipset_lockdown);
+}
+
+BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_EXIT, platform_lockdown_config,
+				NULL);
--- a/src/soc/intel/skylake/chip.c
+++ b/src/soc/intel/skylake/chip.c
@ -21,6 +21,7 @@
 #include <device/pci.h>
 #include <fsp/util.h>
 #include <intelblocks/xdci.h>
+#include <intelpch/lockdown.h>
 #include <soc/acpi.h>
 #include <soc/interrupt.h>
 #include <soc/irq.h>
@ -69,14 +70,6 @@ static void soc_enable(struct device *dev)
 		dev->ops = &cpu_bus_ops;
 }

-static int get_lockdown_config(void)
-{
-	const struct soc_intel_common_config *soc_config;
-	soc_config = chip_get_common_soc_structure();
-
-	return soc_config->chipset_lockdown;
-}
-
 struct chip_operations soc_intel_skylake_ops = {
 	CHIP_NAME("Intel Skylake")
 	.enable_dev = &soc_enable,
--- a/src/soc/intel/skylake/chip_fsp20.c
+++ b/src/soc/intel/skylake/chip_fsp20.c
@ -30,6 +30,7 @@
 #include <fsp/api.h>
 #include <fsp/util.h>
 #include <intelblocks/xdci.h>
+#include <intelpch/lockdown.h>
 #include <romstage_handoff.h>
 #include <soc/acpi.h>
 #include <soc/intel/common/vbt.h>
@ -211,14 +212,6 @@ static void soc_enable(struct device *dev)
 		dev->ops = &cpu_bus_ops;
 }

-static int get_lockdown_config(void)
-{
-	const struct soc_intel_common_config *soc_config;
-	soc_config = chip_get_common_soc_structure();
-
-	return soc_config->chipset_lockdown;
-}
-
 struct chip_operations soc_intel_skylake_ops = {
 	CHIP_NAME("Intel 6th Gen")
 	.enable_dev	= &soc_enable,
--- a/src/soc/intel/skylake/lockdown.c
+++ b/src/soc/intel/skylake/lockdown.c
@ -1,7 +1,7 @@
 /*
 * This file is part of the coreboot project.
 *
- * Copyright (C) 2017 Intel Corporation.
+ * Copyright (C) 2017-2018 Intel Corporation.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -14,24 +14,15 @@
 */

 #include <arch/io.h>
-#include <bootstate.h>
-#include <chip.h>
 #include <intelblocks/chip.h>
-#include <intelblocks/fast_spi.h>
 #include <intelblocks/lpc_lib.h>
-#include <intelblocks/pcr.h>
-#include <soc/pci_devs.h>
-#include <soc/pcr_ids.h>
+#include <intelpch/lockdown.h>
 #include <soc/pm.h>
-#include <string.h>

-#define PCR_DMI_GCS		0x274C
-#define PCR_DMI_GCS_BILD	(1 << 0)
-
-static void lpc_lockdown_config(const struct soc_intel_common_config *config)
+static void lpc_lockdown_config(int chipset_lockdown)
 {
 	/* Set Bios Interface Lock, Bios Lock */
-	if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
+	if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
 		lpc_set_bios_interface_lock_down();
 		lpc_set_lock_enable();
 	}
@ -49,60 +40,11 @@ static void pmc_lockdown_config(void)
 	write32(pmcbase + PMSYNC_TPR_CFG, pmsyncreg);
 }

-static void dmi_lockdown_config(void)
+void soc_lockdown_config(int chipset_lockdown)
 {
-	/*
-	 * GCS reg of DMI
-	 *
-	 * When set, prevents GCS.BBS from being changed
-	 * GCS.BBS: (Boot BIOS Strap) This field determines the destination
-	 * of accesses to the BIOS memory range.
-	 *	Bits Description
-	 *	"0b": SPI
-	 *	"1b": LPC/eSPI
-	 */
-	pcr_or8(PID_DMI, PCR_DMI_GCS, PCR_DMI_GCS_BILD);
-}
-
-static void fast_spi_lockdown_config(const
-	struct soc_intel_common_config *config)
-{
-	/* Set FAST_SPI opcode menu */
-	fast_spi_set_opcode_menu();
-
-	/* Discrete Lock Flash PR registers */
-	fast_spi_pr_dlock();
-
-	/* Lock FAST_SPIBAR */
-	fast_spi_lock_bar();
-
-	/* Set Bios Interface Lock, Bios Lock */
-	if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
-		/* Bios Interface Lock */
-		fast_spi_set_bios_interface_lock_down();
-
-		/* Bios Lock */
-		fast_spi_set_lock_enable();
-	}
-}
-
-static void platform_lockdown_config(void *unused)
-{
-	const struct soc_intel_common_config *common_config;
-	common_config = chip_get_common_soc_structure();
-
 	/* LPC lock down configuration */
-	lpc_lockdown_config(common_config);
-
-	/* SPI lock down configuration */
-	fast_spi_lockdown_config(common_config);
-
-	/* DMI lock down configuration */
-	dmi_lockdown_config();
+	lpc_lockdown_config(chipset_lockdown);

 	/* PMC lock down configuration */
 	pmc_lockdown_config();
 }
-
-BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_EXIT, platform_lockdown_config,
-				NULL);
				`@ -0,0 +1 @@`
				`ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c`