diff --git a/src/mainboard/google/chell/devicetree.cb b/src/mainboard/google/chell/devicetree.cb
index 4d4d0aff1d..f8c3054012 100644
--- a/src/mainboard/google/chell/devicetree.cb
+++ b/src/mainboard/google/chell/devicetree.cb
@@ -190,6 +190,9 @@ chip soc/intel/skylake
 # Send an extra VR mailbox command for the supported MPS IMVP8 model
 register "SendVrMbxCmd" = "1"
+ # Lock Down
+ register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 device cpu_cluster 0 on
 device lapic 0 on end
 end
diff --git a/src/mainboard/google/eve/devicetree.cb b/src/mainboard/google/eve/devicetree.cb
index b6cb848b40..2e017f8dcd 100644
--- a/src/mainboard/google/eve/devicetree.cb
+++ b/src/mainboard/google/eve/devicetree.cb
@@ -218,6 +218,9 @@ chip soc/intel/skylake
 register "tdp_pl2_override" = "15"
 register "tcc_offset" = "10"
+ # Lock Down
+ register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 device cpu_cluster 0 on
 device lapic 0 on end
 end
diff --git a/src/mainboard/google/fizz/devicetree.cb b/src/mainboard/google/fizz/devicetree.cb
index bf9f0c9ef9..a771380238 100644
--- a/src/mainboard/google/fizz/devicetree.cb
+++ b/src/mainboard/google/fizz/devicetree.cb
@@ -216,6 +216,9 @@ chip soc/intel/skylake
 # Use default SD card detect GPIO configuration
 register "sdcard_cd_gpio_default" = "GPP_A7"
+ # Lock Down
+ register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 device cpu_cluster 0 on
 device lapic 0 on end
 end
diff --git a/src/mainboard/google/glados/devicetree.cb b/src/mainboard/google/glados/devicetree.cb
index d4155ea6b8..0dff3d95dd 100644
--- a/src/mainboard/google/glados/devicetree.cb
+++ b/src/mainboard/google/glados/devicetree.cb
@@ -188,6 +188,9 @@ chip soc/intel/skylake
 # Send an extra VR mailbox command for the supported MPS IMVP8 model
 register "SendVrMbxCmd" = "1"
+ # Lock Down
+ register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 device cpu_cluster 0 on
 device lapic 0 on end
 end
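Review bot: The added comment `# Lock Down` does not say who performs the lockdown, which is the whole point of this register. A comment such as `# coreboot (not FSP) locks BIOS interface and BIOS region in soc_lockdown()` would tell a board maintainer what they are opting into. The same two-word comment is repeated in every other devicetree.cb hunk of this commit.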
diff --git a/src/mainboard/google/lars/devicetree.cb b/src/mainboard/google/lars/devicetree.cb
index ed1de93258..99522cbe3e 100644
--- a/src/mainboard/google/lars/devicetree.cb
+++ b/src/mainboard/google/lars/devicetree.cb
@@ -184,6 +184,9 @@ chip soc/intel/skylake
 # Send an extra VR mailbox command for the PS4 exit issue
 register "SendVrMbxCmd" = "2"
+ # Lock Down
+ register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 device cpu_cluster 0 on
 device lapic 0 on end
 end
diff --git a/src/mainboard/google/poppy/variants/baseboard/devicetree.cb b/src/mainboard/google/poppy/variants/baseboard/devicetree.cb
index d67c9c0ae4..2324557320 100644
--- a/src/mainboard/google/poppy/variants/baseboard/devicetree.cb
+++ b/src/mainboard/google/poppy/variants/baseboard/devicetree.cb
@@ -208,6 +208,9 @@ chip soc/intel/skylake
 # Use default SD card detect GPIO configuration
 register "sdcard_cd_gpio_default" = "GPP_E15"
+ # Lock Down
+ register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 device cpu_cluster 0 on
 device lapic 0 on end
 end
diff --git a/src/mainboard/google/poppy/variants/soraka/devicetree.cb b/src/mainboard/google/poppy/variants/soraka/devicetree.cb
index b874093b26..88c7c7dbeb 100644
--- a/src/mainboard/google/poppy/variants/soraka/devicetree.cb
+++ b/src/mainboard/google/poppy/variants/soraka/devicetree.cb
@@ -208,6 +208,9 @@ chip soc/intel/skylake
 # Use default SD card detect GPIO configuration
 register "sdcard_cd_gpio_default" = "GPP_E15"
+ # Lock Down
+ register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 device cpu_cluster 0 on
 device lapic 0 on end
 end
diff --git a/src/mainboard/intel/kblrvp/variants/rvp3/devicetree.cb b/src/mainboard/intel/kblrvp/variants/rvp3/devicetree.cb
index c1974ad718..0d2bd0f397 100644
--- a/src/mainboard/intel/kblrvp/variants/rvp3/devicetree.cb
+++ b/src/mainboard/intel/kblrvp/variants/rvp3/devicetree.cb
@@ -205,6 +205,9 @@ chip soc/intel/skylake
 # Enable/Disable VMX feature
 register "VmxEnable" = "0"
+ # Lock Down
+ register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 device cpu_cluster 0 on
 device lapic 0 on end
 end
diff --git a/src/mainboard/intel/kblrvp/variants/rvp7/devicetree.cb b/src/mainboard/intel/kblrvp/variants/rvp7/devicetree.cb
index a56345c00d..6f45a46a7d 100644
--- a/src/mainboard/intel/kblrvp/variants/rvp7/devicetree.cb
+++ b/src/mainboard/intel/kblrvp/variants/rvp7/devicetree.cb
@@ -200,6 +200,9 @@ chip soc/intel/skylake
 # Use default SD card detect GPIO configuration
 register "sdcard_cd_gpio_default" = "GPP_G5"
+ # Lock Down
+ register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 device cpu_cluster 0 on
 device lapic 0 on end
 end
diff --git a/src/mainboard/intel/kunimitsu/devicetree.cb b/src/mainboard/intel/kunimitsu/devicetree.cb
index 17e8e27606..aec57b1ffa 100644
--- a/src/mainboard/intel/kunimitsu/devicetree.cb
+++ b/src/mainboard/intel/kunimitsu/devicetree.cb
@@ -194,6 +194,9 @@ chip soc/intel/skylake
 # Use default SD card detect GPIO configuration
 register "sdcard_cd_gpio_default" = "GPP_A7"
+ # Lock Down
+ register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 device cpu_cluster 0 on
 device lapic 0 on end
 end
diff --git a/src/mainboard/purism/librem13v2/devicetree.cb b/src/mainboard/purism/librem13v2/devicetree.cb
index e113b3ffa4..29d35afd23 100644
--- a/src/mainboard/purism/librem13v2/devicetree.cb
+++ b/src/mainboard/purism/librem13v2/devicetree.cb
@@ -171,6 +171,9 @@ chip soc/intel/skylake
 # Send an extra VR mailbox command for the PS4 exit issue
 register "SendVrMbxCmd" = "2"
+ # Lock Down
+ register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 device cpu_cluster 0 on
 device lapic 0 on end
 end
diff --git a/src/soc/intel/skylake/chip.c b/src/soc/intel/skylake/chip.c
index ab069488a0..7014c24d9e 100644
--- a/src/soc/intel/skylake/chip.c
+++ b/src/soc/intel/skylake/chip.c
@@ -147,11 +147,12 @@ void soc_silicon_init_params(SILICON_INIT_UPD *params)
 params->EnableSata = config->EnableSata;
 params->SataMode = config->SataMode;
 params->LockDownConfigGlobalSmi = config->LockDownConfigGlobalSmi;
- params->LockDownConfigBiosInterface =
- config->LockDownConfigBiosInterface;
 params->LockDownConfigRtcLock = config->LockDownConfigRtcLock;
- params->LockDownConfigBiosLock = config->LockDownConfigBiosLock;
- params->LockDownConfigSpiEiss = config->LockDownConfigSpiEiss;
+ if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
+ params->LockDownConfigBiosInterface = 0;
+ params->LockDownConfigBiosLock = 0;
+ params->LockDownConfigSpiEiss = 0;
+ }
 params->PchConfigSubSystemVendorId = config->PchConfigSubSystemVendorId;
 params->PchConfigSubSystemId = config->PchConfigSubSystemId;
 params->WakeConfigWolEnableOverride =
diff --git a/src/soc/intel/skylake/chip.h b/src/soc/intel/skylake/chip.h
index ea985db11a..beb5a7aa0b 100644
--- a/src/soc/intel/skylake/chip.h
+++ b/src/soc/intel/skylake/chip.h
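Review bot: When `chipset_lockdown` is `CHIPSET_LOCKDOWN_FSP`, this hunk never writes `LockDownConfigBiosInterface`, `LockDownConfigBiosLock` or `LockDownConfigSpiEiss`, so they keep whatever the UPD image ships with, and the finalize.c hunks skip coreboot's own locking in that mode. `CHIPSET_LOCKDOWN_FSP` is also the first enumerator in chip.h (value 0), so a devicetree that omits the register presumably takes this path, whereas the old `== 0` checks in soc_lockdown() made coreboot do the locking. If the UPD defaults are not guaranteed to enable these locks, add an explicit `else` that sets the three fields to 1, or make the coreboot mode the zero value. The same applies to the second hunk of chip_fsp20.c, and soc_silicon_init_params() starts and ends outside this hunk.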
@@ -261,30 +261,11 @@ struct soc_intel_skylake_config {
 u8 TcoIrqEnable;
 /* Enable SMI_LOCK bit to prevent writes to the Global SMI Enable bit.*/
 u8 LockDownConfigGlobalSmi;
- /*
- * Enable BIOS Interface Lock Down bit to prevent writes to the Backup
- * Control Register. Top Swap bit and the General Control and Status
- * Registers Boot BIOS Straps.
- */
- u8 LockDownConfigBiosInterface;
 /*
 * Enable RTC lower and upper 128 byte Lock bits to lock Bytes 38h-3Fh
 * in the upper and and lower 128-byte bank of RTC RAM.
 */
 u8 LockDownConfigRtcLock;
- /*
- * When enabled, the BIOS Region can only be modified from SMM after
- * EndOfDxe protocol is installed
- */
- u8 LockDownConfigBiosLock;
- /*
- * Enable InSMM.STS (EISS) in SPI If this bit is set, then WPD must be a
- * '1' and InSMM.STS must be '1' also in order to write to BIOS regions
- * of SPI Flash. If this bit is clear, then the InSMM.STS is a don't
- * care. The BIOS must set the EISS bit while BIOS Guard support is
- * enabled.
- */
- u8 LockDownConfigSpiEiss;
 /* Subsystem Vendor ID of the PCH devices*/
 u16 PchConfigSubSystemVendorId;
 /* Subsystem ID of the PCH devices*/
@@ -493,14 +474,16 @@ struct soc_intel_skylake_config {
 * 0b - Disabled
 */
 u8 eist_enable;
- /*
- * Skip Spi Flash Lockdown from inside FSP.
- * Making this config "0" means FSP won't set the FLOCKDN bit of
- * SPIBAR + 0x04 (i.e., Bit 15 of BIOS_HSFSTS_CTL).
- * So, it becomes coreboot's responsibility to set this bit before
- * end of POST for security concerns.
+ /* Chipset (LPC and SPI) Lock Down
+ * 1b - coreboot to handle lockdown
+ * 0b - FSP to handle lockdown
 */
- u8 SpiFlashCfgLockDown;
+ enum {
+ /* lock according to binary UPD settings */
+ CHIPSET_LOCKDOWN_FSP,
+ /* coreboot handles locking */
+ CHIPSET_LOCKDOWN_COREBOOT,
+ } chipset_lockdown;
 };
 typedef struct soc_intel_skylake_config config_t;
diff --git a/src/soc/intel/skylake/chip_fsp20.c b/src/soc/intel/skylake/chip_fsp20.c
index c5ecc97b01..aa612ede0a 100644
--- a/src/soc/intel/skylake/chip_fsp20.c
+++ b/src/soc/intel/skylake/chip_fsp20.c
@@ -201,7 +201,6 @@ void platform_fsp_silicon_init_params_cb(FSPS_UPD *supd)
 params->SataEnable = config->EnableSata;
 params->SataMode = config->SataMode;
 tconfig->PchLockDownGlobalSmi = config->LockDownConfigGlobalSmi;
- tconfig->PchLockDownBiosInterface = config->LockDownConfigBiosInterface;
 tconfig->PchLockDownRtcLock = config->LockDownConfigRtcLock;
 /*
 * To disable HECI, the Psf needs to be left unlocked
@@ -210,9 +209,19 @@ void platform_fsp_silicon_init_params_cb(FSPS_UPD *supd)
 * do the changes and then lock it back in coreboot during finalize.
 */
 tconfig->PchSbAccessUnlock = (config->HeciEnabled == 0) ? 1 : 0;
-
- params->PchLockDownBiosLock = config->LockDownConfigBiosLock;
- params->PchLockDownSpiEiss = config->LockDownConfigSpiEiss;
+ if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
+ tconfig->PchLockDownBiosInterface = 0;
+ params->PchLockDownBiosLock = 0;
+ params->PchLockDownSpiEiss = 0;
+ /*
+ * Skip Spi Flash Lockdown from inside FSP.
+ * Making this config "0" means FSP won't set the FLOCKDN bit
+ * of SPIBAR + 0x04 (i.e., Bit 15 of BIOS_HSFSTS_CTL).
+ * So, it becomes coreboot's responsibility to set this bit
+ * before end of POST for security concerns.
+ */
+ params->SpiFlashCfgLockDown = 0;
+ }
 params->PchSubSystemVendorId = config->PchConfigSubSystemVendorId;
 params->PchSubSystemId = config->PchConfigSubSystemId;
 params->PchPmWolEnableOverride = config->WakeConfigWolEnableOverride;
@@ -247,15 +256,6 @@ void platform_fsp_silicon_init_params_cb(FSPS_UPD *supd)
 dev = dev_find_slot(0, PCH_DEVFN_SPI);
 params->ShowSpiController = dev->enabled;
- /*
- * Skip Spi Flash Lockdown from inside FSP.
- * Making this config "0" means FSP won't set the FLOCKDN bit of
- * SPIBAR + 0x04 (i.e., Bit 15 of BIOS_HSFSTS_CTL).
- * So, it becomes coreboot's responsibility to set this bit before
- * end of POST for security concerns.
- */
- params->SpiFlashCfgLockDown = config->SpiFlashCfgLockDown;
-
 /*
 * Send VR specific mailbox commands:
 * 000b - no VR specific command sent
diff --git a/src/soc/intel/skylake/finalize.c b/src/soc/intel/skylake/finalize.c
index 9759382149..404d217a87 100644
--- a/src/soc/intel/skylake/finalize.c
+++ b/src/soc/intel/skylake/finalize.c
@@ -184,8 +184,8 @@ static void soc_lockdown(void)
 pci_write_config8(dev, GEN_PMCON_A, reg8);
 }
- /* Bios Interface Lock */
- if (config->LockDownConfigBiosInterface == 0) {
+ if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
+ /* Bios Interface Lock */
 pci_write_config8(PCH_DEV_LPC, BIOS_CNTL,
 pci_read_config8(PCH_DEV_LPC,
 BIOS_CNTL) | LPC_BC_BILD);
@@ -196,10 +196,8 @@ static void soc_lockdown(void)
 /* GCS reg of DMI */
 pcr_or8(PID_DMI, PCR_DMI_GCS, PCR_DMI_GCS_BILD);
- }
- /* Bios Lock */
- if (config->LockDownConfigBiosLock == 0) {
+ /* Bios Lock */
 pci_write_config8(PCH_DEV_LPC, BIOS_CNTL,
 pci_read_config8(PCH_DEV_LPC,
 BIOS_CNTL) | LPC_BC_LE);
@@ -209,18 +207,6 @@ static void soc_lockdown(void)
 fast_spi_set_lock_enable();
 }
-
- /* SPIEiss */
- if (config->LockDownConfigSpiEiss == 0) {
- pci_write_config8(PCH_DEV_LPC, BIOS_CNTL,
- pci_read_config8(PCH_DEV_LPC,
- BIOS_CNTL) | LPC_BC_EISS);
-
- /* Ensure an additional read back after performing lock down */
- pci_read_config8(PCH_DEV_LPC, BIOS_CNTL);
-
- fast_spi_set_eiss();
- }
 }
 static void soc_finalize(void *unused)
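Review bot: The new `CHIPSET_LOCKDOWN_COREBOOT` branch in soc_lockdown() sets BILD and the BIOS lock enable but no longer sets EISS: the `LPC_BC_EISS` write and `fast_spi_set_eiss();` are deleted in the last hunk instead of being moved into the branch. chip.c and chip_fsp20.c zero the SpiEiss UPD in the same mode, so from the visible lines nothing enables EISS when coreboot owns the lockdown, and BIOS-region writes would then not be tied to SMM. If EISS is set earlier in boot (not visible in this diff), a comment in the branch such as `/* EISS is set in <earlier stage>, not here */` would record that; otherwise keep the EISS write, its read-back and `fast_spi_set_eiss();` inside the branch. soc_lockdown() starts outside these hunks.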